On Tuesday 12th of December 2023 Information Services (IS) enabled the “SafeLink” feature of the Office 365* mail service.
This doesn’t seem to have been very well announced, and came as a surprise even to the Informatics computing staff.
In short, when a mail is delivered into your Office 365 mailbox, any links in it are rewritten into a https://eur02.safelinks.protection.outlook.com/…. style URL, so that anyone clicking on one is first taken to a service that checks the original destination URL for malware and the like, and is only forwarded onwards if the destination is deemed safe.
This is being done to lessen the chance of someone falling victim to a phishing or ransomware attack, and the potential damage this could cause the University.
If you are already used to HTML based email, and use Microsoft products to read your mail, then you may hardly notice this change. “Plain text” users, however, will see these quite intrusive changes.
We have already passed on our concerns about the communications around this change, and the data privacy (as each “safelink” URL now contains user identifiable data in it). We are awaiting a response to these issues, and will update this post with their reply.
For more details on this change, see https://www.ed.ac.uk/information-services/help-consultancy/it-help/email-and-office365/microsoft-365-safe-links which also points out that this feature affects Teams and other MS applications like Word, Excel etc.
For some Microsoft technical details on Safelink, see https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about
* Office 365 is now officially called “Microsoft 365”
A College level complaint about the rollout and implementation of Safelinks was sent to IS a week or so ago; we are still awaiting an official response to the points raised.
The DPIA question was raised, and the existing DPIA for the general use of Office 365 was used to cover any concerns. However, this can be reviewed, given the now obvious real world implications of the use of Safelinks, and private data being leaked when forwarding or copying and pasting URLs.
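To see what a rewritten link carries before it is forwarded or pasted elsewhere, the following added example (not part of the original post, and not IS or Microsoft code) recovers the original destination and lists any address-like fields embedded in the link. It assumes the `url` and `data` query parameters used in Microsoft's rewritten links, which the post does not spell out; the sample link is constructed with placeholder values.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Host suffix taken from the rewritten-URL form quoted in the post.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
WRAPPED = re.compile(
    r"https://[A-Za-z0-9.-]+\.safelinks\.protection\.outlook\.com/\?[^\s<>\"]+"
)


def inspect_safelink(wrapped: str) -> dict:
    """Return the original URL and any address-like fields carried in `data`."""
    parts = urlsplit(wrapped)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host.endswith(SAFELINKS_SUFFIX):
        raise ValueError("not a Safe Links URL")
    query = parse_qs(parts.query)  # parse_qs percent-decodes the values
    if "url" not in query:
        raise ValueError("Safe Links URL has no 'url' parameter")
    # `data` is a '|'-separated record; report every field that looks like
    # a mail address rather than assuming a fixed position.
    fields = query.get("data", [""])[0].split("|")
    return {
        "original": query["url"][0],
        "identifiers": [f for f in fields if "@" in f],
    }


def unwrap_text(body: str) -> str:
    """Replace each wrapped link in a plain-text body with its original URL."""
    def _swap(match: re.Match) -> str:
        try:
            return inspect_safelink(match.group(0))["original"]
        except ValueError:
            return match.group(0)  # leave anything we cannot parse untouched
    return WRAPPED.sub(_swap, body)


# Constructed sample: recipient, tenant and signature are placeholders.
SAMPLE = (
    "https://eur02.safelinks.protection.outlook.com/"
    "?url=https%3A%2F%2Fwww.example.org%2Fpaper.pdf%3Fv%3D2"
    "&data=05%7C01%7Cjane.doe%40example.ac.uk%7C0123abcd%7CTENANT-PLACEHOLDER%7C0%7C0"
    "&sdata=SIGNATURE-PLACEHOLDER&reserved=0"
)

if __name__ == "__main__":
    print(inspect_safelink(SAMPLE))
    print(unwrap_text("Slides are at " + SAMPLE + " as promised."))
```

A link unwrapped this way no longer passes through the checking service when it is clicked.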
Presently only two of our services have been white listed: lists.inf and web.inf; however, we are hopeful that some 50 other inf.ed.ac.uk services will be added to that list shortly.
An official response was received, and can be viewed in the documents attached to https://computing.help.inf.ed.ac.uk/safelinks. We are also now temporarily able to exempt all academic and research staff from SafeLinks; see the post to staff dated 21/2/2024.