Microsoft Safelinks

On Tuesday 12th of December 2023 Informations Services (IS) enabled the “SafeLink” feature of the Office 365* mail service.

This doesn’t seem to have been very well announced, and came as a surprise even to the Informatics computing staff.

The basics are now that when a mail is delivered into your Office 365 mailbox, any links in it are rewritten into a https://eur02.safelinks.protection.outlook.com/…. style URL, so that anyone clicking on it will actually be taken to a service that checks the original destination URL for malware and the likes, and only forwarding you onwards if it is deemed safe.

This is being done to lessen the chance of someone falling victim to a phishing or ransomware attack, and the potential damage this could cause the University.

If you are already used to HTML based email, and use Microsoft products to read your mail, then you may hardly notice this change. “plain text” users, however, will see these quite intrusive changes.

We have already passed on our concerns about the communications around this change, and the data privacy (as each “safelink” URL now contains user identifiable data in it). We are awaiting a response to these issues, and will update this post with their reply.

For more details on this change, see https://www.ed.ac.uk/information-services/help-consultancy/it-help/email-and-office365/microsoft-365-safe-links which also points out this feature affects also affects Teams and other MS applications like Word, Excel etc.

For some Microsoft technical details on Safelink, see https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about

Neil

* Office 365 is now officially called “Microsoft 365”

Update 25/1/2024

A College level complaint about the rollout and implementation of Safelinks was sent to IS a week or so ago, we are still awaiting an official response to the points raised.

The DPIA question was raised, and the existing DPIA for the general use of Office 365 was used to cover any concerns. However this can be reviewed, given the now obvious real world implications of the use of Safelinks, and private data being leaked when forwarding or coping and pasting URLs.

Presently only two of our services have been white listed: lists.inf and web.inf, however we are hopeful that some 50 other inf.ed.ac.uk services will be added to that list shortly.

Update 22/2/2024

An official response was received, and can be viewed in the documents attached to https://computing.help.inf.ed.ac.uk/safelinks . We are also now temporarily able to exempt all academic and research staff from SafeLinks, see post to staff dated 21/2/2024.

 

About neilb

Computing staff at the University of Edinburgh. Part of the Services Unit.
This entry was posted in Information, News. Bookmark the permalink.

1 Response to Microsoft Safelinks

  1. neilb says:

    A concerned citizen commented:

    – In some cases multipart/alternative mail with plaintext and HTML parts
    gets only the HTML transformed, with the plain text untouched. Your
    blogtrottr post had this property when it arrived in my mailbox. This is
    pleasant for the recipient, but also a vulnerability in the “SafeLink”
    deployment. I’m reluctant to report it as such, though, on the off-chance
    it might get fixed.
    – – Yes, I’d noticed this. I’ve also noticed that some messages with the footer as a separate attachment, doesn’t munge URLs in those too. I’ve not investigated further.

    – I was pleased to see the alpine mail client is now attaching a warning to
    every one of these mails to say it contains deceptive links. Which is true
    enough, I suppose…

Leave a Reply