# Microsoft Safe Links

Microsoft Safe Links is a Microsoft Defender for Office 365 capability that rewrites URLs in inbound email and performs time-of-click verification to block users from reaching malicious links. Enabling the **Safe Links** data feed on your existing Microsoft O365 connector forwards click events to Radiant Security. Radiant uses these events for AI triage, giving analysts visibility into phishing links accessed from unmanaged devices and identifying users who clicked from personal machines.

For background on the feature, see [Safe Links in Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links).

### Prerequisites

* [ ] Admin access to Microsoft 365
* [ ] An existing [Microsoft O365](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/microsoft-o365) connector in Radiant Security, configured with message trace permissions

### Enable Safe Links in Microsoft 365

1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com/).
2. In the left sidebar, navigate to **Email & collaboration** > **Policies & Rules**.
3. Click **Threat policies**, then select **Safe Links**.
4. Click **+ Create** to add a new policy and add all users, groups, or domains to monitor. The screenshot below shows the mandatory and preferred settings:
   * Mandatory settings (outlined in <mark style="color:red;">red</mark>):
     * **On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default.**
     * **Apply Safe Links to email messages sent within the organization**
   * Preferred settings (outlined in <mark style="color:blue;">blue</mark>):
     * **Track user clicks**
     * **Let users click through to the original URL**

<div align="left"><figure><img src="/files/uGeQjgoINGEREIwqqRLj" alt=""><figcaption></figcaption></figure></div>

5. Leave all other settings unchanged, then click **Submit**.

{% hint style="info" %}
Once enabled, Microsoft rewrites all email links with the Safe Links prefix `https://nam01.safelinks.protection.outlook.com`.
{% endhint %}

### Enable the Safe Links data feed in Radiant Security

1. Sign in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors**.
3. Locate the row for the **Safe Links** data feed under your existing **Microsoft O365** connector.
4. On the right side of the row, click **Enable**.

### Verify ingestion

After Safe Links begins forwarding, confirm events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"ms365_safe_links"`.
3. Confirm recent events appear.

{% hint style="info" %}
Allow several minutes for events to be parsed, indexed, and available for search.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/data-connectors/microsoft-safe-links.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.