Safe Links - UBmail (Exchange Online)

Links appearing in your UBmail are scanned and made safer to click.

How it works

As new email comes in, any links or URLs (web addresses) in the email are scanned and rewritten to be safer. This protects you from accidentally clicking on malicious code that could harm your computer or steal your personal information.

Safe Link features

Information contained in a Safe Link URL:

  • A prefix that reroutes the URL being clicked through the Safe Link service
  • The email address associated with the recipient of the email
  • An encoded string pointing to the original URL
  • A long string of characters that indicate the Safe Link settings for the recipient at the time the email was rewritten

What does https://nam12.safelinks.protection.outlook.com do with this data (is it stored)?

  • When somebody clicks a Safe Link, Microsoft stores this data in order to assist the response when a URL delivered in email to Exchange Online mailboxes is found to be malicious. Microsoft provides a tool for UBIT security administrators to assess the impact of any particular phishing campaign, and find and notify people who may have clicked a malicious URL (please note that this identification does not work when email is forwarded to a non-UB email address, because the Safe Link will contain the sender’s email address instead). Per Microsoft, the stored data is not used for any other purpose.

Is there a way to automatically undo the Safe Link re-writing when forwarding a message?

  • There is a UB-hosted tool to display the original URL from a Safe Link:  https://safelinks.apps.buffalo.edu
  • Newer versions of Outlook will display the original link when you hover over the URL in an HTML-encoded email.

Additional Safe Link nuances:

  • If an email with a Safe Link is forwarded to someone using Exchange Online at UB, the email address in the Safe Link is replaced with the recipient’s email address.
  • If a sender digitally signs their email with a personal digital certificate, and/or encrypts a message, Safe Links will not alter the contents of the message.
  • Safe links are only applied to email received in Exchange Online. Email sent from an Exchange Online email account will not contain Safe Links if the recipient is not using Exchange Online, unless the message is being forwarded or replied to and already contains a Safe Link.

Going forward

  • Requests to disable Safe Links will be denied. In consultation with the UBIT Help Center and other IT support specialists that interact with UB faculty, staff and students on a daily basis an assessment was made that Safe Links provide an overall increase in security.

Expected SafeLink Behavior in Client Scenarios

Source and Destination Safe Link Insertion

Mail Flow Source Mail Flow Destination Safe Links Inserted Safe Links Not Inserted
Exchange Online External   X
Exchange Online Exchange On-Premise X  
Exchange Online Exchange Online X  
External Exchange On-Premise   X
External Exchange Online X  
Exchange On-Premise External   X
Exchange On-Premise Exchange On-Premise   X
Exchange On-Premise Exchange Online X  

Safe Link Client Behaviors

Client Formatting Body Text Hover Preview Pane Bottom Bar
Outlook Plain Text Safe Link Safe Link Safe Link
Outlook HTML No Safe Link No Safe Link Safe Link
Outlook Legacy Versions Plain Text Safe Link Safe Link Safe Link
Outlook Legacy Versions HTML No Safe Link Safe Link Safe Link
Third Party Clients Plain Text Safe Link Client Dependent  Client Dependent 
Third Party Clients HTML No Safe Link Client Dependent  Client Dependent 

Safe Links Signing Certificate Behavior

Configuration Safe Link URL Behavior
No Signing Configured on Device SafeLink URLs change to reflect your email address
Signing Disabled by Default and Send Unsigned SafeLink URLs change to reflect your email address
Signing Disabled by Default and Send Signed SafeLink URLs do NOT change to reflect your email address
Signing Enabled by Default and Send Unsigned SafeLink URLs do NOT change to reflect your email address – This is the outlier vs expectations. It is possible certain message headers are crafted before signing cert is removed
Signing Enabled by Default and Send Signed SafeLink URLs do NOT change to reflect your email address

Common questions

Is it always safe to click on a Safe Link?

While Safe Links make clicking on most links in your UBmail safer, there’s still some risk. You should continue exercising caution when clicking on links in email. Learn more about recognizing a phishing attempt.

Why am I receiving emails with links that are long and unreadable?

The message may have been sent in plain text. Most modern email (including Exchange Online) uses HTML-formatted text.

How can I get a nicer-looking link to copy and paste?

Use any one of the following tips:

  • Click the link. On the new page, copy the URL (web address) from the browser’s address bar.
  • Use the Safe Links decoder at https://safelinks.apps.buffalo.edu
  • Ask the email sender to turn on HTML formatting

Is there a way to request a URL be allow listed?

UBIT is reviewing the policy and configuration around Safe Links allow listing.

See also

Still need help?

Contact the UBIT Help Center.