Safe Links - UBmail (Exchange Online)
Links appearing in your UBmail are scanned and made safer to click.
How it works
As new email comes in, any links or URLs (web addresses) in the email are scanned and rewritten to be safer. This protects you from accidentally clicking on malicious code that could harm your computer or steal your personal information.
Safe Link features
Information contained in a Safe Link URL:
- A prefix that reroutes the URL being clicked through the Safe Link service
- The email address associated with the recipient of the email
- An encoded string pointing to the original URL
- A long string of characters that indicate the Safe Link settings for the recipient at the time the email was rewritten
What does https://nam12.safelinks.protection.outlook.com do with this data (is it stored)?
- When somebody clicks a Safe Link, Microsoft stores this data in order to assist the response when a URL delivered in email to Exchange Online mailboxes is found to be malicious. Microsoft provides a tool for UBIT security administrators to assess the impact of any particular phishing campaign, and find and notify people who may have clicked a malicious URL (please note that this identification does not work when email is forwarded to a non-UB email address, because the Safe Link will contain the sender’s email address instead). Per Microsoft, the stored data is not used for any other purpose.
Is there a way to automatically undo the Safe Link re-writing when forwarding a message?
- There is a UB-hosted tool to display the original URL from a Safe Link: https://safelinks.apps.buffalo.edu
- Newer versions of Outlook will display the original link when you hover over the URL in an HTML-encoded email.
Additional Safe Link nuances:
- If an email with a Safe Link is forwarded to someone using Exchange Online at UB, the email address in the Safe Link is replaced with the recipient’s email address.
- If a sender digitally signs their email with a personal digital certificate, and/or encrypts a message, Safe Links will not alter the contents of the message.
- Safe links are only applied to email received in Exchange Online. Email sent from an Exchange Online email account will not contain Safe Links if the recipient is not using Exchange Online, unless the message is being forwarded or replied to and already contains a Safe Link.
Going forward
- Requests to disable Safe Links will be denied. In consultation with the UBIT Help Center and other IT support specialists that interact with UB faculty, staff and students on a daily basis an assessment was made that Safe Links provide an overall increase in security.
Expected SafeLink Behavior in Client Scenarios
Source and Destination Safe Link Insertion
| Mail Flow Source | Mail Flow Destination | Safe Links Inserted | Safe Links Not Inserted |
| Exchange Online | External | X | |
| Exchange Online | Exchange On-Premise | X | |
| Exchange Online | Exchange Online | X | |
| External | Exchange On-Premise | X | |
| External | Exchange Online | X | |
| Exchange On-Premise | External | X | |
| Exchange On-Premise | Exchange On-Premise | X | |
| Exchange On-Premise | Exchange Online | X |
Safe Link Client Behaviors
| Client | Formatting | Body Text | Hover | Preview Pane Bottom Bar |
| Outlook | Plain Text | Safe Link | Safe Link | Safe Link |
| Outlook | HTML | No Safe Link | No Safe Link | Safe Link |
| Outlook Legacy Versions | Plain Text | Safe Link | Safe Link | Safe Link |
| Outlook Legacy Versions | HTML | No Safe Link | Safe Link | Safe Link |
| Third Party Clients | Plain Text | Safe Link | Client Dependent | Client Dependent |
| Third Party Clients | HTML | No Safe Link | Client Dependent | Client Dependent |
Safe Links Signing Certificate Behavior
| Configuration | Safe Link URL Behavior |
| No Signing Configured on Device | SafeLink URLs change to reflect your email address |
| Signing Disabled by Default and Send Unsigned | SafeLink URLs change to reflect your email address |
| Signing Disabled by Default and Send Signed | SafeLink URLs do NOT change to reflect your email address |
| Signing Enabled by Default and Send Unsigned | SafeLink URLs do NOT change to reflect your email address – This is the outlier vs expectations. It is possible certain message headers are crafted before signing cert is removed |
| Signing Enabled by Default and Send Signed | SafeLink URLs do NOT change to reflect your email address |
Common questions
Is it always safe to click on a Safe Link?
While Safe Links make clicking on most links in your UBmail safer, there’s still some risk. You should continue exercising caution when clicking on links in email. Learn more about recognizing a phishing attempt.
Why am I receiving emails with links that are long and unreadable?
The message may have been sent in plain text. Most modern email (including Exchange Online) uses HTML-formatted text.
How can I get a nicer-looking link to copy and paste?
Use any one of the following tips:
- Click the link. On the new page, copy the URL (web address) from the browser’s address bar.
- Use the Safe Links decoder at https://safelinks.apps.buffalo.edu
- Ask the email sender to turn on HTML formatting
Is there a way to request a URL be allow listed?
UBIT is reviewing the policy and configuration around Safe Links allow listing.
See also
Still need help?
Contact the UBIT Help Center.