Example of Office 365 ATP Safe Links in action


The above is a very typical example of a phishing email. You’ll notice when you mouse over the link in the email it wants to re-directed you to a non-descript and malicious (non-Office 365) link.


Now, because I’ve configured Office 365 ATP (Advanced Threat Protection) Safe Links in my tenant, when I do click that link in the email I am taken to the above page that warns me that this is bad.


Because I have configured my own Office 365 ATP Safe Links to allow click past this warning just for myself, if I continue on to the ultimate destination page, I see something that looks like a very convincing default Office 365 login page, with my email address already filled in. The idea is, I type my password, thinking this is legitimate and then bingo, I’m phished.

You will also notice that the ultimate URL is also different from the one in the initial email. An attempt to hide the attack using redirection.


So let’s see how effective Office 365 ATP Safe Links is at detecting these kinds of attacks compared to other vendors.

If I plug the initial URL, that was contained in the email, into Virustotal.com I see the above report. None, yes that is zero, of the third party AV providers have detected this initial link to be a malicious link as yet. Not even Google Safebrowsing! Of course, Office 365 ATP did detect it as malicious if you are keeping score.


If I now plug in the ultimate destination URL of the attack I do see some confirmation from other vendors that the site is malicious. However, only 2 of 69 vendors (i.e. only about 3%) also rate that link as malicious.

So Office 365 ATP Safe Links was able to identify this link as malicious and potentially block user access (with appropriate configuration). Few other vendors have yet even detected it to be an issue at this stage. That makes Office 365 ATP quite pro-active.

We all know that there are no absolutes in security and no system is ever perfect. However, given the size of the signals coming into Office 365 in regards to threats, their ability to provide early warning is as good or if not better that anything else out there on the market today in my opinion. This is why I recommend Office 365 ATP as a ‘must have’ for all Office 365 tenants. If you have Microsoft 365 Business today, you already have Office 365 ATP. So make sure it is correctly configured and you should feel much more comfortable about the reduced risk you face from phishing.

Updated script to now check for Sweep


The bad actors out there are clever and they’ll use any means at their disposal. Normally, when a user is successfully phished the first thing bad actors do is manipulate the email handling rules of the mailbox to hide their activity.

Unfortunately, there are quite a lot of different ways to forward email in Office 365 including via the mailbox and via Outlook client rules. It was brought to my attention that there is in fact another way that forwarding can be done, using the Sweep function. You can read more about this ability at:

Organize your inbox with Archive, Sweep and other tools in Outlook.com

Sweep rules only run once a day but do provide a potential way for bad actors to hide their activity, however as it turned out Sweep was in fact being exploited by bad actors inside a compromised mailbox.

I have therefore updated my publicly available PowerShell script at:


That will now also check and report on any Sweep rules in finds in mailboxes as well as any other forwards configured in the tenant.

Let me know if you find any other methods that this doesn’t cover and I’ll look at incorporating those as well.