Detections
Analytics

2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled

Information

Enabling Safe Links policy for Office applications allows URL's that exist inside of Office documents and email applications opened by Office, Office Online and Office mobile to be processed against Defender for Office time-of-click verification and rewritten if required.

Note: E5 Licensing includes a number of Built-in Protection policies. When auditing policies note which policy you are viewing, and keep in mind CIS recommendations often extend the Default or Build-in Policies provided by MS. In order to Pass the highest priority policy must match all settings recommended.

Safe Links for Office applications extends phishing protection to documents and emails that contain hyperlinks, even after they have been delivered to a user.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remediate using the UI:

 -

Navigate to Microsoft 365 Defender

https://security.microsoft.com

 -

Under Email & collaboration select Policies & rules

 -

Select Threat policies then Safe Links

 -

Click on +Create

 -

Name the policy then click Next

 -

In Domains select all valid domains for the organization and Next

 -

Ensure the following URL & click protection settings are defined:

Email

 - Checked On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default
 - Checked Apply Safe Links to email messages sent within the organization
 - Checked Apply real-time URL scanning for suspicious links and links that point to files
 - Checked Wait for URL scanning to complete before delivering the message
 - Unchecked Do not rewrite URLs, do checks via Safe Links API only.

Teams

 - Checked On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten

Office 365 Apps

 - Checked On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten

Click protection settings

 - Checked Track user clicks
 - Unchecked Let users click through the original URL
 - There is no recommendation for organization branding.

 -

Click Next twice and finally Submit

To remediate using PowerShell:

 - Connect using Connect-ExchangeOnline
 - Run the following PowerShell script to create a policy at highest priority that will apply to all valid domains on the tenant:

# Create the Policy
$params = @{
 Name = "CIS SafeLinks Policy"
 EnableSafeLinksForEmail = $true
 EnableSafeLinksForTeams = $true
 EnableSafeLinksForOffice = $true
 TrackClicks = $true
 AllowClickThrough = $false
 ScanUrls = $true
 EnableForInternalSenders = $true
 DeliverMessageAfterScan = $true
 DisableUrlRewrite = $false

}

New-SafeLinksPolicy @params

# Create the rule for all users in all valid domains and associate with Policy
New-SafeLinksRule -Name "CIS SafeLinks" -SafeLinksPolicy "CIS SafeLinks Policy" -RecipientDomainIs (Get-AcceptedDomain).Name -Priority 0

Impact:

User impact associated with this change is minor - users may experience a very short delay when clicking on URLs in Office documents before being directed to the requested site. Users should be informed of the change as, in the event a link is unsafe and blocked, they will receive a message that it has been blocked.

See Also

https://workbench.cisecurity.org/benchmarks/17682

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, CSCv7|7.4

Plugin: microsoft_azure

Control ID: 941342503dd36c4fff6953812dca72e6b66f5dcd6277c5665a84ec9f18efbf6a