Detections
Analytics

2.1.1 Ensure Safe Links for Office Applications is Enabled

Information

Enabling Safe Links policy for Office applications allows URL's that exist inside of Office documents and email applications opened by Office, Office Online and Office mobile to be processed against Defender for Office time-of-click verification and rewritten if required.

Note: E5 Licensing includes a number of Built-in Protection policies. When auditing policies note which policy you are viewing, and keep in mind CIS recommendations often extend the Default or Build-in Policies provided by MS. In order to Pass the highest priority policy must match all settings recommended.

Rationale:

Safe Links for Office applications extends phishing protection to documents and emails that contain hyperlinks, even after they have been delivered to a user.

Impact:

User impact associated with this change is minor - users may experience a very short delay when clicking on URLs in Office documents before being directed to the requested site. Users should be informed of the change as, in the event a link is unsafe and blocked, they will receive a message that it has been blocked.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To create a Safe Links policy:

Navigate to Microsoft 365 Defender https://security.microsoft.com

Under Email & collaboration select Policies & rules

Select Threat policies then Safe Links

Click on +Create

Name the policy then click Next

In Domains select all valid domains for the organization and Next

Ensure the following URL & click protection settings are defined:
Email

Checked On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default

Checked Apply Safe Links to email messages sent within the organization

Checked Apply real-time URL scanning for suspicious links and links that point to files

Checked Wait for URL scanning to complete before delivering the message

Unchecked Do not rewrite URLs, do checks via Safe Links API only.

Teams

Checked On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten

Office 365 Apps

Checked On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten

Click protection settings

Checked Track user clicks

Unchecked Let users click through the original URL

There is no recommendation for organization branding.

Click Next twice and finally Submit

To create a Safe Links policy using the Exchange Online PowerShell Module:

Connect using Connect-ExchangeOnline.

Run the following PowerShell script to create a policy at highest priority that will apply to all valid domains on the tenant:

# Create the Policy
$params = @{
 Name = 'CIS SafeLinks Policy'
 EnableSafeLinksForEmail = $true
 EnableSafeLinksForTeams = $true
 EnableSafeLinksForOffice = $true
 TrackClicks = $true
 AllowClickThrough = $false
 ScanUrls = $true
 EnableForInternalSenders = $true
 DeliverMessageAfterScan = $true
 DisableUrlRewrite = $false

}

New-SafeLinksPolicy @params

# Create the rule for all users in all valid domains and associate with Policy
New-SafeLinksRule -Name 'CIS SafeLinks' -SafeLinksPolicy 'CIS SafeLinks Policy' -RecipientDomainIs (Get-AcceptedDomain).Name -Priority 0

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, CSCv7|7.4

Plugin: microsoft_azure

Control ID: 8ddc7df3487acf6ad1da99ba8a0edbcc4dc86cc164e77d49f63ec09be2737c54