Microsoft Safelinks
On Tuesday 12th of December 2023 Information Services (IS) enabled the “SafeLink” feature of the Office 365* mail service.
This doesn’t seem to have been very well announced, and came as a surprise even to the Informatics computing staff.
The basics are now that when a mail is delivered into your Office 365 mailbox, any links in it are rewritten into https://eur02.safelinks.protection.outlook.com/…. style URLs, so that anyone clicking on one is actually taken to a service that checks the original destination URL for malware and the like, and only forwards them onwards if it is deemed safe.
This is being done to lessen the chance of someone falling victim to a phishing or ransomware attack, and the potential damage this could cause the University.
If you are already used to HTML based email, and use Microsoft products to read your mail, then you may hardly notice this change. “Plain text” users, however, will see these quite intrusive changes.
We have already passed on our concerns about the communications around this change, and about data privacy (as each “safelink” URL now contains user identifiable data in it). We are awaiting a response to these issues, and will update this post with their reply.
For more details on this change, see https://www.ed.ac.uk/information-services/help-consultancy/it-help/email-and-office365/microsoft-365-safe-links which also points out that this feature also affects Teams and other MS applications like Word, Excel etc.
For some Microsoft technical details on Safelink, see https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about
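For plain text readers, the rewriting described above can be undone locally to see where a link really goes, and to see which query parameters carry the Microsoft-side metadata rather than the destination. The following is an added example, not code from the original post or from Microsoft; the regional host prefix, the "url"/"data"/"sdata"/"reserved" parameter names and the sample message are assumptions or constructed values.

```python
import re
from urllib.parse import urlsplit, unquote

# A SafeLinks wrapper as it appears in delivered mail. The regional host prefix
# (eur02 etc.) varies, so the subdomain part is left open (assumption).
SAFELINK_RE = re.compile(
    r"https?://[A-Za-z0-9.-]*safelinks\.protection\.outlook\.com/\S+"
)

def parse_query(query: str) -> dict:
    """Split a query string into a dict, decoding %XX but leaving '+' alone
    (the wrapper percent-encodes the original URL in full)."""
    out = {}
    for field in query.split("&"):
        if field:
            key, _, value = field.partition("=")
            out[unquote(key)] = unquote(value)
    return out

def unwrap_one(wrapped: str):
    """Return (original_url, other_params) for one wrapper URL, or None if it
    carries no 'url' parameter. other_params is the per-recipient metadata
    ('data', 'sdata', ...) that the post is concerned about leaking."""
    params = parse_query(urlsplit(wrapped).query)
    if "url" not in params:
        return None
    return params["url"], {k: v for k, v in params.items() if k != "url"}

def unwrap_text(text: str):
    """Replace every wrapper in a plain-text body with its destination.
    Returns (new_text, [(wrapped, original), ...])."""
    found = []
    def sub(m):
        # Trailing sentence punctuation is not part of the URL (heuristic).
        wrapped = m.group(0).rstrip(".,;)>'\"")
        trailer = m.group(0)[len(wrapped):]
        res = unwrap_one(wrapped)
        if res is None:
            return m.group(0)
        found.append((wrapped, res[0]))
        return res[0] + trailer
    return SAFELINK_RE.sub(sub, text), found

# Constructed sample message body; the data/sdata values are placeholders.
SAMPLE = (
    "Please see https://eur02.safelinks.protection.outlook.com/?"
    "url=https%3A%2F%2Fwww.example.org%2Fdocs%2Fguide%3Fid%3D42%26lang%3Den"
    "&data=05%7C02%7Cplaceholder-user-token%7C"
    "&sdata=placeholder-signature&reserved=0 for details."
)

if __name__ == "__main__":
    body, links = unwrap_text(SAMPLE)
    print(body)
    for wrapped, original in links:
        print(original, "<-", unwrap_one(wrapped)[1])
```

Unwrapping is for reading the destination; following the unwrapped URL instead of the wrapper means the click-time check is never consulted.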
Neil
* Office 365 is now officially called “Microsoft 365”
Update 25/1/2024
A College level complaint about the rollout and implementation of Safelinks was sent to IS a week or so ago; we are still awaiting an official response to the points raised.
The DPIA question was raised, and the existing DPIA for the general use of Office 365 was used to cover any concerns. However, this can be reviewed, given the now obvious real world implications of the use of Safelinks, and private data being leaked when forwarding or copying and pasting URLs.
Presently only two of our services have been whitelisted: lists.inf and web.inf; however, we are hopeful that some 50 other inf.ed.ac.uk services will be added to that list shortly.
Update 22/2/2024
An official response was received, and can be viewed in the documents attached to https://computing.help.inf.ed.ac.uk/safelinks . We are also now temporarily able to exempt all academic and research staff from SafeLinks, see post to staff dated 21/2/2024.
A concerned citizen commented:
– In some cases multipart/alternative mail with plaintext and HTML parts gets only the HTML transformed, with the plain text untouched. Your blogtrottr post had this property when it arrived in my mailbox. This is pleasant for the recipient, but also a vulnerability in the “SafeLink” deployment. I’m reluctant to report it as such, though, on the off-chance it might get fixed.
– – Yes, I’d noticed this. I’ve also noticed that for some messages with the footer as a separate attachment, it doesn’t munge URLs in those either. I’ve not investigated further.
– I was pleased to see the alpine mail client is now attaching a warning to every one of these mails to say it contains deceptive links. Which is true enough, I suppose…