disabling safe links may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.

t1566
o365
elastic

Techniques

T1566

Sample rules

Microsoft 365 Exchange Safe Link Policy Disabled

source: elastic
technicques:
- T1566

Description

Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.

Detection logic

event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success