Safe Links Policy for Office Applications

💼 Management Summary

Safe Links rewrites URLs in emails and Office documents to point at Microsoft's protection service, which scans each URL at the moment it is clicked (time-of-click) for malicious content, so that phishing sites and malware downloads are blocked.

Recommendation: Implement
Risk without implementation: Critical
Risk score: 9/10
Implementation effort: 4 h (technical: 1 h)
Applies to:
  ✓ M365
  ✓ Office Apps
  ✓ Defender for Office 365
  ✓ Word
  ✓ Excel
  ✓ PowerPoint

URL-based attacks in email are extremely effective and evolve quickly: phishing links to credential-theft sites that imitate login pages, malware download links that distribute ransomware or trojans, weaponized URLs that exploit browser vulnerabilities, and URL shorteners that hide malicious destinations. Traditional URL filtering at email delivery is insufficient because attackers switch the destination AFTER delivery (URL weaponization): the email is delivered with a clean link, within hours the link is redirected to a malicious site, and static filtering misses the threat. Safe Links provides time-of-click protection: the URL is checked in real time when the user clicks (not at delivery), it is blocked if malicious even if it was clean at delivery, which defends against URL weaponization, and it works in email, Teams messages AND Office documents (links embedded in Word/Excel/PowerPoint). This prevents zero-hour phishing attacks in which attackers use timing to evade detection.

Required PowerShell modules
Primary API: Exchange Online PowerShell
Connection: Connect-ExchangeOnline
Required modules: ExchangeOnlineManagement

Implementation

Safe Links policy configuration consists of:

  1. Protection scope: all users, or priority groups (executives, finance)
  2. Enable for Office apps: Word, Excel, PowerPoint, Visio; protects against malicious links in documents
  3. URL rewriting: URLs in email are rewritten to https://<region>.safelinks.protection.outlook.com/?url=... for real-time scanning
  4. Real-time scanning: every click triggers a new URL reputation check
  5. Click tracking: log which users click which URLs (security analytics)
  6. Block settings: do not let users click through warnings (hard block on malicious URLs)

Once enabled, all URLs in email are automatically rewritten and scanned. Users see a warning page for malicious URLs, with an option to click through (disabled in a secure configuration) or go back. In Office apps the link text itself is not rewritten; the Safe Links service is consulted at the moment the user clicks. URLs to well-known safe sites (microsoft.com, etc.) are not rewritten, for performance.
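An added example (not part of the original baseline page or its script) showing what the rewriting above looks like from the analyst's side: given a rewritten link from a user's phishing report or a proxy log, recover the original target without clicking it. The rewritten form is https://<region>.safelinks.protection.outlook.com/?url=<encoded target>&data=...&sdata=...&reserved=0. The sample message body at the bottom, its hosts and the look-alike wrapper host are constructed for illustration.

```powershell
Add-Type -AssemblyName System.Web   # HttpUtility on Windows PowerShell 5.1

function ConvertFrom-SafeLinksUrl {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Url)
    process {
        $uri = [System.Uri]$Url
        # Only the Microsoft Safe Links host is unwrapped. Anything else is passed through
        # unchanged, so a look-alike such as x.safelinks.protection.outlook.com.evil.test
        # (constructed for this example) is never mistaken for the real wrapper.
        if ($uri.Host -notlike '*.safelinks.protection.outlook.com') {
            return [pscustomobject]@{ Rewritten = $false; Wrapper = $null; Target = $Url }
        }
        $query  = [System.Web.HttpUtility]::ParseQueryString($uri.Query)
        $target = $query['url']   # ParseQueryString percent-decodes the value for us
        if ([string]::IsNullOrEmpty($target)) {
            throw "Safe Links URL without url= parameter: $Url"
        }
        [pscustomobject]@{ Rewritten = $true; Wrapper = $uri.Host; Target = $target }
    }
}

# Pull every URL out of a text blob (mail body, ticket text) and unwrap the rewritten ones.
function Get-SafeLinksTargets {
    param([Parameter(Mandatory)][string]$Text)
    [regex]::Matches($Text, 'https?://[^\s"<>]+') |
        ForEach-Object { $_.Value } |
        ConvertFrom-SafeLinksUrl
}

# Constructed sample: one rewritten link, one plain link, one look-alike wrapper host.
$sampleBody = @"
Please review https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.example.test%2Fsignin%3Fid%3D42&data=05%7C01%7C&sdata=x&reserved=0
and https://intranet.example.test/policy
and https://nam02.safelinks.protection.outlook.com.evil.test/?url=https%3A%2F%2Fevil.test
"@

Get-SafeLinksTargets -Text $sampleBody | Format-Table Rewritten, Wrapper, Target -AutoSize
```

The first URL is unwrapped to https://login.example.test/signin?id=42, the second is returned as-is, and the third is reported as not rewritten because its host only ends in the attacker's domain. Decoding is for triage only; the target is still handed to a sandbox or URL scanner, not opened.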

Prerequisites

The following prerequisites apply to a Safe Links implementation:

  1. Microsoft Defender for Office 365 Plan 1 or Plan 2 license
  2. Exchange Administrator or Security Administrator role
  3. PowerShell 5.1+ with the ExchangeOnlineManagement module
  4. User communication plan: explain URL rewriting (links look different)
  5. Allowlist for trusted domains (optional): internal sites that need no scanning
  6. Testing of business-critical links: verify there are no false positives
  7. Browser compatibility: modern browsers (Edge, Chrome, Firefox) are supported

Implementation steps

Safe Links implementation via the Microsoft 365 Defender portal:

Use PowerShell script safe-links-office.ps1 (function Invoke-Remediation): a PowerShell script that automatically creates a Safe Links policy with the RECOMMENDED settings.

Configuration via the Microsoft 365 Defender portal:

  1. Go to security.microsoft.com → Email & collaboration → Policies & rules
  2. Select 'Threat policies' → Safe Links
  3. Click 'Create' → Name: 'Safe Links - Company Wide'
  4. Protection settings:
     - On: URLs will be rewritten and checked: Enabled
     - Apply Safe Links to email messages sent within the organization: Enabled
     - Apply real-time URL scanning for suspicious links and links that point to files: Enabled
     - Wait for URL scanning to complete before delivering the message: Enabled (security over speed)
     - Do not rewrite URLs, do checks via Safe Links API only: Disabled (keep rewriting)
  5. Office apps protection:
     - Apply Safe Links to supported Office 365 apps: Enabled (CRITICAL)
     - Office apps: Word, Excel, PowerPoint, Visio, OneNote online
  6. Click tracking:
     - Track user clicks: Enabled (security analytics)
     - Let users click through to the original URL: Disabled (hard block on malicious URLs)
  7. Notification:
     - Display organization branding on notification and warning pages: Enabled
     - Custom notification text: optional
  8. Applied to: all recipient domains
  9. Priority: 0 (highest)
  10. Save the policy

Advanced settings (optional):

  1. 'Do not rewrite the following URLs' list: add trusted internal domains (keep it minimal; every entry is a gap in time-of-click protection)
  2. Block URLs: add known malicious domains (now managed in the Tenant Allow/Block List; complementary to Safe Links)
  3. Custom blocked-URL action: warning page with company branding
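An added example, not part of the original page or its script, that checks every Safe Links policy and rule in the tenant against the recommended values from the steps above and lists the deviations, including every 'do not rewrite' entry for review. The property names are those returned by Get-SafeLinksPolicy and Get-SafeLinksRule; the values in $Baseline are this page's recommendations. It assumes an active Connect-ExchangeOnline session when called without arguments; the offline run at the bottom uses a constructed weak policy. The RecommendedPolicyType/IsBuiltInProtection test used to skip preset policies is an assumption about those properties and is documented as such in the code.

```powershell
$Baseline = [ordered]@{
    EnableSafeLinksForEmail    = $true    # rewrite and check URLs in email
    EnableForInternalSenders   = $true    # intra-organization mail too
    ScanUrls                   = $true    # real-time scanning of suspicious links
    DeliverMessageAfterScan    = $true    # wait for the scan before delivery
    DisableUrlRewrite          = $false   # "do not rewrite, API checks only" must stay off
    EnableSafeLinksForOffice   = $true    # Word/Excel/PowerPoint/Visio/OneNote (CRITICAL)
    EnableSafeLinksForTeams    = $true
    TrackClicks                = $true    # click analytics for the SOC
    AllowClickThrough          = $false   # hard block: no bypass of the warning page
    EnableOrganizationBranding = $true
}

function Test-SafeLinksBaseline {
    param(
        [object[]]$Policies = (Get-SafeLinksPolicy),   # defaults query the live tenant
        [object[]]$Rules    = (Get-SafeLinksRule)
    )
    $findings = foreach ($p in $Policies) {
        foreach ($setting in $Baseline.Keys) {
            $actual = $p.$setting
            if ($actual -ne $Baseline[$setting]) {
                [pscustomobject]@{ Policy = $p.Name; Check = $setting
                                   Expected = $Baseline[$setting]; Actual = $actual; Severity = 'High' }
            }
        }
        # Every "do not rewrite" entry is a hole in time-of-click protection: list it for review.
        foreach ($entry in @($p.DoNotRewriteUrls)) {
            if ($entry) {
                [pscustomobject]@{ Policy = $p.Name; Check = 'DoNotRewriteUrls'
                                   Expected = 'documented exception'; Actual = $entry; Severity = 'Review' }
            }
        }
        # A custom policy protects nobody until an enabled rule points at it. Preset policies
        # (Standard/Strict/Built-in) are bound through their own rule cmdlets, so they are skipped
        # here; the property names used to recognise them are an assumption.
        $isPreset = ($p.RecommendedPolicyType -and $p.RecommendedPolicyType -ne 'Custom') -or $p.IsBuiltInProtection
        if (-not $isPreset) {
            $rule = $Rules | Where-Object { $_.SafeLinksPolicy -eq $p.Name }
            if (-not $rule) {
                [pscustomobject]@{ Policy = $p.Name; Check = 'Rule'
                                   Expected = 'enabled rule'; Actual = 'no rule (policy unused)'; Severity = 'High' }
            } elseif ($rule.State -ne 'Enabled') {
                [pscustomobject]@{ Policy = $p.Name; Check = 'Rule'
                                   Expected = 'Enabled'; Actual = $rule.State; Severity = 'High' }
            }
        }
    }
    $findings
}

# Constructed sample: a policy that still allows click-through, lacks Office protection,
# carries a broad rewrite exception and whose rule is switched off.
$weak = [pscustomobject]@{
    Name = 'Legacy Safe Links'; EnableSafeLinksForEmail = $true; EnableForInternalSenders = $false
    ScanUrls = $true; DeliverMessageAfterScan = $false; DisableUrlRewrite = $false
    EnableSafeLinksForOffice = $false; EnableSafeLinksForTeams = $true; TrackClicks = $true
    AllowClickThrough = $true; EnableOrganizationBranding = $false
    DoNotRewriteUrls = @('*.partner.example'); RecommendedPolicyType = 'Custom'
}
$weakRule = [pscustomobject]@{ Name = 'Legacy Rule'; SafeLinksPolicy = 'Legacy Safe Links'; State = 'Disabled'; Priority = 0 }

Test-SafeLinksBaseline -Policies @($weak) -Rules @($weakRule) | Format-Table -AutoSize
# Against the live tenant:  Test-SafeLinksBaseline | Format-Table -AutoSize
```

The sample run reports six findings: EnableForInternalSenders, DeliverMessageAfterScan, EnableSafeLinksForOffice, AllowClickThrough and EnableOrganizationBranding off-baseline, the *.partner.example exception for review, and the disabled rule. An empty result from the live run is the state the portal steps above are meant to produce.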

Monitoring

Use PowerShell script safe-links-office.ps1 (function Invoke-Monitoring): a PowerShell script that validates the Safe Links policy configuration.

Continuous monitoring of Safe Links effectiveness:

  1. Microsoft 365 Defender portal → Reports → Email & collaboration → Threat protection status
  2. Safe Links detections: how many malicious URLs are blocked per day/week
  3. Top clicked URLs: which URLs are clicked most (legitimate vs malicious patterns)
  4. Top targeted users: who clicks suspicious links (extra training needed)?
  5. Click-through rate: percentage of users who bypass warnings (should be 0% with a hard block)
  6. False positives: legitimate URLs wrongly blocked (tune the allowlist)
  7. Threat Explorer: advanced URL analysis and campaign tracking
  8. User-reported messages: are users reporting missed malicious links?
  9. SIEM integration: export Safe Links events for correlation analysis
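An added example, not part of the original page or its script, that turns Safe Links click events into the metrics listed above: verdicts per day, click-through rate, most-targeted users, most-blocked URLs and a per-workload split. Live data would come from Get-SafeLinksDetailReport (Defender for Office 365); the property names ClickTime, Action, RecipientAddress, Url and Workload and the action values Allowed, Blocked, ClickedEvenBlocked and ClickedDuringScan are assumptions about that report's output and should be checked against your tenant. The six events below are constructed so the block runs offline.

```powershell
function Measure-SafeLinksClicks {
    param([Parameter(Mandatory)][object[]]$Events, [int]$Top = 5)

    # Verdict counts and per-day volume (detections per day/week).
    $byAction = $Events | Group-Object Action | Sort-Object Count -Descending |
        Select-Object @{n = 'Action'; e = { $_.Name }}, Count
    $byDay = $Events | Group-Object { ([datetime]$_.ClickTime).ToString('yyyy-MM-dd') } |
        Sort-Object Name | Select-Object @{n = 'Day'; e = { $_.Name }}, Count

    # Everything that was not plainly allowed is a verdict worth looking at; a ClickedEven*
    # or ClickedDuring* action means the user went past the warning page (or clicked while
    # the scan was still pending), which a hard-block policy should make impossible.
    $malicious = @($Events | Where-Object { $_.Action -ne 'Allowed' })
    $bypass    = @($malicious | Where-Object { $_.Action -like 'ClickedEven*' -or $_.Action -like 'ClickedDuring*' })
    $rate = if ($malicious.Count) { [math]::Round(100 * $bypass.Count / $malicious.Count, 1) } else { 0 }

    [pscustomobject]@{
        TotalClicks      = $Events.Count
        ByAction         = $byAction
        ByDay            = $byDay
        ClickThroughRate = $rate   # percent of non-allowed verdicts that were clicked anyway; target is 0
        Bypassers        = $bypass | Select-Object ClickTime, RecipientAddress, Url, Action
        TopUsers         = $malicious | Group-Object RecipientAddress | Sort-Object Count -Descending |
                               Select-Object -First $Top -Property @{n = 'User'; e = { $_.Name }}, Count
        TopBlockedUrls   = $malicious | Group-Object Url | Sort-Object Count -Descending |
                               Select-Object -First $Top -Property @{n = 'Url'; e = { $_.Name }}, Count
        ByWorkload       = $Events | Group-Object Workload | Select-Object @{n = 'Workload'; e = { $_.Name }}, Count
    }
}

# Constructed sample events (two days, three users, email/Teams/Office clicks).
$sample = @(
    [pscustomobject]@{ ClickTime = '2024-05-02 09:12'; Action = 'Blocked';            RecipientAddress = 'ann@example.test'; Url = 'https://login-example.test/signin';    Workload = 'Email' }
    [pscustomobject]@{ ClickTime = '2024-05-02 09:40'; Action = 'ClickedEvenBlocked'; RecipientAddress = 'bob@example.test'; Url = 'https://login-example.test/signin';    Workload = 'Email' }
    [pscustomobject]@{ ClickTime = '2024-05-02 11:05'; Action = 'Allowed';            RecipientAddress = 'ann@example.test'; Url = 'https://intranet.example.test/news';   Workload = 'Office' }
    [pscustomobject]@{ ClickTime = '2024-05-03 08:02'; Action = 'Blocked';            RecipientAddress = 'bob@example.test'; Url = 'https://cdn-update.example.test/x.exe'; Workload = 'Teams' }
    [pscustomobject]@{ ClickTime = '2024-05-03 08:30'; Action = 'ClickedDuringScan';  RecipientAddress = 'cat@example.test'; Url = 'https://cdn-update.example.test/x.exe'; Workload = 'Email' }
    [pscustomobject]@{ ClickTime = '2024-05-03 14:15'; Action = 'Blocked';            RecipientAddress = 'bob@example.test'; Url = 'https://login-example.test/signin';    Workload = 'Office' }
)

$m = Measure-SafeLinksClicks -Events $sample
$m.ByAction | Format-Table -AutoSize
"Click-through rate: $($m.ClickThroughRate)% (bypasses: $($m.Bypassers.Count))"
$m.TopUsers | Format-Table -AutoSize

# Live tenant, last 7 days (cmdlet and parameters from Defender for Office 365):
# $events = Get-SafeLinksDetailReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
# Measure-SafeLinksClicks -Events $events
```

On the sample the rate is 40% (two bypasses out of five non-allowed verdicts), bob@example.test tops the user list with three suspicious clicks, and both bypass rows name the user and URL to follow up on. A non-zero rate in a tenant whose policy has AllowClickThrough set to false means some users are still covered by another policy, which is what the baseline check above would reveal.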

Remediation

Use PowerShell script safe-links-office.ps1 (function Invoke-Remediation) to restore the configuration.

For false positives (legitimate URLs blocked):

  1. Verify legitimacy: is the URL really safe? (VirusTotal, urlscan.io)
  2. Business impact: is a critical business workflow blocked?
  3. Temporary fix: submit the URL via 'Report false positive' in the Defender portal
  4. Permanent fix: add the URL to the 'Do not rewrite' list (MINIMAL; every entry is a security risk)
  5. Alternative: contact the website owner about security improvements
  6. Document the exception: business justification, approval, review date
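An added example, not part of the original page or its script, for steps 4 and 6: it adds a reviewed exception to the policy's 'Do not rewrite' list without wiping the entries already there, refuses patterns that would exempt a whole TLD, records justification, approver and review date in a register, and reports exceptions whose review date has passed. The policy name, entry, register path and names in the usage lines are assumptions for illustration. Set-SafeLinksPolicy, its -DoNotRewriteUrls parameter and the @{Add=}/@{Remove=} syntax for multi-valued properties are the real Exchange Online cmdlet and conventions.

```powershell
function Add-SafeLinksException {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$Entry,            # e.g. 'intranet.example.test/*'
        [Parameter(Mandatory)][string]$Justification,
        [Parameter(Mandatory)][string]$ApprovedBy,
        [int]$ReviewAfterDays = 90,
        [string]$Register = '.\safelinks-exceptions.csv'
    )
    # Refuse entries that exempt everything or an entire top-level domain.
    if ($Entry -match '^\*?\.?\*?$' -or $Entry -match '^\*\.[a-z]{2,}$' -or $Entry -notmatch '\.') {
        throw "Refusing overly broad exception '$Entry'"
    }
    if ($PSCmdlet.ShouldProcess($PolicyName, "add '$Entry' to DoNotRewriteUrls")) {
        # @{Add=...} appends to the multi-valued property. Passing a plain string here would
        # REPLACE the whole list and silently drop every earlier exception.
        Set-SafeLinksPolicy -Identity $PolicyName -DoNotRewriteUrls @{Add = $Entry} -ErrorAction Stop
        [pscustomobject]@{
            Policy        = $PolicyName
            Entry         = $Entry
            Justification = $Justification
            ApprovedBy    = $ApprovedBy
            Added         = (Get-Date).ToString('s')
            ReviewDate    = (Get-Date).AddDays($ReviewAfterDays).ToString('yyyy-MM-dd')
        } | Export-Csv -Path $Register -Append -NoTypeInformation
    }
}

function Remove-SafeLinksException {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$PolicyName, [Parameter(Mandatory)][string]$Entry)
    if ($PSCmdlet.ShouldProcess($PolicyName, "remove '$Entry' from DoNotRewriteUrls")) {
        Set-SafeLinksPolicy -Identity $PolicyName -DoNotRewriteUrls @{Remove = $Entry} -ErrorAction Stop
    }
}

# Exceptions past their review date; run this on a schedule and re-approve or remove each one.
function Get-ExpiredSafeLinksExceptions {
    param([string]$Register = '.\safelinks-exceptions.csv')
    if (-not (Test-Path $Register)) { return @() }
    Import-Csv $Register | Where-Object { [datetime]$_.ReviewDate -lt (Get-Date) }
}

# Usage (assumed names; -WhatIf shows the change without touching the tenant):
# Add-SafeLinksException -PolicyName 'Safe Links - Company Wide' -Entry 'intranet.example.test/*' `
#     -Justification 'HR portal blocked; verified clean on VirusTotal and urlscan.io' `
#     -ApprovedBy 'ciso@example.test' -WhatIf
# Get-ExpiredSafeLinksExceptions | Format-Table Entry, ApprovedBy, ReviewDate
# Remove-SafeLinksException -PolicyName 'Safe Links - Company Wide' -Entry 'intranet.example.test/*'
```

The register is deliberately separate from the tenant: Get-SafeLinksPolicy shows what is exempted but not why or until when, and an auditor will ask for both.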

Compliance and Auditing

Safe Links is essential for email security compliance: CIS Microsoft 365 Foundations Benchmark control 2.1.6 (Ensure Safe Links for Office Applications is Enabled), BIO theme 12.02 (Protection against malware: URL-based threats), ISO 27001 A.13.2.1 (information transfer policies, email security; this is the 2013 Annex A numbering, A.5.14 in the 2022 edition), NIS2 Article 21 (cybersecurity risk management: phishing prevention), and NIST CSF PR.IP-12 (vulnerability management plan). Safe Links is frequently required in security audits of M365 environments.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for monitoring (-Monitoring) and remediation (-Remediation), plus -Revert to remove the policy it created.

PowerShell
<#
.SYNOPSIS
    Safe Links Policy for Office Applications
.DESCRIPTION
    Ensures Safe Links protection is enabled for Office applications (Word, Excel, PowerPoint).
    Protects against malicious URLs in Office documents.
.NOTES
    Filename: safe-links-office.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    Requires: Microsoft Defender for Office 365 Plan 1 or 2
.EXAMPLE
    .\safe-links-office.ps1 -Monitoring
    Check if Safe Links is enabled for Office apps
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)] [switch]$Monitoring,
    [Parameter(Mandatory = $false)] [switch]$Remediation,
    [Parameter(Mandatory = $false)] [switch]$Revert,
    [switch]$WhatIf   # report intended changes without making them
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Safe Links for Office Apps" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        Write-Host "Checking Safe Links policies..." -ForegroundColor Gray
        # @() keeps a single policy behaving as a collection
        $policies = @(Get-SafeLinksPolicy -ErrorAction Stop)
        $result = @{
            total           = $policies.Count
            officeProtected = 0
        }
        if ($policies.Count -eq 0) {
            Write-Host " [FAIL] No Safe Links policies found" -ForegroundColor Red
            Write-Host " ⚠️ Requires Defender for Office 365" -ForegroundColor Yellow
        } else {
            foreach ($policy in $policies) {
                if ($policy.EnableSafeLinksForOffice) {
                    $result.officeProtected++
                    Write-Host " [OK] OFFICE PROTECTED: $($policy.Name)" -ForegroundColor Green
                } else {
                    Write-Host " ⚠️ OFFICE NOT PROTECTED: $($policy.Name)" -ForegroundColor Yellow
                }
                Write-Host "   Email protection:  $($policy.EnableSafeLinksForEmail)" -ForegroundColor Cyan
                Write-Host "   Teams protection:  $($policy.EnableSafeLinksForTeams)" -ForegroundColor Cyan
                Write-Host "   Office protection: $($policy.EnableSafeLinksForOffice)" -ForegroundColor $(
                    if ($policy.EnableSafeLinksForOffice) { "Green" } else { "Red" })
            }
        }
        # The control is "Office apps protected": a policy that exists but leaves Office
        # protection off does not count as compliant.
        $result.isCompliant = ($result.officeProtected -gt 0)

        Write-Host "`n Total policies: $($result.total)" -ForegroundColor Cyan
        Write-Host " Office apps protected: $($result.officeProtected)" -ForegroundColor $(
            if ($result.officeProtected -gt 0) { "Green" } else { "Red" })
        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        $existing = @(Get-SafeLinksPolicy -ErrorAction Stop)
        if ($existing.Count -gt 0) {
            # Policies exist: switch Office protection on where it is missing instead of
            # assuming the existing policies already cover Office apps.
            foreach ($p in $existing) {
                if ($p.EnableSafeLinksForOffice) {
                    Write-Host " [OK] Office protected: $($p.Name)" -ForegroundColor Green
                    continue
                }
                if ($WhatIf) {
                    Write-Host " [WHATIF] Would enable Office protection on: $($p.Name)" -ForegroundColor Yellow
                    continue
                }
                try {
                    Set-SafeLinksPolicy -Identity $p.Name -EnableSafeLinksForOffice $true -ErrorAction Stop
                    Write-Host " [OK] Office protection enabled on: $($p.Name)" -ForegroundColor Green
                } catch {
                    # Preset/built-in policies cannot be edited; report and carry on
                    Write-Host " ⚠️ Could not update $($p.Name): $_" -ForegroundColor Yellow
                }
            }
            exit 0
        }

        Write-Host "Creating Safe Links policy..." -ForegroundColor Gray
        $policyParams = @{
            Name                     = 'Default Safe Links - NL Baseline'
            EnableSafeLinksForEmail  = $true
            EnableSafeLinksForTeams  = $true
            EnableSafeLinksForOffice = $true    # KEY: Protect Office apps
            TrackClicks              = $true
            AllowClickThrough        = $false   # Don't let users bypass warnings
            ScanUrls                 = $true
            EnableForInternalSenders = $true
            DeliverMessageAfterScan  = $true
        }
        $domains = @(Get-AcceptedDomain | Select-Object -ExpandProperty Name)
        if ($WhatIf) {
            Write-Host " [WHATIF] Would create policy '$($policyParams.Name)' and a priority-0 rule for: $($domains -join ', ')" -ForegroundColor Yellow
            exit 0
        }
        $policy = New-SafeLinksPolicy @policyParams -ErrorAction Stop
        Write-Host " [OK] Policy created" -ForegroundColor Green

        $ruleParams = @{
            Name              = 'Default Safe Links Rule - NL Baseline'
            SafeLinksPolicy   = $policy.Name
            RecipientDomainIs = $domains
            Priority          = 0
        }
        $rule = New-SafeLinksRule @ruleParams -ErrorAction Stop
        Write-Host " [OK] Rule created: $($rule.Name)" -ForegroundColor Green
        Write-Host "`n[OK] Safe Links configured for:" -ForegroundColor Green
        Write-Host "  • Email messages" -ForegroundColor Cyan
        Write-Host "  • Teams messages" -ForegroundColor Cyan
        Write-Host "  • Office applications (Word, Excel, PowerPoint)" -ForegroundColor Cyan
        exit 0
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        $policy = Get-SafeLinksPolicy -Identity 'Default Safe Links - NL Baseline' -ErrorAction SilentlyContinue
        if ($policy) {
            # Remove the rule first, then the policy it references
            $rule = Get-SafeLinksRule | Where-Object { $_.SafeLinksPolicy -eq $policy.Name }
            if ($rule) {
                Remove-SafeLinksRule -Identity $rule.Name -Confirm:$false -ErrorAction Stop
            }
            Remove-SafeLinksPolicy -Identity $policy.Name -Confirm:$false -ErrorAction Stop
            Write-Host " ⚠️ Policy removed" -ForegroundColor Yellow
        }
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

try {
    if ($Revert) { Invoke-Revert }
    elseif ($Monitoring) { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    else {
        Write-Host "Usage:" -ForegroundColor Yellow
        Write-Host "  -Monitoring   Check Safe Links configuration" -ForegroundColor Gray
        Write-Host "  -Remediation  Create Safe Links policy" -ForegroundColor Gray
        Write-Host "  -Revert       Remove policy" -ForegroundColor Gray
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

Critical: CRITICAL PHISHING RISK: Without Safe Links, URL-based phishing attacks succeed when users click malicious links that steal credentials or download malware. Zero-hour attacks in which URLs are weaponized AFTER email delivery bypass traditional filtering. Safe Links prevents: credential theft via fake login pages (90% of phishing uses credential-harvesting URLs), malware downloads via weaponized URLs, browser exploits via malicious websites, and business email compromise via phishing links. Estimated cost of a successful URL-based phishing attack: €25,000 to €250,000 per incident.

Management Summary

Enable Safe Links for email AND Office apps (Word/Excel/PowerPoint). Real-time URL scanning on every click. Blocks phishing and malware URLs. URL rewriting for time-of-click protection. Requires Defender for Office 365 P1/P2. Meets CIS 2.1.6 (L1), BIO 12.02, NIS2. Implementation: 1 hour technical + 3 hours user communication. CRITICAL ANTI-PHISHING CONTROL.