Information Services Division


Enhanced email security features

Safe Links and Safe Attachments are security features for email (live@UCL), OneDrive for Business, SharePoint and Teams to help protect staff and students from malicious content.

Safe Links - scanning web addresses in email and documents

Safe Links provides a time-of-click verification of web addresses sent within an email to an individual’s mailbox, within a document opened in OneDrive for Business, SharePoint and Teams, or a document opened within the Office Professional Plus software package.

What happens to the format of the link within the email?

Web addresses which have not been whitelisted at an organisational level will be rewritten to direct to Safe Links first, which will appear using the following address format:


If you have sent or received an email using HTML format, the text representing the link within the body of the email will still appear as the original (e.g. ‘Contact the ISD IT Services for more information’), but the link will redirect to Safe Links when clicked.

Web addresses which have been whitelisted are bypassed by Safe Links and remain the same format they are sent.

What happens when I click on a link?

When an individual clicks on a link, a series of checks are performed to determine whether the destination is safe:

  • If the original link has been whitelisted at an organisational level, the website will open.
  • If the original link has been blacklisted at an organisational level, a warning page will appear preventing access to the site.
  • If the original link has been determined to be malicious based upon Microsoft’s known blacklist, a warning page will appear preventing access to the site.
  • If the original link has been determined to be safe, the website will open.

The following examples demonstrate Safe Links in action:

Scan still in progress

Safe Links Scan In Progress example
The address is being scanned by Safe Links. You might have to wait a few moments to try the link again

Suspicious email message

Safe Links Suspicious email message example
The link is in an email message that seems similar to other email messages that are considered suspicious.

Phishing attempt

Safe Links phishing attempt example
The link is in an email message that has been identified as a phishing attack. As a result, all links in the email message are blocked.

Malicious site

Safe Links malicious site warning

The link points to a site that has been identified as malicious.

Blacklisted at an organisational level

Safe Links blacklisted warning
The link has been blocked at the organisational (UCL) level.

Safe attachments - scanning documents for malicious content

Safe Attachments provides an improved file scanning facility to detect malicious content in real-time as the item is received. When an email is sent with an attachment, the file is opened and tested in a virtual environment before the recipient receives it. If the attachment is determined to be malicious, it will be removed automatically. If the attachment is safe, it will remain attached and will open as expected.

Top queries

Can I opt-out of Safe Links/Safe Attachments?

Both Safe Links and Safe Attachments are mandatory for all accounts on the central UCL email service. No exceptions to this will be granted unless an individual can demonstrate that it is a reasonable adaptation for a disability they experience.

Staff and students can apply for a site to be whitelisted and exempt from checking.

How can I whitelist a web address?

If we trust the web address and service that it connects to, ISD can whitelist it at an organisational level. This means that all mail sent or received by UCL and documents handled in OneDrive for Business, SharePoint, Teams, or Office Pro Plus which contain the specified web address will not be rewritten and scanned for malicious content. If you would like to request this change, Contact the Information Security Group who will advise further.

The link has not been rewritten but should have been, why is that?

There could be two reasons:

1. Due to licensing constraints Safe Links will only rewrite links in your email when you have active student or staff status.

2. The web address may be whitelisted.

Do these features mean I can stop worrying about malicious emails as the system will catch them?

Both features will actively scan email sent and received (unless whitelisted) which contain links and attachments and will block them in three instances:

1. The links or attachments within the messages are known by Microsoft as being malicious.

2. The links or attachments within the messages have been blocked by ISD.

3. The links or attachments within the message are scanned and detected as malicious content.

Even with these measures in place, there may still be instances where malicious emails are not detected. We still advise users to be vigilant of the content sent to them and to contact IT Services if they are unsure.

The links appear longer than normal in the body of my email, why is that?

This can be caused by the message format of the email you have sent or received. If you use the Plain Text message format to send messages (or if you receive any messages sent using Plain Text), any links which contain web addresses that have not been whitelisted will be displayed as the full rewritten address. You can change the preferred format of messages you send to HTML per message, or for all future messages, within your mail program.