Bypassing Safe Links in Exchange Online Advanced Threat Protection

In this article I will go through my findings and analysis on the Safe Links feature of Microsoft’s Office 365 Exchange Online Advanced Threat Protection.

Essentially what Safe Links does is rewrite the URLs in inbound e-mails that pass through the Exchange Online Protection (EOP) platform, so that each click is routed through Microsoft's URL check before the user reaches the destination. So if you send an e-mail to an organization with Safe Links enabled, the e-mail will look like this (original):

The URL gets rewritten to look like this (passed through Safe Links):

Bypass Method 1

It is not uncommon for organizations to add their own domains to the Safe Links whitelist policy. This is done for one of many reasons: either you trust your own domains, or you don't want to inconvenience staff when sending documents internally. Imagine sending a link to a .pdf on your corporate site to thousands of staff; a significant portion would click the link and be presented with this page:

This bypass exploits the whitelisted domains in the Safe Links policy by using URL obfuscation techniques.

Imagine you have Example Ltd which owns the domain The administrators of have added the domain to the whitelist in their Safe Links policy such that e-mails containing the URL don’t get re-written by EOP.

Using a URL obfuscation technique like the below can trick EOP into thinking that the domain is whitelisted when in fact it isn’t:

As you can see, simply obfuscating the URL by putting bogus credentials in it (everything before the `@` in a URL is a username and password, not the host, so the real destination is whatever follows the `@`) tricks Safe Links into thinking that the domain is instead of

Another obfuscation technique is:

Here the advanced threat protection isn't checking the entire domain. Instead it is tricked by a basic obfuscation technique: the whitelisted domain is inserted as a subdomain of the malicious domain, and because the check evidently matches the whitelisted string rather than the parsed hostname, the URL passes as whitelisted and is never rewritten.
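The following is an added example, not code from the original post, that shows the difference between the two whitelist checks the two tricks above rely on: a check that matches the whitelisted domain as a string at the start of the URL (which both the bogus-credentials and the subdomain form defeat) versus one that parses the URL and compares only the hostname. `example.com` and `evil.example` are assumed placeholders for the domains blanked out in the post, and the whitelist entry covering the domain plus its subdomains is an assumption about the policy.

```python
"""Added example (not from the original post): why a "do not rewrite" whitelist
is bypassable when the match is done on the raw URL string instead of on the
parsed hostname.

naive_is_whitelisted() mimics a check that looks for the whitelisted domain
right after the scheme; is_whitelisted() parses the URL first and compares
only the host. example.com / evil.example are assumed placeholders for the
domains blanked out in the post.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed policy entry: the organisation's own domain (and its subdomains).
WHITELIST = ("example.com",)


def naive_is_whitelisted(url: str, whitelist=WHITELIST) -> bool:
    """String-prefix check: 'does a whitelisted domain follow the scheme?'
    Both obfuscation tricks from the post defeat this kind of matching."""
    rest = url.split("://", 1)[-1].lower()
    return any(rest.startswith(d) for d in whitelist)


def hostname_of(url: str) -> Optional[str]:
    """Normalised host of a URL: userinfo ('user:pass@'), port, path and
    query are discarded, case is folded and a trailing dot is removed."""
    host = urlsplit(url).hostname  # None if there is no authority part
    if not host:
        return None
    return host.rstrip(".").lower()


def is_whitelisted(url: str, whitelist=WHITELIST) -> bool:
    """Hostname check: exact match or a genuine subdomain of a listed domain.
    'example.com.evil.example' is NOT a subdomain of 'example.com'."""
    host = hostname_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in whitelist)


def compare(url: str) -> tuple:
    """(naive verdict, hostname verdict) for one URL."""
    return naive_is_whitelisted(url), is_whitelisted(url)


# Constructed sample URLs; the two 'evil.example' forms are the post's tricks.
SAMPLES = {
    "https://example.com/docs/policy.pdf": "legitimate corporate link",
    "https://www.example.com/docs/policy.pdf": "legitimate subdomain",
    "https://example.com@evil.example/login": "whitelisted domain as bogus credentials",
    "https://example.com:443@evil.example/login": "bogus credentials with a fake port",
    "https://example.com.evil.example/login": "whitelisted domain as a subdomain of the attacker's host",
    "https://evil.example/?next=https://example.com": "whitelisted domain only in the query string",
}

if __name__ == "__main__":
    for url, note in SAMPLES.items():
        naive, strict = compare(url)
        print(f"naive={naive!s:<5} host={strict!s:<5} {url}  # {note}")
```

Running it shows the string check passing both attacker URLs while rejecting the legitimate `www.` subdomain; the hostname check gets all six right. The practical lesson for anyone writing or reviewing a URL allow-list (mail filters, proxies, redirect validators) is the same: parse first, then compare the host label by label, and never test whether the trusted domain "appears in" the URL.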

Bypass Method 2

With this technique, an attacker could simply block or redirect requests coming from the Exchange Online Protection infrastructure, so that EOP sees a harmless page while real users get the malicious one – yup, it's as simple as that. It's less of a vulnerability and more of a non-ideal configuration.

Helpfully, Microsoft makes the EOP IP ranges available online so all you need to do is block those ranges on your webserver with some .htaccess rules.

Even if the IP ranges weren't available online, the EOP requests carry none of the usual browser headers, which makes it very easy to distinguish EOP traffic from genuine traffic.

This is what genuine traffic looks like (notice the browser headers are present):

This is what EOP requests look like (notice that no browser headers are sent, so they are easy to distinguish from legitimate traffic):
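As an added example (not from the original post), here are the two signals Bypass Method 2 relies on, expressed as code: the client address falling in a published scanner range, and a request lacking the headers every browser sends. The CIDR blocks are placeholders from RFC 5737 documentation space, not Microsoft's real EOP list, and the sample requests are constructed. The `render_htaccess()` helper emits the Apache 2.4 access-control fragment that the post's ".htaccess rules" amount to.

```python
"""Added example (not from the original post): the two signals Bypass
Method 2 relies on for telling URL-scanner requests apart from real users,
plus the .htaccess fragment that blocks the published ranges.

SCANNER_RANGES holds placeholder networks from RFC 5737 documentation space,
NOT Microsoft's published EOP ranges; substitute the real list when using this.
"""
import ipaddress

SCANNER_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Headers a mainstream browser always sends on a top-level navigation.
BROWSER_HEADERS = ("host", "user-agent", "accept", "accept-language", "accept-encoding")


def from_scanner_range(client_ip: str) -> bool:
    """True if the client address lies in one of the published ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in SCANNER_RANGES)


def missing_browser_headers(headers: dict) -> list:
    """Browser headers absent from the request (header names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in BROWSER_HEADERS if h not in present]


def classify(client_ip: str, headers: dict) -> str:
    """'scanner' if the source IP or the bare header set gives it away, else 'user'."""
    if from_scanner_range(client_ip) or missing_browser_headers(headers):
        return "scanner"
    return "user"


def render_htaccess(ranges=SCANNER_RANGES) -> str:
    """Apache 2.4 access control: deny the listed ranges, allow everyone else."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {net}" for net in ranges]
    lines.append("</RequireAll>")
    return "\n".join(lines)


# Constructed requests: a browser visit and a header-less fetch of the same page.
BROWSER_REQUEST = {
    "Host": "www.example.com",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/51.0",
    "Accept": "text/html,application/xhtml+xml",
    "Accept-Language": "en-GB,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
}
SCANNER_REQUEST = {"Host": "www.example.com"}

if __name__ == "__main__":
    print(classify("203.0.113.7", BROWSER_REQUEST))   # user
    print(classify("192.0.2.25", BROWSER_REQUEST))    # scanner: listed range
    print(classify("203.0.113.7", SCANNER_REQUEST))   # scanner: no browser headers
    print(render_htaccess())
```

The defensive reading of this is the important one: any link check the attacker can fingerprint, whether Safe Links at click time or an analyst fetching a suspicious URL with curl from a corporate range, will be shown the decoy. A clean Safe Links verdict is therefore not proof that a link is safe, and manual verification of suspicious URLs should be done from an address and with a header set that is indistinguishable from a real user's browser.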


  • 15/01/2017 – First reported
  • 20/01/2017 – I requested an update
  • 01/02/2017 – I requested an update
  • 07/01/2017 – MSRC claimed a ‘bug’ caused my replies to be missed. MSRC asked for some further clarifications which I addressed
  • 15/02/2017 – I requested an update
  • 23/02/2017 – I notified MSRC that I will be publishing this article on the 27th
  • 24/02/2017 – I was asked to delay the publishing of this post and notified that a new MSRC case was created
  • 15/03/2017 – MSRC advised that the issue doesn’t “meet the security servicing bug bar” and that they are closing the case
  • 16/03/2017 – Published

Office 365 Quarantine Tool

If you find yourself using the Office 365 (Exchange Online) e-mail quarantine often, then you probably know how frustrating and slow it can be to find and release quarantined items quickly. Often you'll find yourself waiting for a few minutes only to realise it's not doing anything. Then you have to refresh the page and re-enter your search criteria. The fact that you can't even wildcard searches is also unforgivable (it's 2016 Microsoft, why can we not wildcard search the subject and sender fields?!)

This annoyance coupled with my eagerness to play with PowerShell led me to develop a quick and dirty quarantine tool or viewer if you like. The tool is quite basic but it will let you do the following:

  • Wildcard search the subject and sender fields
  • Configure the number of results to return
  • Release a message based on message ID

[Screenshots: Office 365 Quarantine Tool v01]
If you want to have a play with the tool, it’s on my GitHub along with the source code if you feel like suggesting some improvements.

Creating Office 365 Mailboxes in a Hybrid Setup

In this article I will show you how to create Exchange Online mailboxes in a hybrid environment such that the mailboxes also show up in the on-premises Exchange server management console.

The most logical way of creating an Exchange Online mailbox (you'd think) is to let AD users DirSync across to 365, assign them licenses and be done with it. However, doing it this way doesn't create a link between Exchange Online and your on-premises Exchange server, which means you can't do things like manage the user's mailbox from the EMC or migrate the mailbox between on-premises and Exchange Online.

Continue reading Creating Office 365 Mailboxes in a Hybrid Setup

Bulk Licensing Office 365 Users with PowerShell

Licensing Office 365 users manually can be a tedious task, especially if you are tasked with licensing hundreds or even thousands (think educational institutes that need to license users every semester or academic year).

I created a fairly basic script that will take a .CSV input and license your users according to your Office 365 environment and the licenses you have available.

Continue reading Bulk Licensing Office 365 Users with PowerShell

Can you Move from an Office 365 Enterprise Plan to a Midsize Business Plan?

The short answer is, yes.
The long answer is that it will require a lot of work on your behalf.

The new Office 365 midsize business plan is very similar to the E3 plan (bar some advanced features which most users probably won’t need anyway) without the more expensive price tag attached to it; for UK users this is £9.80 per user per month as compared to £15 per user per month… if you have a lot of users the cost adds up very quickly.

Continue reading Can you Move from an Office 365 Enterprise Plan to a Midsize Business Plan?

Setting Office 365 User Passwords to Never Expire

The default policy for Office 365 user accounts is to automatically expire their passwords after 90 days.

Some of our users experienced this today, and the most annoying thing about it was that they were not warned beforehand. They were simply locked out of their account until they changed the password there and then, unlike the Windows OS counterpart, which gives you a comfortable 15-day warning before forcing you to change your password.

Anyway, this article will tell you how to set the password expiry from 90 days to never.
Office 365 already enforces a strong password policy BUT I do not recommend you change this setting if your users often use public terminals or are prone to writing their passwords on sticky notes and keeping them under their keyboards 🙂

Continue reading Setting Office 365 User Passwords to Never Expire

Archiving a User’s Mailbox on Office 365

So an employee has left the company and you now need to archive the mailbox due to legal and/or company policies.
This article will give you a quick overview on how you can achieve this goal on an Office 365 mailbox while maintaining the integrity and security of your organisation’s 365 account.
Although not necessary, I recommend (as a prerequisite) disabling the account's sign-in capability and resetting the user account password.
This will prevent the user from logging in to the account and messing around with it whilst you are attempting to archive their mailbox.

Continue reading Archiving a User’s Mailbox on Office 365