How to prevent Microsoft Defender from rewriting phishing links URL?
This guide applies only to Microsoft Defender for Office 365 Plan 2. If you're using Plan 1, the Safe Links policy settings mentioned below will not be available. Instead, you will need to configure exclusions using Exchange Transport Rules.
Microsoft Defender for Office 365 Plan 2 can modify URLs in emails by rewriting them for security scanning. This can affect the URLs used in Arsen Phishing Simulation tests, potentially impacting your training experience. We recommend you to configure Microsoft Defender to exclude Arsen’s phishing simulation URLs from Safe Links rewriting.
If Safe Links is enabled, phishing simulation links will be rewritten, making them harder to recognize during testing. By excluding only Arsen’s URLs (and no others), your users may more easily identify phishing links as suspicious, reinforcing their security awareness training.
Log in to your Arsen admin console.
Go to the Organization Settings and click Phishing Domains
Export the phishing domain list by clicking the download button.
If you don’t have direct access to this list, contact our support for assistance.
Log in to the Microsoft 365 Defender portal
Navigate to the Safe Links Policy Settings
In the left-hand menu, go to Email & Collaboration > Policies & rules. Click Threat policies and select Safe Links from the list under "Policies".
If "Safe Links" is not listed, your organization is using Plan 1 instead of Plan 2. In this case, you will need to use Exchange Transport Rules to bypass Safe Links instead. Note that if you just purchased the Microsoft Defender for Outlook 365 Plan 2 license, it might take up to 24 hours to fully propagate to your Microsoft Defender account.
Edit an Existing Safe Links Policy (or Create a new one)
Use an existing Safe Links Policy (if any). If you don’t have a custom policy yet, click Create and follow the steps to configure a new one, you can give it a name such as "*Prevent URL Rewrite for Arsen Phishing Simulations*".
Modify Safe Links Rewriting Settings
Locate the section "Do not rewrite the following URLs in email." and click Manage X URLs to add exceptions.
Add Arsen’s Phishing Simulation Domains
Click + Add URLs and enter each phishing domain from Step 1 of this guide using the wildcard format:
If you are using any Custom Phishing Domain (add link), don't forget to add them too to this list to avoid URL rewriting.
Press Enter after adding each domain.
Save and Apply Changes
Click Save to confirm your changes and click Done to exit the settings menu.
Excluding phishing simulation URLs from Safe Links does not affect real-world phishing protection.
Be careful not to exclude legitimate phishing threats—only add the URLs provided by Arsen.
If you need assistance, reach out to Arsen Support for guidance on best practices.
Microsoft Defender for Office 365 Plan 2 can modify URLs in emails by rewriting them for security scanning. This can affect the URLs used in Arsen Phishing Simulation tests, potentially impacting your training experience. We recommend you to configure Microsoft Defender to exclude Arsen’s phishing simulation URLs from Safe Links rewriting.
Why Exclude Arsen’s URLs?
If Safe Links is enabled, phishing simulation links will be rewritten, making them harder to recognize during testing. By excluding only Arsen’s URLs (and no others), your users may more easily identify phishing links as suspicious, reinforcing their security awareness training.
Steps to Exclude Arsen's Phishing Simulation URLs from Safe Links
Step 1: Retrieve the List of Arsen’s Phishing Domains
Log in to your Arsen admin console.
Go to the Organization Settings and click Phishing Domains
Export the phishing domain list by clicking the download button.
If you don’t have direct access to this list, contact our support for assistance.
Step 2: Configure Microsoft Defender to Exclude Arsen’s URLs
Log in to the Microsoft 365 Defender portal
Navigate to the Safe Links Policy Settings
In the left-hand menu, go to Email & Collaboration > Policies & rules. Click Threat policies and select Safe Links from the list under "Policies".
If "Safe Links" is not listed, your organization is using Plan 1 instead of Plan 2. In this case, you will need to use Exchange Transport Rules to bypass Safe Links instead. Note that if you just purchased the Microsoft Defender for Outlook 365 Plan 2 license, it might take up to 24 hours to fully propagate to your Microsoft Defender account.
Edit an Existing Safe Links Policy (or Create a new one)
Use an existing Safe Links Policy (if any). If you don’t have a custom policy yet, click Create and follow the steps to configure a new one, you can give it a name such as "*Prevent URL Rewrite for Arsen Phishing Simulations*".
Modify Safe Links Rewriting Settings
Locate the section "Do not rewrite the following URLs in email." and click Manage X URLs to add exceptions.
Add Arsen’s Phishing Simulation Domains
Click + Add URLs and enter each phishing domain from Step 1 of this guide using the wildcard format:
*.domain.com/*If you are using any Custom Phishing Domain (add link), don't forget to add them too to this list to avoid URL rewriting.
Press Enter after adding each domain.
Save and Apply Changes
Click Save to confirm your changes and click Done to exit the settings menu.
Final Notes
Excluding phishing simulation URLs from Safe Links does not affect real-world phishing protection.
Be careful not to exclude legitimate phishing threats—only add the URLs provided by Arsen.
If you need assistance, reach out to Arsen Support for guidance on best practices.
Updated on: 24/03/2025
Thank you!