The Problem With Microsoft's Safelinks

The Problem With Microsoft's Safelinks

Free stuff can be pretty cool... except if it comes from Christmas crackers, cereal boxes, or, in this case, Microsoft. For a rather long time I've been using an outlook.com email address (it's hosted on Microsoft Exchange so you get the features of Exchange for free). It's served me very well and a while back I came across Outlook Premium. It used to be a standalone thing that I couldn't realistic see anyone paying for. I'm guessing Microsoft realised the same because they have recently rolled it into their Office 365 subscriptions (okay, not exactly free but no extra cost).

So, yay? Now I've got no ads when accessing the webmail outlook.com, "Premium customer support", and "Advanced protection against phishing and malware". Ads were never a problem because I use the Outlook desktop and phone apps (same would apply to thunderbird and other email clients) or alternatively you could use an ad blocker (ethics debate aside). I've never had to contact their customer support for my email (so don't see how "Premium" makes a difference) - well, not until now.

In case you've never met me or haven't read any of my other posts I'm quite a fan of security. So you'd think the "Advanced protection against phishing and malware" feature would appeal to me. Unfortunately, in this case I couldn't be any less of a fan. According to Microsoft's help article on these security features the "Advanced protection" (known as ATP or Advanced Threat Protection in Microsoft's enterprise language) provides the following features:

Attachments: When you receive messages with attachments, Outlook.com scans the attachments for viruses and malware using advanced detection techniques that provide a higher level of protection than the free version of Outlook.com. If Outlook.com detects a dangerous file, it will be removed so you don’t accidentally open it.

Links: When you receive messages with links to web pages, Outlook.com checks whether the links are related to phishing scams or are likely to download viruses or malware onto your computer. If you click a link that is suspicious, you will be redirected to a warning page like the one below.

The attachment side of things seems okay to me and as far as the end user can tell it functions the same as any other attachment scanner. It's the so called safe links side of things that really annoys me. They basically replace EVERY link in your emails with: https://<regionid>.safelinks.protection.outlook.com then a couple hundred characters other information. It results in plain text emails going from this:

Hi Owen!

Check out https://owennelson.co.uk!

Regards,

Owen

To this:

safelinksdemo-1

Now, how lovely, pretty, and easily interpretable is that, eh? Sadly, it's not just the aesthetics I have issue with. I'll start with...

1) Security

Ever given or received advice to look at links before you click them? You'd normally do this by hovering over it and looking at the actual link (emails using the HTML format (the same format as websites) can have the link text display something different than the link itself. Useful for instances such as "click here" text or owennelson.co.uk where for aesthetics you don't want the entire link showing.

Malicious emails often use this to show, say, a bank such as hsbc.co.uk when it actually goes to something like a phishing page - which is why you should always check. Wait a second... if Microsoft is replacing all the links, how am I going to do this now? Checking the actual link shows this:

safelinksdemohovertext

So that's all the "check the link" training gone out the window and even better, now we have to trust that Microsoft gets it right. Let's hope they didn't miss a malicious site or block a legitimate one. Yes, it's still possible to get an idea of what the link is going to do. Problem is, I spend a LOT of time parsing through complicated log files and I find these safe links difficult and time consuming to check - there's no way someone like one of my grandparents is going to... Well, let's be honest, virtually no one is going to.

2) Privacy

As you may or may not know, any request to a website (including things like images) can be and usually is logged. By rewriting every link Microsoft is allowing themselves to gain vast insights into what people are doing. On their ATP product page, they have the following statement:

Get rich reporting and track links in messages
Gain critical insights into who is being targeted in your organization and the category of attacks you are facing. Reporting and message trace allow you to investigate messages that have been blocked due to unknown viruses or malware, while URL trace capability allows you to track individual malicious links in the messages that have been clicked.

This statement is accompanied with the following image:

Image_RichReporting_713x325

Yes, that's right. Exchange server (Microsoft's email server) administrators, in this case Microsoft, can view who clicked what link and when. Previously, from a technical standpoint they could access your emails and see if you've read them but not what links you've clicked but now they can. (Even if you trust Microsoft, imagine a data breach that shows you clicked on 100 links in various "medicinal" emails - Yes, an unlikely but now possible scenario).

3) "Link rot"

There's a problem with storing links in any format, the website can change or vanish but the link won't. If Microsoft decide to stop redirecting the links after X number of days or all together, change the pattern they use, or anything else like this then your emails will all contain broken links. Needless to say, that could well be a massive problem. You'd also have no way to revert them to their original form.

If you're anything like me or pretty much any other email account owner then you use your emails for record keeping/archiving. Imagine looking back some time in the near or distant future only to find that none of the links work. I think the word "nightmare" would be a jolly good non-offensive choice of word to use here.

4) Usability

So you've got the ugliness of these links in your mailbox to contend with but what happens when you reply to an email or forward it? You guessed it, the links stay as safe links (coincidentally, anyone who clicks them will be recorded as you clicking them, it just keeps getting better, doesn't it?).

I've had a problem the past few days where if I reply to any emails from any of the mailing lists I'm subscribed to then I'll be converting everything to safe links. Permanently leaving them that way for anyone else replying to the chain. It's ugly, difficult to decipher and frankly, annoying. It's made even worse by the fact that these lists are usually plain text. Also, there's the problem of finding a link you know is in an email: "Ah, yes, there's a link to that in this email somewhere, I'll just go find it, it was owennelson.co.uk/ something... Oh wait. I can't see what each goes to."

Something else that's worth mentioning is those people who have ridiculously complicated email signatures... They will suddenly become a lot more ridiculous - same for any link bearing plain text emails.

What about if you want to copy a link from an email into a word document, website, or somewhere else? You right click it, copy and... Oh, you've copied the safe link. I've seen several cases where this has been done on forums (side note: it also discloses their email address as it's part of the URL).

5) It's futile

I could keep complaining about this for quite a while yet (sorry). If an email is digitally signed then Microsoft can't alter it without destroying the message's integrity so they leave them alone (digitally signed phishing/spam emails anyone?).

Even if people do still check links (despite this safe links thing effectively training them not to) then how long will it be before there's phishing emails using complicated URLs that mimic the look of a safe link?

On the upside, if this gets bad enough then maybe people move away from email favouring some other messaging system effectively solving the email's phishing/spam problem. Jolly good, eh?

What can I do about it?

Yesterday, after putting up with these links for a couple of weeks I decided to see if I could do something about it. I thought about it for a second before realising that it probably had something to do with the Outlook Premium nonsense and went to check. This was when I discovered that it was now active on my account as I use Office 365. Well, seeing as I now have Outlook Premium I better try out this Premium customer support, right?

So, I navigated to the help section on Outlook Web App (Exchange server name for webmail). Interestingly, I couldn't fine anyway to actually send a message on the beta version though admittedly, I didn't look for too long.

outlookowahelp

I sent a very quick and simple message:

Hi,

I really dislike the safe links feature that has been enabled on my account.
Please can it be disabled?

Thanks,
Owen

~15 hours later I received a reply.

outlookreply

I can safely say I'm not all too pleased with this response. Maybe I should have worded my message from a bit more of an IT perspective or even written this article and sent them a link...

To summarise, Outlook.com has enabled these features for everyone with an Office 365 subscription linked to their account with no option to opt out (even by contacting them) which I believe would be very easy to do from a technical standpoint. On the upside, they're "working on it" though I can't see how they can improve the look of the links much whilst still MiTM-ing (Man-in-The-Middle) them.

I'm generally supportive of things Microsoft do even in the cases of the more controversial ones but in this instance, I couldn't be any more against it. I hope Microsoft provide a way to opt-out very soon but for now I'm not sure what I'm going to do.

UPDATE 01/02/2018:

Good news! I had another look at getting this disabled as I hoped Microsoft would have come to their senses now and Microsoft's help page has been updated to include the following:

disableATPMSHA

So I fired off an email to them and received this:

outlookATPReply

Yes, it's a great example of a canned response and I strongly object to the way they're portraying these features. "... these features are on by default and not designed to be turned off." No, they are enabled automatically for people who use Office 365 - AKA it's toggleable. It's the exact same toggleable features businesses can turn on and off with a single button press. Anyway, thankfully I no longer have it enabled on my account.

Short link: on-te.ch/osl

Owen Nelson

Owen Nelson

https://owennelson.co.uk

IT Systems Administrator from Northamptonshire, UK. Always on the lookout for ways to make things faster and more secure - and I enjoy getting through a fair bit of Tea along the way.

View Comments