Microsoft Defender for Office 365 Safe Links Bypass

In my previous blog post, I mentioned that you need to send a URL shortener link, rather than the Azure Function URL itself, to a mailbox to identify Microsoft Defender for Office 365 Safe Links. The reason is that the direct Function App URL bypasses Microsoft Defender for Office 365 Safe Links active scanning. This blog post briefly explains how that bypass works and how an attacker can use it to their advantage.

As a reminder, here is the flow used to identify Microsoft Defender for Office 365 Safe Links.

Image 1: Flow to detect Microsoft Defender for Office 365 Safe Links

To my surprise, when the Function App URL is sent, Microsoft Defender for Office 365 Safe Links does not actively scan it. So I wondered: what if I create a URL forwarder with the Function App that redirects the user to a malicious website? Does that “bypass” Microsoft Defender for Office 365 Safe Links active scanning?

After some testing, I was surprised to find that Microsoft Defender for Office 365 Safe Links does not actively scan the URL. Here is the code for the forwarder, an Azure Function App:

#r "Newtonsoft.Json"

using Microsoft.AspNetCore.Mvc;

// Every request to the Function App URL is answered with a permanent (301)
// redirect to the destination; the e-mail itself only carries the Function App link.
public static IActionResult Run(HttpRequest req, ILogger log)
{
    return new RedirectResult("https://malicious.com", true);
}

So sending the Function App URL in a phishing e-mail redirects the user to the malicious website and bypasses Microsoft Defender for Office 365 Safe Links active scanning.
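Where Safe Links' active scan stops at the Function App link, a defender-side mail-flow check can walk the redirect chain itself and evaluate the final landing URL instead of the intermediate host. The following is an added example written for this post, not code from the original article or from Microsoft; the `.azurewebsites.net` suffix (Azure's default Function App domain) and the placeholder hostnames are assumptions, and `fake_fetch` stands in for the network with constructed responses.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5                          # bound the walk so a redirect loop cannot hang the scanner
REDIRECTS = {301, 302, 303, 307, 308}
FUNCTION_APP_SUFFIXES = (".azurewebsites.net",)   # assumption: Azure's default Function App domain

def is_function_app_host(url):
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(FUNCTION_APP_SUFFIXES)

def resolve_chain(url, fetch, max_hops=MAX_HOPS):
    """Walk redirects by hand. fetch(url) -> (status, Location or None) and must not follow them.
    Returns the hops, the final landing URL (None on loop/cap) and whether a Function App was in the chain."""
    hops, seen, current, via_function_app = [], set(), url, False
    for _ in range(max_hops):
        if current in seen:                                  # redirect loop
            break
        seen.add(current)
        via_function_app |= is_function_app_host(current)
        status, location = fetch(current)
        hops.append((current, status, location))
        if status in REDIRECTS and location:
            current = urljoin(current, location)             # Location may be relative
            continue
        return {"hops": hops, "final_url": current, "via_function_app": via_function_app}
    return {"hops": hops, "final_url": None, "via_function_app": via_function_app}

def http_fetch(url):
    """Live fetcher: one HEAD request; the redirect is reported, not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    try:
        resp = urllib.request.build_opener(NoRedirect).open(
            urllib.request.Request(url, method="HEAD"), timeout=10)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:                    # a 3xx surfaces here when not followed
        return err.code, err.headers.get("Location")

# Constructed responses so the example runs offline; hostnames are placeholders.
FAKE = {
    "https://forwarder-placeholder.azurewebsites.net/api/go": (301, "https://malicious.com"),
    "https://malicious.com": (200, None),
}

def fake_fetch(url):
    return FAKE.get(url, (404, None))
```

Feed `resolve_chain(link, http_fetch)` the links extracted from inbound mail and run reputation checks on `final_url`; a chain that passes through a Function App host is itself a useful signal, since there is little reason for a legitimate newsletter link to bounce through one.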

Conclusion

Microsoft Defender for Office 365 is a product that is hard to bypass, mainly because it can be a black box. Even when this bypass is used, layered security such as enabling SmartScreen should still stop the user from visiting the malicious website, so layered security is always a good idea.