Prevent Microsoft Defender for Office 365 from Rewriting KnowBe4 Phishing Links

The Safe Links feature in Microsoft Defender for Office 365 may rewrite URLs from our Phishing Security Tests (PSTs). You have the option to exclude these URLs from being rewritten.

If you're looking for information about whitelisting in Microsoft Defender for Office, see our How to Use Advanced Delivery Policies in Microsoft Defender for Office article.

Important: If you aren't excluding any other URLs from being rewritten, exempting only KnowBe4's phish links may help your users identify the links as red flags more easily. Without being rewritten, the URLs may be easier to identify as part of a PST.

To exclude our phish links from being rewritten, follow the steps below:

  1. Log in to your KSAT console.
  2. Navigate to the Phishing tab, then select the Domains subtab. This subtab will display a list of our root phish link domains. For more information, see our How to Manage Phish Link Domains article.
    Note: If you don't have access to this subtab, you can contact our support team for a list of phish link domains.
  3. In a separate browser window or tab, log in to the Microsoft 365 Defender portal (
  4. Navigate to Email & collaboration > Policies & rules.
  5. Click Threat policies.
  6. Click Safe Links to be taken to the Safe Links page.
  7. Select the Link Policy that you created. If you don't have a Link Policy, you'll need to create a new policy by clicking the Create button.
  8. Click Edit protection settings. If you're creating a new policy, navigate to the URL & click protection settings step.
  9. Under Do not rewrite the following URLs in email, click Manage URLs.
  10. Click + Add URLs.
  11. Enter the root domains from your KSAT console. To add the URL, press Enter on your keyboard.
    Important: Make sure to add each phishing domain using the *.<rootdomain>/* format. For example, if the root domain is "," you would enter ** into the field.
  12. Once you've entered all of the root domains, click Save.
  13. Click Done.
Note: If phish links are still being rewritten after following the steps above, you may need to disable the Office 365 Apps Safe Links setting. To disable this setting, clear the check box next to On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten.
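
The same exclusion can be scripted through Exchange Online PowerShell. The following is an added example, not KnowBe4's or Microsoft's own script; it assumes the ExchangeOnlineManagement module is installed, and the policy name and root domains shown are constructed placeholders to be replaced with your own values from the Domains subtab.

```powershell
# Added example. Placeholder values: replace with your Safe Links policy name
# and the root phish link domains listed in your KSAT console.
$PolicyName  = 'Example Safe Links Policy'
$RootDomains = @(
    'phish-example-one.test',            # constructed sample
    'https://Phish-Example-Two.test/',   # pasted with scheme and trailing slash
    '*.phish-example-one.test/*'         # already formatted, duplicates the first
)

function ConvertTo-DoNotRewriteEntry {
    param([Parameter(Mandatory)][string]$Domain)
    # Strip scheme, leading wildcard and any path so only the root domain remains.
    $d = $Domain.Trim().ToLowerInvariant() -replace '^[a-z]+://', '' `
                                           -replace '^\*\.', '' `
                                           -replace '/.*$', ''
    # Accept only a plain multi-label hostname, so a typo such as a bare TLD or
    # a stray wildcard cannot become an overly broad exclusion.
    if ($d -notmatch '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$') {
        throw "Not a valid root domain: '$Domain'"
    }
    "*.$d/*"    # the *.<rootdomain>/* format required by step 11
}

$entries = $RootDomains |
    ForEach-Object { ConvertTo-DoNotRewriteEntry $_ } |
    Sort-Object -Unique

Connect-ExchangeOnline
$policy  = Get-SafeLinksPolicy -Identity $PolicyName
$missing = $entries | Where-Object { $policy.DoNotRewriteUrls -notcontains $_ }

if ($missing) {
    # @{Add=...} appends to the list without overwriting existing entries.
    # -WhatIf previews the change; remove it to apply.
    Set-SafeLinksPolicy -Identity $PolicyName -DoNotRewriteUrls @{Add = $missing} -WhatIf
} else {
    Write-Output 'All phish link domains are already excluded from rewriting.'
}

# List the exclusions currently on the policy so they can be reviewed.
(Get-SafeLinksPolicy -Identity $PolicyName).DoNotRewriteUrls
```

Reviewing the final list after each change keeps the exclusions limited to the phish link domains you intended to add.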
