Microsoft Safe Links Decoder
Reveal the original URL behind any Microsoft Safe Link — no clicking required.
Microsoft Safe Links Decoder
⚠️ Safety Tip: If you don’t fully trust the decoded link, you can safely analyze it using our Phishing Scanner Sandbox .
By using this tool, you agree to our Terms & Conditions and Privacy Policy
Microsoft Safe Links — Frequently Asked Questions
1. What are Microsoft Safe Links?▶
Microsoft Safe Links (part of Microsoft Defender for Office 365) rewrite URLs in email and Microsoft 365 apps. At click time, the rewritten link is checked for malicious behavior before the user is allowed through.
2. How do I decode a Microsoft Safe Link?▶
Paste the full Safe Link URL into the decoder above and click Decode. The tool extracts the url= parameter, URL-decodes it, and displays the original destination — without making any outbound connection to the target site.
3. What does safelinks.protection.outlook.com mean?▶
Any URL containing *.safelinks.protection.outlook.com or *.safelinks.office.com is a Microsoft Safe Link. Microsoft rewrites outbound URLs in Outlook and Microsoft 365 to this hostname so it can inspect the destination at click time. The original URL is embedded in the long query string as the url= parameter.
4. Why would I decode a Safe Link?▶
- See the true destination without clicking
- Speed up phishing triage and incident response
- Check reputation in a sandbox or SIEM
- Build allow/deny lists accurately
- Remove tracking parameters for cleaner logs
5. How do I recognize a Safe Link?▶
Look for hostnames like *.safelinks.protection.outlook.com or *.safelinks.office.com containing a long query string with url= — the encoded original link.
6. Is it safe to click decoded links?▶
No. Decoding is read-only. Always open suspicious targets in a sandbox or analysis VM, not on your primary workstation. We have a sandbox phishing checker that safely analyzes links for you.
7. Does decoding bypass Microsoft protection?▶
Partially. Decoding just reveals the url= value — your Safe Links policies still protect users at click time inside Microsoft 365. However, if you follow a decoded link directly in your browser (bypassing the safelinks.protection.outlook.com redirect), that click will not be inspected by Safe Links.
8. What parameters matter in a Safe Link?▶
url= is the original destination (URL-encoded). Others like data=, sdata=, h=, and reserved= are integrity and routing metadata used by Microsoft — they are not needed to decode the link.
9. Can decoding help with false positives?▶
Yes. Decoding lets you confirm the real destination, test direct access in a sandbox, and decide if a policy exception (do-not-rewrite) is justified.
10. Will decoding remove tracking parameters?▶
The decoder can optionally strip marketing/tracking parameters (e.g., UTM tags) for privacy and cleaner analytics — when appropriate.
11. When should I keep Safe Links rewriting enabled?▶
Nearly always. Time-of-click checks catch delayed activations and payload swaps that traditional filters may miss.
12. Can I whitelist trusted domains?▶
Yes, via a do-not-rewrite list in Defender for Office 365. Use it sparingly and review entries regularly.
13. Does this apply to Teams, SharePoint, and OneDrive links?▶
Yes. These services can also produce Safe Links, and the same decoding approach applies.
14. Safe Links vs. Microsoft Defender for Office 365 — what’s the difference?▶
Safe Links is one feature within Microsoft Defender for Office 365 (formerly ATP). Defender for Office 365 also includes Safe Attachments, anti-phishing policies, and threat intelligence. Safe Links specifically handles URL rewriting and time-of-click verification.