A single email click can undo months of compliance work. When I review Microsoft 365 tenants for CMMC Level 2, I often find email protection half-set, poorly scoped, or hard to prove during an assessment.
That is why I treat a CMMC Safe Links baseline and a matching Safe Attachments policy as core controls for any enclave that stores, processes, or transmits CUI. The goal is clear: block bad links, stop risky files, and keep proof that an assessor can verify.
What the baseline has to prove
CMMC Level 2 does not require the product names “Safe Links” or “Safe Attachments.” It does require protection against malicious code, support for system integrity, and records that show controls are active and managed. In Microsoft 365, these Defender for Office 365 features fit that need well, as long as I configure them with intent and not as default leftovers.
I usually cross-check the tenant against Microsoft’s CMMC 2.0 technical reference guide and the broader Microsoft Learn overview of CMMC support. Those references do not hand me a one-click baseline, but they help me map Microsoft controls to the CMMC story I need to tell.

My starting point is scope. I identify every mailbox that handles CUI, every shared mailbox that receives vendor files, and every admin account that could become a phishing target. Then I confirm which Defender for Office 365 features are available in that tenant, because licensing can change the options. After that, I validate the baseline against the enclave’s risk profile. A research team, a manufacturing shop, and a small contractor all use email, but they do not all need the same exceptions or response path.
I also want the control to be assessor-ready on day one. That means policy screenshots, exported settings, admin audit logs, change records, and a short written statement that explains who owns the policies and how often they are reviewed. If I cannot show that package quickly, I assume the control is not ready.
Safe Links baseline recommendations in Defender for Office 365
Safe Links matters because phishing rarely arrives with an obvious warning label. Attackers hide behind shortened URLs, trusted cloud services, or newly compromised sites. A strong Safe Links baseline checks the destination when the user clicks, which is often the only moment that matters.
For most Level 2 environments, I start with a policy that covers every user and shared mailbox inside the enclave. Then I add a second, tighter policy for admins, executives, finance staff, and anyone who approves payments or handles external file exchange. Preset protections can help at the start, but I still document every custom change.
This is the baseline I recommend as a starting point:
| Setting | Baseline recommendation | Why it matters | Evidence to keep |
| --- | --- | --- | --- |
| Policy scope | Apply to all enclave users, shared mailboxes, and privileged accounts | Stops obvious coverage gaps | Policy assignment screenshot, group membership export |
| Safe Links for email | Enabled | Rewrites and checks links at click time | Policy screenshot |
| User click-through | Disabled for blocked links | Users cannot bypass the control | Policy screenshot, help desk article |
| Internal email coverage | Enabled for in-scope users | Compromised internal accounts can still phish users | Policy screenshot, test result |
| Click tracking and reporting | Enabled | Builds an audit trail for review and incident response | Alert sample, Defender report export |
| URL exclusions | Keep minimal and time-bound | Reduces blind spots | Exception log, approval record |
The biggest mistake I see is allowing click-through after a warning page. That turns a blocking control into a suggestion.
If users can open the original URL after a block page, the control is advisory, not protective.
I also keep exclusions rare. If a business app breaks because of URL rewriting, I document the affected service, the compensating control, the approver, and the expiration date. That matters during a CMMC review, because exceptions without owners tend to live forever.
If the tenant uses Office apps or Teams inside the same boundary, I extend Safe Links there too, but only after I confirm feature support and licensing. That is where a CMMC Safe Links baseline becomes a real baseline, not a narrow email-only patch.
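Here is what the two-tier Safe Links baseline above looks like when it is built with Exchange Online PowerShell instead of clicked together in the portal. This is an added example, not code from the post or from Microsoft; the group addresses, policy names, owner text, and the single excluded URL are placeholders I made up for the illustration, and Teams and Office coverage assumes the tenant is licensed for them.

```powershell
# Added example (not from the post): builds the broad enclave policy and the tighter
# privileged-tier policy with the baseline settings from the table. Group addresses,
# policy names and the excluded URL are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; needs a Security Administrator role

$enclaveGroup    = "CUI-Enclave-Mailboxes@contoso.example"   # placeholder mail-enabled group
$privilegedGroup = "CUI-Privileged-Users@contoso.example"    # placeholder: admins, execs, finance

# One settings block so both tiers stay identical except for scope and exclusions
$baseline = @{
    EnableSafeLinksForEmail  = $true    # rewrite and check links in mail at click time
    EnableSafeLinksForTeams  = $true    # extend to Teams (licensing permitting)
    EnableSafeLinksForOffice = $true    # extend to Office apps
    ScanUrls                 = $true    # real-time URL scan at click
    DeliverMessageAfterScan  = $true    # hold delivery until the scan finishes
    EnableForInternalSenders = $true    # a compromised internal account is still covered
    TrackClicks              = $true    # keep the click audit trail
    AllowClickThrough        = $false   # no bypass of the block page
    DisableUrlRewrite        = $false   # keep rewriting so older clients are protected too
}

# Tier 1: every enclave user and shared mailbox
New-SafeLinksPolicy -Name "CUI Safe Links - Enclave" @baseline `
    -AdminDisplayName "CMMC L2 baseline; owner: Security Lead; reviewed quarterly"
New-SafeLinksRule -Name "CUI Safe Links - Enclave" `
    -SafeLinksPolicy "CUI Safe Links - Enclave" `
    -SentToMemberOf $enclaveGroup -Priority 1

# Tier 2: privileged users. Same settings, no exclusions, and priority 0 so it wins
# when someone is a member of both groups (lower number = higher priority).
New-SafeLinksPolicy -Name "CUI Safe Links - Privileged" @baseline `
    -AdminDisplayName "CMMC L2 privileged tier; no URL exclusions permitted"
New-SafeLinksRule -Name "CUI Safe Links - Privileged" `
    -SafeLinksPolicy "CUI Safe Links - Privileged" `
    -SentToMemberOf $privilegedGroup -Priority 0

# The only exclusion lives on the broad policy. The expiry and approver go in the
# exception register; the placeholder app URL below is invented for the example.
Set-SafeLinksPolicy -Identity "CUI Safe Links - Enclave" `
    -DoNotRewriteUrls @("https://app.vendor.example/*")

# Quick read-back for the evidence folder: the columns an assessor asks about first
Get-SafeLinksPolicy | Where-Object Name -like "CUI Safe Links*" |
    Format-Table Name, AllowClickThrough, EnableForInternalSenders, TrackClicks,
                 EnableSafeLinksForTeams, EnableSafeLinksForOffice, DoNotRewriteUrls -AutoSize
```

The splatted `$baseline` table is the point of the script: both policies are provably built from one set of values, so the only differences an assessor will find between them are the recipient group, the priority, and the exclusion list.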
Safe Attachments settings that hold up under review
Safe Attachments deals with a different problem. Links lure users away, while files bring the threat inside. One bad attachment can plant malware, steal tokens, or open a path to CUI. Because of that, I treat Safe Attachments as a control that protects both users and the systems behind them.
For most CUI mailboxes, I prefer Dynamic Delivery as the default action. It lets the message body arrive while the attachment stays unavailable until scanning is complete. Users can read the note, but they cannot open the file until Microsoft finishes the check. That usually balances risk reduction and mail flow better than a loose monitor-only posture.
I move to Block for higher-risk groups, sensitive workflows, or tenants with a history of malware attempts. The right answer depends on the enclave, the volume of external attachments, and how quickly the support team can handle quarantine events. That is why I validate the baseline against the tenant’s risk profile instead of copying a template.
A workable Safe Attachments baseline usually includes these choices in practice. The policy covers all mailboxes in scope, including shared addresses that receive bids, contracts, or supplier documents. Quarantine handling has a named owner. Review steps are written down. Most importantly, collaboration workloads such as SharePoint, OneDrive, and Teams get the same treatment if they sit inside the same protected boundary and the licensing supports it.
One more point matters during CMMC preparation. Password-protected archives and encrypted files can limit inspection. I do not ignore that gap. I document a separate process for those files, such as approved secure transfer methods, manual review, or a trusted sender workflow with extra validation. That exception handling often matters as much as the policy itself.
I also keep proof that the control works. Controlled tests, screenshots of blocked files, quarantine records, and change tickets all help. If I can show a clean history of detections, reviews, and policy updates, the control is easier to defend.
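The Safe Attachments side of the baseline, again as Exchange Online PowerShell. This is an added example and not the post's own script; the group addresses and policy names are placeholders, the quarantine policy name is the built-in admin-only one, and the SharePoint, OneDrive, and Teams switch assumes those workloads sit inside the boundary and the licensing covers them.

```powershell
# Added example (not from the post): Dynamic Delivery for the enclave, Block for the
# high-risk tier, and the collaboration-workload extension. Names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$enclaveGroup  = "CUI-Enclave-Mailboxes@contoso.example"    # placeholder group
$highRiskGroup = "CUI-High-Risk-Workflows@contoso.example"  # placeholder group

# Default tier: the body is delivered, the attachment is withheld until detonation
# finishes. Detected files land in a quarantine that only admins can release from.
New-SafeAttachmentPolicy -Name "CUI Safe Attachments - Enclave" `
    -Enable $true `
    -Action DynamicDelivery `
    -QuarantineTag AdminOnlyAccessPolicy `
    -AdminDisplayName "CMMC L2 baseline; quarantine owner: Help Desk Lead"
New-SafeAttachmentRule -Name "CUI Safe Attachments - Enclave" `
    -SafeAttachmentPolicy "CUI Safe Attachments - Enclave" `
    -SentToMemberOf $enclaveGroup -Priority 1

# High-risk tier: Block. Flagged messages never reach the mailbox at all, so the
# support team needs a written quarantine review step before this goes live.
New-SafeAttachmentPolicy -Name "CUI Safe Attachments - High Risk" `
    -Enable $true `
    -Action Block `
    -QuarantineTag AdminOnlyAccessPolicy `
    -AdminDisplayName "CMMC L2 high-risk tier; quarantine owner: Help Desk Lead"
New-SafeAttachmentRule -Name "CUI Safe Attachments - High Risk" `
    -SafeAttachmentPolicy "CUI Safe Attachments - High Risk" `
    -SentToMemberOf $highRiskGroup -Priority 0

# Collaboration workloads inside the same boundary get the same treatment.
# This is a tenant-wide switch, so it belongs in the change record.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Evidence export for the assessment folder
Get-SafeAttachmentPolicy | Where-Object Name -like "CUI Safe Attachments*" |
    Select-Object Name, Enable, Action, QuarantineTag, AdminDisplayName |
    Export-Csv -Path .\SafeAttachments-Policies.csv -NoTypeInformation
```

Note that nothing here scans inside a password-protected archive; that gap stays with the documented manual process, which is why the policy export alone is not the whole evidence package.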
The evidence package assessors and clients want to see
A solid baseline protects users, but a documented baseline protects the assessment. I like a small evidence folder that any compliance lead, internal auditor, or MSP manager can open without a scavenger hunt.
I usually keep these artifacts together:
- Screenshots of Safe Links and Safe Attachments policies, including scope and action settings.
- Exports or reports that show policy names, priorities, and assigned groups.
- Audit logs that show who changed a setting, when it changed, and why.
- Change records with approval, testing notes, and rollback details.
- An exception register with owner, reason, compensating control, and expiration date.
- Samples of detections, quarantine actions, or incident tickets tied to the policy.
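Most of that evidence can be pulled and checked on a schedule rather than screenshotted by hand. The script below is an added example, not something from the post or from Microsoft: it reads the live Safe Links and Safe Attachments configuration, flags every deviation from the baseline recommended above, and drops raw exports plus a 90-day change history into a dated folder. The policy-name prefix, output path, and audit window are my assumptions, and the audit query assumes unified audit logging is enabled in the tenant.

```powershell
# Added example (not from the post): drift check plus evidence export. The "CUI Safe"
# naming prefix, the output folder and the 90-day window are assumptions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$prefix = "CUI Safe"                                          # assumed policy naming convention
$out    = Join-Path $PWD ("Evidence-" + (Get-Date -Format "yyyyMMdd"))
New-Item -ItemType Directory -Path $out -Force | Out-Null

$findings = New-Object System.Collections.Generic.List[string]

# Safe Links: each row of the baseline table becomes one check
foreach ($p in Get-SafeLinksPolicy | Where-Object Name -like "$prefix Links*") {
    if ($p.AllowClickThrough)             { $findings.Add("$($p.Name): click-through is ENABLED") }
    if (-not $p.EnableSafeLinksForEmail)  { $findings.Add("$($p.Name): Safe Links for email is off") }
    if (-not $p.EnableForInternalSenders) { $findings.Add("$($p.Name): internal senders not covered") }
    if (-not $p.TrackClicks)              { $findings.Add("$($p.Name): click tracking is off") }
    if (-not $p.ScanUrls)                 { $findings.Add("$($p.Name): real-time URL scanning is off") }
    if ($p.DoNotRewriteUrls.Count -gt 0) {
        $findings.Add("$($p.Name): $($p.DoNotRewriteUrls.Count) URL exclusion(s); confirm owner and expiry in the register")
    }
}

# Safe Attachments: enabled, and not a monitor-only or allow action
foreach ($p in Get-SafeAttachmentPolicy | Where-Object Name -like "$prefix Attachments*") {
    if (-not $p.Enable) { $findings.Add("$($p.Name): policy is disabled") }
    if ($p.Action -notin @("DynamicDelivery", "Block")) {
        $findings.Add("$($p.Name): action is $($p.Action), not DynamicDelivery or Block")
    }
}

# A policy with no enabled rule protects nobody
foreach ($r in @(Get-SafeLinksRule) + @(Get-SafeAttachmentRule)) {
    if ($r.State -ne "Enabled") { $findings.Add("Rule '$($r.Name)' is $($r.State)") }
}

# Tenant-wide collaboration coverage
if (-not (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB) {
    $findings.Add("Safe Attachments for SharePoint, OneDrive and Teams is off")
}

# Raw exports: policy names, priorities and assigned groups, exactly as configured
Get-SafeLinksPolicy      | Export-Clixml (Join-Path $out "SafeLinksPolicies.xml")
Get-SafeLinksRule        | Export-Clixml (Join-Path $out "SafeLinksRules.xml")
Get-SafeAttachmentPolicy | Export-Clixml (Join-Path $out "SafeAttachmentPolicies.xml")
Get-SafeAttachmentRule   | Export-Clixml (Join-Path $out "SafeAttachmentRules.xml")

# Who changed what in the last 90 days (requires unified audit logging to be on)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -ResultSize 5000 `
    -Operations "New-SafeLinksPolicy", "Set-SafeLinksPolicy", "Remove-SafeLinksPolicy",
                "New-SafeAttachmentPolicy", "Set-SafeAttachmentPolicy", "Remove-SafeAttachmentPolicy",
                "Set-AtpPolicyForO365" |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv (Join-Path $out "PolicyChanges.csv") -NoTypeInformation

$findings | Set-Content (Join-Path $out "Findings.txt")
if ($findings.Count -eq 0) { "No drift from baseline" } else { $findings }
```

Run it before each quarterly review and keep the dated folder: the findings file is the control-status statement, the XML exports are the settings evidence, and the change CSV answers the who, when, and what questions without a separate log search.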
That record set is even more useful in small teams. I see this often in Small Business IT environments that are juggling Cloud Infrastructure, Office 365 Migration, and older Data Center Technology at the same time. Some businesses also need Restaurant POS Support and Kitchen Technology Solutions, which means the same staff may support front-of-house devices and back-office email. In that setting, Cybersecurity Services cannot stop at filtering spam. I tie email controls to Endpoint Security, Device Hardening, Cloud Management, and Business Continuity & Security so the security story stays consistent.
That is also where a true Business Technology Partner earns trust. Good Technology Consulting links email controls to Infrastructure Optimization, Secure Cloud Architecture, and Tailored Technology Services that fit the client, not a canned template. For teams pushing Digital Transformation, looking for Innovative IT Solutions, or buying Managed IT for Small Business, I keep the focus on clear policy ownership and a simple IT Strategy for SMBs. If the team cannot support the control after go-live, the baseline will drift.
When I need current mapping language from Microsoft, I also review the September 2024 Microsoft CMMC Level 2 preview guide. It helps me align evidence language with the platform that is actually in the tenant today.
Conclusion
I do not treat Safe Links and Safe Attachments as optional add-ons in a Level 2 environment. They are practical controls that reduce phishing and malware risk while giving me the proof an assessor expects to see.
The best baseline is not the most complicated one. It is the one that covers the full enclave, matches the tenant’s licensing and risk profile, and leaves behind clean evidence: screenshots, policies, change records, and exceptions with owners. When that work is in place, email stops being the weakest door into CUI.