The University protects your Pitt email with two layers of automated security: Exchange Online Protection (the baseline included with every Microsoft 365 mailbox) and Microsoft Defender for Office 365 (an additional layer designed to catch advanced phishing, zero-day malware, and business email compromise). Together they evaluate every inbound message for impersonation and phishing indicators, re-check links at the moment you select them, detonate attachments in an isolated sandbox, and continue scanning for threats even after a message has been delivered. This article explains how each layer works, what you may notice in your mail, and what to do if a legitimate message gets caught.
How Pitt Protects Your Email
No single technology is sufficient to secure email — Pitt relies on a layered approach so that a threat which slips past one control is caught by the next. The two layers that operate on every Pitt inbox are summarized below.
Pitt's two layers of automated email protection, what each catches, and how it operates
| Layer | What It Catches | How It Operates |
| --- | --- | --- |
| Exchange Online Protection | Known spam, mass-distributed malware, and bulk phishing campaigns with established signatures | Signature-based and reputation-based filtering at the mail gateway, before delivery |
| Defender for Office 365 | Targeted phishing, impersonation and business email compromise, zero-day malware, and sophisticated attacks customized for the University | Machine-learning models, impersonation analysis, time-of-click URL evaluation (Safe Links), sandbox detonation (Safe Attachments), and post-delivery threat removal (ZAP) |
Why a second layer is needed.
Signature-based filtering is effective against threats that have been seen before. Targeted attacks — including the sophisticated, multi-stage intrusions sometimes called advanced persistent threats — are designed to evade signatures. Defender for Office 365 evaluates behavior, context, sender history, and the destination of every link, which is what makes the second layer worth having.
For details on the baseline filter, see Enterprise Spam and Virus Filter service.
Anti-Phishing and Impersonation Protection
The first thing Defender for Office 365 does to every inbound message is evaluate it against multiple machine-learning models trained to recognize phishing — well before any link or attachment is inspected. These models look for patterns that pure signature filtering cannot detect.
Anti-phishing checks Defender for Office 365 performs on every inbound message
| Check | What It Looks For |
| --- | --- |
| User impersonation | Messages whose display name resembles a protected person at Pitt (a senior leader, for example) but whose actual sender address does not match. A common business email compromise tactic. |
| Domain impersonation | Sender domains that look like pitt.edu at a glance but are not — visually similar lookalikes, character substitutions, and freshly registered domains designed to be mistaken for legitimate ones. |
| Spoof detection | Senders that fail SPF, DKIM, or DMARC alignment checks — modern email authentication standards that Defender uses to confirm a message actually originated from the domain it claims. |
| Mailbox intelligence | Whether you typically correspond with this sender. A message from a brand-new sender carrying urgent or financial requests is treated with more suspicion than one from a frequent correspondent. |
When Defender's confidence is high, the message is quarantined or blocked outright. When the signals are mixed — strong enough to be suspicious but not strong enough to block — Defender delivers the message with an inline safety tip at the top.
Safety tips you may see in Outlook.
A yellow or red banner above a message — "This sender failed authentication checks," "You don't usually get email from this sender," or "This sender appears to be similar to someone you communicate with" — is Defender flagging something worth a second look. Don't dismiss these tips out of habit. They are most often correct, especially on messages that ask you to take an unusual action (wire a payment, change a direct deposit, buy gift cards, share credentials).
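To make the user- and domain-impersonation checks concrete, here is a simplified rule-based sketch. It is an added example, not Defender's models and not part of the original article; the protected name, all addresses, the substitution table and the distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "pitt.edu"
# Hypothetical protected display name mapped to its real address (constructed).
PROTECTED = {"jordan example": "jexample@pitt.edu"}
# A few visual substitutions folded before comparison (illustrative, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Fold look-alike characters so near-identical domains compare as close."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def check_from(header_value: str) -> list:
    """Return impersonation findings for one From: header value."""
    name, addr = parseaddr(header_value)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # User impersonation: protected display name, but not that person's address.
    expected = PROTECTED.get(" ".join(name.lower().split()))
    if expected and addr != expected:
        findings.append("user-impersonation")
    # Domain impersonation: not the trusted domain, yet within one edit of it.
    if domain != TRUSTED_DOMAIN and not domain.endswith("." + TRUSTED_DOMAIN):
        registered = ".".join(domain.split(".")[-2:])
        if edit_distance(skeleton(registered), TRUSTED_DOMAIN) <= 1:
            findings.append("domain-impersonation")
    return findings


if __name__ == "__main__":
    print(check_from("Help Desk <helpdesk@p1tt.edu>"))
```

The sketch only compares the last two labels of the sender domain, so it does not cover lookalikes built from longer hostnames.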
Safe Links
Safe Links provides time-of-click protection: the destination of every link in your mail is re-checked at the moment you select it, not just when the message arrived. This matters because a link that was clean at delivery can be weaponized hours or days later — a tactic attackers use specifically to evade pre-delivery scanning.
What You Will See
Links in your mail are rewritten so they begin with a Microsoft-hosted prefix, typically https://nam01.safelinks.protection.outlook.com (the regional code may vary — nam11, nam12, and similar are all legitimate). When you hover over a rewritten link in Outlook, the original destination is shown beneath it.

When you select a rewritten link, one of three things happens:
- The destination is safe. The original page opens in your browser. You may briefly see a Microsoft verification page during the check.
- The destination has been flagged as malicious. A full-page warning appears in your browser, identifying the URL as harmful and recommending you do not proceed.
- The destination is still being evaluated. You see a short progress page; if the analysis confirms the link is harmful, the warning appears.

Where Safe Links Operates
Safe Links protection is not limited to your Outlook inbox. It also evaluates links in:
- Microsoft Teams chats and channels — the same time-of-click scanning runs when you select a link sent over Teams.
- Office documents — Word, Excel, PowerPoint, and OneNote check links inside documents at the moment you select them, both on the desktop and on the web, when you are signed in with your Pitt account.
Plain-text email and forwarded messages.
When Safe Links rewrites a link in a plain-text message, the full rewritten URL appears in the body of the message instead of being hidden under display text. This can look like several lines of unreadable characters — it is expected and does not indicate a problem with the sender.
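A rewritten link can be unwrapped to show where it leads, which helps when reading the long URLs in plain-text mail. The following is an added example, not part of the original article or Microsoft's code; it assumes the original destination is carried percent-encoded in the `url` query parameter, and the sample link is constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Suffix every genuine rewritten link's host must end with (regional label first).
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed sample link; the data value is a placeholder, not real link data.
SAMPLE = ("https://nam01.safelinks.protection.outlook.com/"
          "?url=https%3A%2F%2Fwww.example.org%2Fpath%3Fid%3D7"
          "&data=PLACEHOLDER&reserved=0")


def unwrap_safelink(link: str) -> Optional[str]:
    """Return the original destination, or None if this is not a Safe Links URL."""
    parts = urlsplit(link.strip())
    host = (parts.hostname or "").lower()
    # Compare the parsed hostname, not the raw string: this rejects hosts that
    # merely contain the Microsoft name (extra suffix, or name placed in userinfo).
    if parts.scheme != "https" or not host.endswith(SAFELINKS_SUFFIX):
        return None
    region = host[: -len(SAFELINKS_SUFFIX)]
    if not region.isalnum():  # exactly one label such as nam01 or nam11
        return None
    # Assumption: the destination travels percent-encoded in the "url" parameter.
    targets = parse_qs(parts.query).get("url", [])
    return targets[0] if len(targets) == 1 else None


def unwrap_body(text: str) -> str:
    """Replace each genuine Safe Links URL in a plain-text body with its target."""
    return re.sub(r"https://[^\s<>\"]+",
                  lambda m: unwrap_safelink(m.group(0)) or m.group(0), text)


if __name__ == "__main__":
    print(unwrap_safelink(SAMPLE))
```

Unwrapping only reveals the destination for review; opening the unwrapped URL directly skips the time-of-click check.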
Safe Attachments
Safe Attachments protects against harmful files that signature-based antivirus cannot yet identify — the zero-day attachments that arrive before a malware signature exists. Each attachment is opened in an isolated virtual environment (a process Microsoft calls detonation) and its behavior is analyzed: what processes it starts, what files it touches, what network connections it attempts. The verdict drives delivery.
- Safe attachment: The message is delivered with the attachment intact.
- Harmful attachment: The message is blocked. Neither the attachment nor the surrounding message text is delivered to the recipient.
Expect a small delivery delay.
Sandbox analysis takes time — typically a few minutes per attachment on first inspection. If a colleague tells you they sent something and you haven't seen it yet, give it a few minutes before troubleshooting. An attachment that has already been analyzed and cleared once will not be re-detonated when it appears again, so subsequent deliveries are not delayed.
Beyond Email Attachments
The same sandbox protection extends to files shared through SharePoint, OneDrive, and Microsoft Teams. When a file in a Pitt SharePoint site, OneDrive library, or Teams channel is identified as malicious, Defender blocks the file and visually marks it so you do not accidentally open it. This means a file uploaded to OneDrive to bypass email scanning is still subject to scanning at the storage layer.
Zero-Hour Auto Purge (ZAP)
Defender's scanning does not stop at delivery. If a message is determined to be malicious or to contain a malicious link after it has already landed in inboxes — which happens when threat intelligence catches up to a new campaign — Defender automatically removes the message from every affected inbox across the University. This is called Zero-hour Auto Purge, or ZAP.
You may notice a message disappear.
If a message you remember seeing is no longer in your inbox a few hours later, ZAP is the most likely cause. The message has been moved to your Junk Email or Quarantine folder because it was retroactively flagged as phishing or malware. This is by design and protects you from acting on a message that was clean at delivery but became known-malicious afterward.
When Legitimate Mail Is Flagged
Defender for Office 365 uses machine-learning models, heuristics, impersonation analysis, and reputation signals in addition to signatures. The trade-off for that broader coverage is that occasional false positives occur — legitimate messages can be flagged as phishing or malware and either quarantined, removed by ZAP, or blocked outright. This is expected behavior for any modern email security stack, not a malfunction.
If you believe a legitimate message did not arrive, contact the Technology Help Desk. To investigate the message in the quarantine and message-trace tools, the Help Desk needs all four of the following details:
✉ Information to Include When Reporting a Missing Message
Without these four data points, the Help Desk cannot trace the message in Microsoft's logs or release it from quarantine.
1. Sender email address. The exact address the message was sent from, including the domain.
2. Recipient email address. The Pitt address the message was sent to (your address, or the distribution list, or the shared mailbox).
3. Date the message was sent. Approximate is acceptable, but a specific date narrows the search considerably.
4. Subject of the missing message. Exact subject line if you know it; otherwise a close paraphrase from the sender.
Note: If the sender received a non-delivery report (NDR), forward it along with your request — it contains diagnostic data that further narrows the search.
Reporting Phishing You Receive
No automated system catches everything. If a suspicious message reaches your inbox, report it — your reports help train the filters and protect colleagues who may receive the same campaign. Pitt supports three reporting methods, listed below in order of preference. Use the highest-ranked method available to you. See Phishing Emails: Don't Take the "Bait" for additional guidance on recognizing phishing.
✓ PREFERRED: KnowBe4 Phish Alert Button (PAB)
The PAB is the fastest and most reliable way to report a suspicious message. It is available in Outlook on Windows, Mac, the web, and mobile. Selecting it once reports the message directly to Pitt Digital Security, removes it from your inbox, and preserves the full message metadata needed for investigation. For step-by-step instructions, see Reporting Phishing Emails Using KnowBe4's Hybrid Phish Alert Button.

ALTERNATIVE: Microsoft's built-in Report button in Outlook
If the PAB is not available, use the built-in Report button on the Outlook ribbon (or in the three-dot menu on a message) and select Report Phishing. The button's exact location varies by Outlook version — see Microsoft's documentation on reporting phishing in Outlook.

LAST RESORT: Forward as an attachment to phish@pitt.edu
If neither of the above is available — for example, if you are not using Outlook — forward the suspicious message as an attachment to phish@pitt.edu. Forwarding as an attachment is what preserves the original headers and metadata Pitt Digital Security needs to investigate. Do not use this address for spam reports or general questions.

Do not use a standard forward.
A standard forward of a suspected phishing message to phish@pitt.edu strips the headers needed for investigation and may trigger automated security actions on your account. Always report through the PAB or the Outlook Report button when possible, and forward only as an attachment when neither is available.
If you already selected a link or opened an attachment from a suspected phishing message, contact the Technology Help Desk immediately at 412-624-HELP (4357) and ask for Pitt Digital Security. Early reporting is what makes containment possible — report first, then run any cleanup steps the analyst recommends.
Frequently Asked Questions
Does Safe Links evaluate every link in every message?
Yes — Safe Links scans links in messages from both external and internal senders. It also scans links inside Office documents that arrive as attachments and links shared in Microsoft Teams chats and channels, when you are signed in with your Pitt account.
If I send the same attachment again, will Safe Attachments analyze it a second time?
No. Safe Attachments analyzes a given file only on first encounter. When the same file appears in subsequent messages, the prior verdict is reused and delivery is not delayed.
I need a recipient to view a file immediately and can't wait for sandbox analysis. What can I do?
Upload the file to OneDrive for Business and share a link. OneDrive sharing avoids the email-attachment sandbox delay and gives the recipient access immediately, while still keeping the file within Pitt's tenant. Note that files stored in OneDrive and SharePoint are themselves scanned by Defender for Office 365's protection for SharePoint, OneDrive, and Teams — so the file is still protected, just on a different timeline than an email attachment.
Why does the link in my mail look so long and unreadable?
That is the Safe Links rewritten form. Rewriting is what enables time-of-click protection — the link routes through Microsoft's scanning service so the destination can be re-checked at the moment you select it. In HTML mail (the typical case), the rewritten URL is hidden behind the original display text; in plain-text mail, the full rewritten URL appears in the body.
A message disappeared from my inbox a few hours after I received it. Was it deleted?
Most likely yes, by Zero-hour Auto Purge (ZAP). When threat intelligence retroactively identifies a delivered message as phishing or malware, Defender moves it to Junk Email or Quarantine automatically. Check those folders if you can no longer find a specific message. If you believe ZAP removed a legitimate message, contact the Help Desk with the four data points listed above.
Does this mean Microsoft is reading my email?
No. URLs and attachments are processed by automated scanning systems that look for malicious indicators. The content of your messages is not read by people, and the scanning is performed within Microsoft's commercial cloud under Pitt's tenant agreement. Safe Attachments analysis takes place in the same region where Pitt's Microsoft 365 data resides.
Key Contacts
- Technology Help Desk: 412-624-HELP (4357). Missing messages, quarantine release, Safe Links and Safe Attachments questions.
- Pitt Digital Security: via Help Desk. Suspected phishing, compromised account, link or attachment opened in error.