Magic links don’t work when Outlook “safe links” are enabled

Description

Outlook will rewrite email links to direct them towards https://*.safelinks.protection.outlook.com/ with the original url encoded as a query parameter, when a feature named “safe links” is enabled. In our testing, this appears to break magic links.

Steps to reproduce

Steps to reproduce the behavior:

  1. Create an email account on outlook.com
  2. Register a user with the @outlook.com (or @hotmail.com) email address
  3. Ask for a magic link to be delivered to the outlook email address
  4. Click the link

Additional context

The “safe-links” feature can be turned off (see the last screenshot). If we do, then the magic links work as expected.

We have two hypothesis as to what might be causing this:
a) The passwordless code is somehow distorted as it is URL path encoded and decoded by the safe-links mechanism.
b) The safe-links mechanism makes a GET request to the magic link, thus using the code and making it invalid for future requests.

2 Likes

I can confirm I had the same problem with some customers. I asked them to remove the SafeLink feature while they tried to login to my website but it feel a bit “hacky” to ask customers to remove security features.

1 Like

Yeah - especially when they work for Microsoft!

We’re had to send people from work emails to personal emails in the hope they don’t use Hotmail for personal use

Just created an account to share my solution to this problem when I encountered it. When the user clicks a link in an email, Outlook’s Safe Links accesses the url itself first using a HEAD request to determine if the website can be trusted, before then sending the user’s GET request. Our site uses django behind nginx as a reverse proxy, and uses magic links for new user authentication. The problem was that initial HEAD request caused the token contained in the URL to be checked, thus expiring it. The solution was to redirect any HEAD request to the activation url to the home page instead, or block any request to the activation url if it wasn’t specifically a GET request. We chose redirecting HEAD requests, as this allowed Outlook to verify that our site was safe, without expiring that token.

1 Like