Proofpoint URL Defense (URL rewrite)
- What is URL Defense?
- How does URL Defense work?
- What do rewritten URLs look like?
- Are all URLs sent in email rewritten?
- How long does URL Defense take to scan a website before sending me to the website?
- Do I need to be using a certain device or email client for URL Defense to work?
- What if the malicious actor changes the website after the email is delivered to me?
- What if a website I visited was identified as malicious and blocked by Proofpoint?
What is URL Defense?
Proofpoint is the University's email security gateway, providing additional malware, phishing, spam, and targeted attack protection. One of the security features provided by Proofpoint is called URL Defense. URL Defense works by rewriting URLs (web addresses and links) in emails as they pass through our Proofpoint gateway on their way to your inbox. By rewriting URLs, Proofpoint is able to send all “clicks” of a URL to an isolated sandbox and scan the destination website to ensure it’s safe before you visit.
How does URL Defense work?
Email-based attacks, especially phishing attacks, are often triggered when users click on malicious links (URLs) provided to them in email. Malicious actors often try to imitate the URLs of legitimate websites or hide malicious URLs behind shortened URLs to obfuscate the actual website users will visit upon clicking. The malicious website may closely resemble a login page the user is accustomed to in an attempt to fool even the most vigilant of users into logging in, thereby exposing their credentials and providing the malicious actor with an avenue into the user’s email or other systems. The malicious website may have been developed with the intent to exploit browser or OS vulnerabilities and infect the user’s device with ransomware, cryptojackers, or other malware. Once infected, malware often scans local networks, hunting for other devices vulnerable to infection - sometimes lying dormant on host devices for hours, days, or weeks to prevent detection - before initializing and executing its attack.
This all starts with clicking a link sent via email. URL Defense works by rewriting URLs before they reach your inbox. When a rewritten URL is clicked, URL Defense will open the destination website in a remote sandbox in order to safely scan the website before your visit. If a website is determined to be safe, URL Defense will seamlessly forward you along to the destination website. If the website is determined to be malicious, URL Defense will not send you to the website and will instead display a message to inform you that the site has been blocked and why.
What do rewritten URLs look like?
In the email body text, a rewritten URL will appear no different from when it was sent. However, when hovering over or inspecting URLs, you will notice that rewritten URLs begin with https://urldefense.com/… or https://urldefense.proofpoint.com/… This is normal and is an indication that URL Defense will be used to scan the website before your visit.
Are all URLs sent in email rewritten?
No, the following URLs will not be rewritten:
- URLs sent internally (from @hawaii.edu to @hawaii.edu)
- URLs that link to known-safe domains or websites
- URLs that link to services provided by Proofpoint (proofpoint.com, pphosted.com, urldefense.com, urldefense.proofpoint.com)
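The check below is an added example, not code from Proofpoint or the University: it decides whether a link really is a URL Defense link by parsing the hostname rather than matching the start of the string, and applies the three exceptions listed above. The known_safe parameter, the function names and all sample addresses and links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts the FAQ gives as the start of a rewritten URL.
REWRITE_HOSTS = {"urldefense.com", "urldefense.proofpoint.com"}
# Proofpoint service domains the FAQ lists as never rewritten.
PROOFPOINT_DOMAINS = ("proofpoint.com", "pphosted.com", "urldefense.com")
INTERNAL_MAIL_DOMAIN = "hawaii.edu"


def _scheme_and_host(url):
    """Parse the URL so userinfo and hostname-suffix lookalikes do not match."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return "", ""
    return parts.scheme.lower(), host.lower().rstrip(".")


def _within(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def is_rewritten(url):
    """True only for https links whose host is exactly a URL Defense host."""
    scheme, host = _scheme_and_host(url)
    return scheme == "https" and host in REWRITE_HOSTS


def classify(url, sender, recipient, known_safe=()):
    """Return 'rewritten', 'exempt' (a listed exception) or 'unrewritten'."""
    if is_rewritten(url):
        return "rewritten"
    _, host = _scheme_and_host(url)
    mail_domains = {a.rsplit("@", 1)[-1].lower() for a in (sender, recipient)}
    if mail_domains == {INTERNAL_MAIL_DOMAIN}:
        return "exempt"  # internal mail is not rewritten
    # known_safe is a caller-supplied list; the FAQ does not name those domains
    if any(_within(host, d) for d in (*PROOFPOINT_DOMAINS, *known_safe)):
        return "exempt"
    return "unrewritten"


if __name__ == "__main__":
    # Constructed samples; login.example and vendor.example are placeholders.
    for link in ("https://urldefense.com/abc",
                 "https://urldefense.com.login.example/abc",
                 "https://urldefense.com@login.example/abc"):
        print(link, classify(link, "a@vendor.example", "b@hawaii.edu"))
```

A link reported as unrewritten in external mail is one that will not be scanned when clicked, which includes lookalikes that merely start with the URL Defense hostname.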
How long does URL Defense take to scan a website before sending me to the website?
The process to sandbox and scan the website usually takes no longer than a few moments and the delay is often unnoticeable.
Do I need to be using a certain device or email client for URL Defense to work?
No, URL Defense is device- and network-agnostic. URL Defense will work to protect you whether you are using Google@UH Gmail on the web, a mail client like Outlook or Thunderbird, or checking your email on your mobile device.
What if the malicious actor changes the website after the email is delivered to me?
“Delayed phishing” or “post-delivery weaponization” is a process where a malicious actor initially sends an email with a link that routes to a harmless website, then later weaponizes the link by redirecting to a malicious site or replacing the harmless website content with malicious content. This is effective in fooling some email protection methods that only scan websites upon email delivery, leaving users who view the email after the link has been weaponized vulnerable.
In contrast, URL Defense scans a website at the moment a user clicks the link, so it is still effective in blocking delayed phishing attacks. Regardless of if or when a destination website changes, URL Defense will always scan the website you’re about to visit.
What if a website I visited was identified as malicious and blocked by Proofpoint?
If URL Defense identifies the website you’re about to visit as malicious, it will send you to an informational page explaining that the website was blocked and why. You will not be directed to the destination website. Blocked pages are automatically reported for analysis and no further action is needed on your part.