Situation |
URL Defense will defend against malicious and potentially harmful URL’s contained within emails.
|
---|---|
Solution |
URL defense feature has some exception that can be configure according to customer needs. Make sure after you enable Attachment Defense which exceptions you want to add into customers.
|
URL Defense and DKIM signature
By default URL Defense will re-write URLs that are located in DKIM signed emails. This will provide needed security for URLs, but will break the DKIM signature in these emails. To use URL Defense for unsigned emails and preserve DKIM signing for signed emails, you will need to disable this setting.
- Login with your admin credentials into Proofpoint Dashboard.
- Under Security Settings, click on Malicious Content tab.
- Under Malicious Content, click on URL Defense tab.
- Check the box: Re-write URLs that are located in DKIM signed messages.
URL Defense Exceptions
URL Defense can be configured so that it doesn't have to re-write all links in emails.
- Re-write URLs that are not located in an anchor tag
- This will re-write URL’s that are not included in an anchor tag
- Example: not included in <a href="proofpoint.com”></a>
- Exclude URLs that contain specified domains/IP addresses:
- URL’s will not be re-written that contain the specified Domains listed/IP address’s
- Enter your domain list separated by line, comma or semi-colon
- Exclude active domains associated with this organization:
- This will exclude re-writing URL’s from emails from domains associated with the organization's account
- Check the box to enable this option
- Exclude re-writing emails that are sent by specified senders:
- This will not re-write URL’s that have specified senders/domains listed
- Enter your domain list separated by line, comma or semi-colon
- Exclude re-writing bare IP addresses in plain text emails:
- This will not re-write bare IP address’s in plain text emails
- Check the box to enable this option
- Exclude re-writing URLs in plain text emails:
- This will not re-write URLs contained in plain text emails
- Check the box to enable this option
Info: Case condition re-writes
For the above, please ensure to note the considerations here:
Text has hyperlink - entire URL is re-written
Text URL matches hyperlink - entire is re-written
Text URL does not match hyperlink - original hyperlink is missing, text URL is re-written and given as new hyperlink.
Solution to last scenario - Need to exempt the sender or base URL
Reading A Defended URL
EXAMPLE
- Original URL:
Original URL: http://www.google.com
- Defended URL:
Defended URL: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.google.com&d=DwMBaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=U7dT0lFTeyLPTT18j4jTT-QA0_6S0SNyKKRkIm_J6m0&m=phBCMPbh8b9Q8KZOis22AQ2dvsY8EX3owRM-4hZtz1o&s=tyrC6QslpNIWXiCLUXJEbjm0oo5vBoSwGrVYEhO1xBw&e=
All fields except the URL are encrypted. The information embedded in the URL is as follows:
- u – the original URL
- d – a set of debug flags
- c – a PPS cluster ID
- r – the recipient of the message
- m – a message identifier
- s – a digital signature to prevent tampering
- e – a blank parameter to signify the end of the rewritten URL
Warning When Malicious URL Is Clicked
Info: Blocked URL link change
When you visit a URL and see the site below, the URL itself changes. If you are contacting support in regards to a false positive on the URL, we require the original link from the email, not the one currently in your browser address bar.
Carlos Rios
Comments