By default, Defend rewrites all URLs and scans links both at the time of receipt and at the time of click. URL rewriting allows Defend to perform the checks again when the link is clicked, which protects against time-based attacks, where threat actors leave a site dormant for a period so that it appears "clean" to security tools at delivery time.
Scanning a URL
Defend scans a URL when an email is first received and every time the link is clicked.
Defend initially looks at five key things to determine if a particular link is safe:
- Linguistic analysis of the link (such as character obfuscation, mismatched TLD, and Punycode).
- Existing block list entries indicating known bad domains.
- Age of the domain or address, and "Whois" lookups.
- The number of hops, and the locality of each hop, taken to reach the end destination.
- The context of the URL, for signs of organization impersonation, such as the use of protected language and entities like DHL, Amazon, and PayPal.
When a user clicks on a URL, Defend's link scanning rechecks it against the blocklists and follows any redirects, to protect against real-time attacks.
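The five checks above, worked through as an added Python example (this is not Defend's code; the blocklist, domain-age data and redirect chain are constructed stand-ins for the live lookups a real scanner would make, and the hostnames are invented):

```python
from urllib.parse import urlparse

# Constructed stand-ins for the blocklist, Whois/domain-age and redirect data.
# None of these hostnames are real.
BLOCKLIST = {"bad-login-portal.example"}
DOMAIN_AGE_DAYS = {"paypal.com": 9000, "amazon.com": 10000, "paypa1-secure.example": 3}
REDIRECTS = {  # hostname of the current hop -> URL of the next hop
    "short.example": "https://hop2.example/go",
    "hop2.example": "https://paypa1-secure.example/signin",
}
PROTECTED_BRANDS = ("dhl", "amazon", "paypal")
BRAND_OWNED_DOMAINS = {"dhl.com", "amazon.com", "paypal.com"}
MAX_HOPS = 10


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation; a real scanner uses the public suffix list."""
    return ".".join(host.split(".")[-2:])


def follow_redirects(url: str) -> list:
    """Return the hop chain starting at url, stopping at MAX_HOPS or a non-redirecting host."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        nxt = REDIRECTS.get(host_of(chain[-1]))
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def linguistic_findings(host: str) -> list:
    """Punycode, non-ASCII lookalikes and digit-for-letter swaps in a brand name."""
    findings = []
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in hostname")
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in hostname")
    # Undo common swaps (1 for l, 0 for o) and see whether a protected brand appears.
    normalised = host.translate(str.maketrans("10", "lo"))
    if normalised != host and any(b in normalised for b in PROTECTED_BRANDS):
        findings.append("character obfuscation of a protected brand name")
    return findings


def impersonation_findings(url: str) -> list:
    """A protected brand name used under a domain that brand does not own."""
    host, path = host_of(url), urlparse(url).path.lower()
    owned = registrable_domain(host) in BRAND_OWNED_DOMAINS
    findings = []
    for brand in PROTECTED_BRANDS:
        if brand in host and not owned:
            findings.append(f"'{brand}' used in a domain the brand does not own")
        elif brand in path and not owned:
            findings.append(f"'{brand}' referenced in the path of an unrelated domain")
    return findings


def assess_url(url: str) -> tuple:
    """Combine blocklist, hop count, linguistic, impersonation and domain-age checks."""
    chain = follow_redirects(url)
    final_url = chain[-1]
    final_host = host_of(final_url)
    findings = []
    blocked = [host_of(h) for h in chain if host_of(h) in BLOCKLIST]
    for host in blocked:
        findings.append(f"hop on blocklist: {host}")
    hops = len(chain) - 1
    if hops:
        findings.append(f"{hops} redirect hop(s) before the final destination")
    findings += linguistic_findings(final_host)
    findings += impersonation_findings(final_url)
    age = DOMAIN_AGE_DAYS.get(registrable_domain(final_host))
    if age is None:
        findings.append("no domain-age record for final destination")
    elif age < 30:
        findings.append(f"final domain registered {age} day(s) ago")
    if blocked or len(findings) >= 2:
        return "block", findings
    return ("warn" if findings else "allow"), findings


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin", "https://short.example/a",
                   "https://paypal.com.evil.example/login"):
        print(sample, "->", assess_url(sample))
```

The verdict thresholds (any blocklist hit, or two or more findings, blocks) are a design choice for the example; a production scanner weights each signal rather than counting them.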
Link Rewriting versus Link Scanning
URL Rewriting and Link Scanning are two distinct features in Defend that work together to enhance email security. The subsections below explain how they function.
Link Rewriting
Link rewriting functions as follows:
- When enabled, this feature modifies links in emails by redirecting them through the Defend portal.
- For example, a link to google.com would be rewritten to appear as “links.[region].defend.egress.com/”.
- This rewriting allows for additional security checks when the link is clicked.
- Disabling link rewriting will mean that Defend does not modify the links in question. For example, a link to google.com will continue to link to google.com.
Link Scanning
Link scanning functions as follows:
- Enabling or disabling URL rewriting controls which checks Defend performs when a user clicks a link.
- If link rewriting is enabled, the link is "followed" to discover any redirects, and each hop is then scanned. This allows Defend to run its full suite of checks, including:
  - Linguistic and contextual analysis to identify potential risks
  - Scanning for threat indicators such as character obfuscation, suspicious domains, domain age, and potential impersonation
- If link rewriting is disabled, the link is not "followed" or accessed by Defend, but it is still scanned for potential threats using heuristic and blocklist checks.
Exceptions and Configurations
Admins can configure exceptions for specific domains to:
- Disable link rewriting.
  - When link rewriting is disabled for a domain, the original URL remains unchanged in the email.
- Disable link scanning.
  - When link scanning is disabled, Defend will not perform its usual security checks on that link.
One-Time Use Links
Our link scanning breaks one-time use links, such as those in activation emails for registering an account, because the scan itself follows the link before the user does. In some cases, when Defend has rewritten such a link, users are given an error message stating that the link has already been used. We recommend that admins add a "URL Rewriting exception" entry for domains or services that use one-time links; this can be done in the Defend console.
What does Defend look for in attachments?
Defend does not rewrite the links inside attachments. We look at many components of the attachment to ascertain if the file is malicious. Defend will complete the following actions:
- Scan the attachments for links.
- Scan where those links go and check whether they appear on any blocklists.
- Scan the link text for any coercive language.
- Scan the URL itself for malicious information.
- Scan the file name and file type for sensitive information or social engineering.
- Look for obfuscation of the file extension.
- Scan for JavaScript.
- Compare with known malware hashes.
- Use Bitdefender for AV scanning.
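The attachment checks listed above, as an added Python example that is not Defend's code: the known-malware hash set, the blocklist, the coercive phrases and the sample attachment are all constructed for this demonstration, and the "link text" check is approximated by searching the attachment's text rather than only anchor text.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed data: no real malware hashes, domains or lures.
KNOWN_MALWARE_SHA256 = {hashlib.sha256(b"constructed-malicious-blob").hexdigest()}
URL_BLOCKLIST = {"bad-login-portal.example"}
COERCIVE_PHRASES = ("verify immediately", "account will be suspended", "act now", "urgent action")
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "lnk"}
LURE_WORDS = ("invoice", "payment", "password", "remittance")
RTLO = "\u202e"  # right-to-left override, used to make "x.exe" display as a document
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b|/JavaScript\b|/JS\b")  # HTML tag or PDF action keys

# Constructed sample attachment: an HTML lure with a blocklisted link and script.
CONSTRUCTED_LURE = (b'<html><a href="https://bad-login-portal.example/x">Verify immediately '
                    b'or your account will be suspended</a><script>run()</script></html>')


def filename_findings(name: str) -> list:
    """File-name checks: extension obfuscation and social-engineering lure words."""
    findings = []
    if RTLO in name:
        findings.append("right-to-left override character disguises the extension")
    parts = name.replace(RTLO, "").lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension ending in .{parts[-1]}")
    if re.search(r"\.\w{2,4}\s{5,}\.\w{2,4}$", name):
        findings.append("run of spaces hides the real extension")
    if any(w in name.lower() for w in LURE_WORDS):
        findings.append("file name uses a common lure word")
    return findings


def content_findings(data: bytes) -> list:
    """Content checks: hash match, embedded JavaScript, links and coercive language."""
    findings = []
    if hashlib.sha256(data).hexdigest() in KNOWN_MALWARE_SHA256:
        findings.append("matches a known malware hash")
    text = data.decode("utf-8", errors="ignore")
    if SCRIPT_RE.search(text):
        findings.append("embedded JavaScript")
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in URL_BLOCKLIST:
            findings.append(f"link to blocklisted host {host}")
    lowered = text.lower()
    findings.extend(f"coercive language: '{p}'" for p in COERCIVE_PHRASES if p in lowered)
    return findings


def assess_attachment(name: str, data: bytes) -> tuple:
    """Block on a hash or blocklist hit, or on two or more weaker findings."""
    findings = filename_findings(name) + content_findings(data)
    hard_hit = any(f.startswith(("matches a known", "link to blocklisted")) for f in findings)
    if hard_hit or len(findings) >= 2:
        return "block", findings
    return ("warn" if findings else "allow"), findings


if __name__ == "__main__":
    print(assess_attachment("statement.pdf.exe", CONSTRUCTED_LURE))
    print(assess_attachment("report.pdf", b"%PDF-1.4 quarterly figures"))
```

A real AV engine replaces the hash lookup and script regex here; the point of the example is that the file name, the embedded links and the wording of the content are each scored independently, so a lure that passes one check still trips the others.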
URL Rewriting Exception List
An exception list entry can be created to avoid links being scanned or rewritten for a particular domain. This feature can also be activated to work on older URLs. If a link is deemed harmful and the continue button is disabled, admins can add the links to the rewriting exceptions. When the user then tries to navigate to the link, Defend will send them to the end destination.
URL Decoding
A rewritten link can be decoded in the Defend console. Admins can then click on the decoded URL to navigate to the referenced site. The ability to rewrite URLs must be enabled in the console.
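The rewrite, exception, one-time-link and decode behaviour described in the "Link Rewriting", "Exceptions and Configurations", "One-Time Use Links" and "URL Decoding" sections, as one added Python example. It is not Defend's implementation: only the `links.[region].defend.egress.com` host shape comes from the page (the region label is a placeholder here); the query-parameter names, the base64 payload, the HMAC tag that stops the rewrite host being used as an open redirector, the secret key and the exception domain are all constructed for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Host shape from the page; "region-placeholder" stands in for the real region label.
REWRITE_HOST = "links.region-placeholder.defend.egress.com"
SECRET = b"constructed-demo-key-not-for-production"  # constructed; would come from a KMS
REWRITE_EXCEPTIONS = {"accounts.example"}            # constructed: a service with one-time links
BLOCKLIST = set()                                    # grows over time; rechecked on every click


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _in_exceptions(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in REWRITE_EXCEPTIONS)


def _tag(payload: str) -> str:
    """Keyed tag over the encoded URL so only links we produced are accepted back."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite(url: str) -> str:
    """Wrap url through the rewrite host, unless its domain has a rewriting exception."""
    if _in_exceptions(_host(url)):
        return url  # original URL left unchanged, e.g. for one-time activation links
    payload = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"https://{REWRITE_HOST}/?" + urlencode({"u": payload, "t": _tag(payload)})


def verify_token(rewritten: str) -> bool:
    """True only for links on the rewrite host whose tag verifies."""
    parsed = urlparse(rewritten)
    if (parsed.hostname or "").lower() != REWRITE_HOST:
        return False
    q = parse_qs(parsed.query)
    if "u" not in q or "t" not in q:
        return False
    return hmac.compare_digest(q["t"][0], _tag(q["u"][0]))


def decode(rewritten: str) -> str:
    """Recover the original URL (the console's 'decode' operation)."""
    if not verify_token(rewritten):
        raise ValueError("not a genuine rewritten link")
    payload = parse_qs(urlparse(rewritten).query)["u"][0]
    return base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)).decode()


def on_click(rewritten: str) -> tuple:
    """Time-of-click recheck: decode, then consult the current blocklist again."""
    original = decode(rewritten)
    return ("block" if _host(original) in BLOCKLIST else "allow", original)


if __name__ == "__main__":
    link = rewrite("https://www.google.com/")
    print(link)
    print(decode(link))
    print(rewrite("https://accounts.example/activate?token=one-time"))  # unchanged
```

The click-time recheck is the whole reason for rewriting: a destination that was clean at delivery but is listed later is still blocked, because `on_click` consults the blocklist as it stands at that moment rather than at receipt.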
Rewritten Link Expiry
Any link Defend rewrites will continue to work indefinitely, even if the organization is no longer a Defend customer.