Proofpoint - URL Defense

Overview

One of the features provided by Proofpoint is URL Defense. This works by rewriting URLs (i.e. web addresses and links) in emails as they pass through our Proofpoint gateway on their way to your inbox. By rewriting URLs, Proofpoint is able to send all “clicks” of a URL to an isolated sandbox and scan the destination website to ensure it’s safe before you visit.

How it URL Defense Works

Email-based attacks, especially phishing attacks, are often triggered when you click on malicious links (URLs) provided to you in email.

  • Malicious actors often try to imitateURLs be the URLs of legitimate websites or hide malicious hind shortened URLs to obfuscate the actual website you will visit upon clicking
  • The malicious website may closely resemble a login page that you are accustomed to in an attempt to fool even the most vigilant of users into logging in, thereby exposing their credentials and providing the malicious actor with an avenue into your email or other systems
  • The malicious website may have been developed with the intent to exploit browser or OS vulnerabilities and infect the your device with ransomware, cryptojacks, or other malware
  • Once infected, malware often scans local networks, hunting for other devices vulnerable to infection - sometimes lying dormant on host devices for hours, days, or weeks to prevent detection - before initializing and executing its attack

This process should be unnoticeable and take no longer than a few moments, when clicking a link sent via email:

  1. URL Defense works by rewriting URLs before they reach your inbox
  2. When a rewritten URL is clicked, URL Defense will open the destination website in a remote sandbox in order to safely scan the website before your visit
  3. If a website is determined to be safe, URL Defense will seamlessly forward you along to the destination website
  4. If the website is determined to be malicious, URL Defense will not send you to the website and will instead display a message to inform you that the site has been blocked and why

Back to Top

What do Rewritten URLs Look Like?

In the email body text, a rewritten URL will appear no different from when it was sent. However, when hovering over or inspecting URLs, you will notice that rewritten URLs begin with 

  • https://urldefense.com/;
  • or https://urldefense.proofpointcom/… 

This is normal and is an indication that URL Defense will be used to scan the website before your visit. Currently, URL Defense is not applied to:

  • URLs sent internally (from @hawaii.edu to @hawaii.edu)
  • URLs that link to known-safe domains or websites
  • URLs that link to services provided by Proofpoint (proofpoint.com, pphosted.com, urldefense.com, urldefense.proofpoint.com)

Back to Top

Print Article