Email Security

Rethinking URL Rewriting in Email Security

E.J Whaley

September 24, 2020

4 min

URL rewriting is ubiquitous in email security. The underlying functionality might be different from vendor to vendor, but the idea is the same: When users interact with URLs inside their inbox, URL rewriting affords the ability to check whether or not the destinations of the URLs are safe. But as email security has shifted away from being reliant upon Secure Email Gateways (SEGs, or simply gateways) to an API-based approach, has rewriting URLs become obsolete?

URL rewriting gained traction due to a shift in tactics by attackers. URLs have long been associated with email-based attacks, from malware to credential theft attacks. As organizations began focusing more on security, they turned to their email security vendors for assistance in thwarting these types of attacks.

Checking URLs through anti-virus scanning, registered block lists, and other static threat intelligence repositories became the norm to help defend against these attacks. But there was a problem: the threat intelligence was static. This meant attackers could rotate the URLs used in their attacks or continuously utilize new ones knowing that only their previously used URLs were likely to be detected.

The rise of URL rewriting

For some time, the security community had to reckon with how to get out in front of this problem. This is largely where URL rewriting came into play. The idea behind URL rewriting is to change the destination of the URL in order to check the URL again. Instead of a user being brought directly to the destination of the URL, the URL is altered to redirect the user to a proxy.

While the user’s browser is on the proxy page, a service checks to see if the destination URL is now on static threat intelligence lists. This means that while the service is still reliant upon static threat intelligence, there is the added benefit of being able to check the destination twice: once upon initial delivery and again at the time of click.

Over time, a number of new advancements allowed URL rewriting to become an even more useful tool. For instance, rather than the service simply checking to see if there is an updated match in the available threat intelligence, services can now check the destination in real time, extract the intended destination from shorteners, perform page exploration to identify spoofed websites and login pages, follow redirects, and a perform a number of other dynamic checks.

This has helped immensely in thwarting attackers both in terms of their rotation and constant use of new destinations, as well as a more recent tactic of exploiting URL shorteners and URL redirects. Lastly, if all else fails with the various checks and a user still ended up interacting with malicious content, most URL rewriting services provide insight into whether or not users interacted with specific URLs.

Common issues and limitations

While URL rewriting has inarguably come a long way, the approach is not without its flaws. Despite recent advancements in machine vision, most URL rewriting services are still fairly beholden to static threat intelligence. If a user interacts with a malicious URL immediately after delivery, there is a chance that the URL has not yet been added to a threat intelligence list.

Some URL rewriting services also have a propensity to break links, whether immediately or over the course of time. This can create headaches for users trying to access content as well as for the help desk teams who are fielding the complaints about the non-functioning URLs.

Worth mentioning here is the rise in utilization of another technology: training and awareness platforms that simulate phishing emails. Through these tools, users are often trained to hover over the links inside of their emails to check to see if they recognize the destination. URL rewriting requires an obscure URL to be swapped in for the original. Thus the hover technique can become overly complicated for users.

There’s a better way

URL rewriting has its merits. Vade Secure’s own Time-of-Click (ToC) service remains available to customers. Featuring real-time, machine-learning based behavioral analysis, ToC analyzes up to 47 features of URLs and webpages, with high accuracy and no latency to end users. However, with our emphasis on predictive defense and ongoing investments in AI technology, our focus is on ensuring that users never interact with a malicious URL, even in the event that it is delivered.

Vade Secure’s email content filter protects one billion mailboxes and scans more than 12 billion emails per day. This data provides up-to-the-minute, real-time analysis of email meta-data, including analysis of the URLs’ webpages, generating global threat intelligence used to train our AI models and fine-tune them as new threats or phishing techniques emerge.

This combined AI technology and threat intelligence powers Auto-Remediate, an integrated feature of Vade Secure for Microsoft 365 that provides both preemptive and post-delivery capabilities. A component of the content filter, Auto-Remediate continuously scans emails and the webpages behind the links embedded in emails, including after delivery.

If an email threat is missed on the initial scan, Auto-Remediate will remove the email from the inbox and move it to a folder designated by the admin upon setup of the product. The admin can remediate the email in a number of ways, including deleting the email or returning it to an inbox if deemed safe.

The accuracy of the filter, combined with the post-delivery capabilities of Auto-Remediate, is a next-generation, proactive approach to email security, an evolution of ToC that provides better accuracy and more efficiency. Additionally, because Auto-Remediate doesn’t rewrite URLs, users can see the URL destination by hovering over the link, a critical step in identifying suspicious links. This empowers the user to put their phishing awareness training to use, which protects both the user and the business.

In addition, Auto-Remediate provides better protection by eliminating the threat from the user’s inbox instantly, eliminating the need for users to interact with malicious emails and malicious URLs.

Vade Secure partners are encouraged to enable Auto-Remediate, which can be activated per threat category, including phishing, malware, and spam. Although we highly recommend activating Auto-Remediate over ToC, partners who wish to use ToC can activate the feature in their Vade Secure for Microsoft 365 admin console.