LinkScan: on-demand URL protection

Updated 1 day ago by admin

The reputation of URLs contained in an email is checked at the time of processing using the URL Scanner Rule condition. With LinkScan, further checks are conducted the moment the end-user clicks the link. This adds a greater degree of security, as it can often take a while for threat intelligence feeds to report that an email is spam or contains a malicious URL.

Conducting further checks when the user attempts to access the URL can detect a changed URL reputation (which may not have been known at the time of delivering the email). With LinkScan, all URL links are automatically rewritten in the email, and changed to an encoded LinkScan address. The encoded address performs additional checks against multiple threat intelligence feeds dynamically, at the time of access.

There are six modes of operation available for LinkScan, each of which provides flexibility in how users interact with LinkScan-rewritten URLs.

Senders in the Global Safe List will be automatically excluded from LinkScan URL rewriting.

LinkScan rewrites URLs so that they will always pass through the linkscan.io domain before being silently redirected. A LinkScan URL has the format:

http://linkscan.io/scan/ux/<string>

When a user clicks a LinkScan-rewritten URL, the LinkScan service begins checking the underlying URL against multiple threat intelligence feeds. The following example shows a clean URL with the Click to Continue operating mode enabled:

The following example shows a URL that has a threat with the Auto Redirect unless Threat Detected operating mode enabled:

Converting a rewritten URL back to its original URL

You can use the online tool at http://linkscan.io/reveal to reveal the original URL from a LinkScan-rewritten URL.

Your EMS account may already have a LinkScan default Rule, in which case you can skip this step.

If you do not already have a LinkScan Rule, you can create it using these steps.

  1. Visit your USS Dashboard and click Products > E-mail Security > Message Rules.
  2. Click to create a new Rule.
  3. Give your new Rule a sensible name, like LinkScan.
  4. Add a Direction Condition, with the direction set to Match Inbound.
  5. Add a Sender In List Condition, with the logic set to "Does Not Match: Safe".
     With this Condition, senders in the Safe List will bypass LinkScan URL rewriting. Omit this Condition if that's not what you want.
  6. Add a LinkScan Action. Set the Value to Auto Redirect unless Threat Detected.
  7. Do not add a Final Action.
     Remember to check that your new Rule is active, by enabling the Active checkbox.
  8. Click .

LinkScan can operate in any of six different operating modes. The specific mode is chosen in the LinkScan Message Rule.

Click to Continue

The user must always click to continue to the target URL. The target URL is visible to the user on the linkscan.io page.

Auto Redirect unless Threat Detected

The user is automatically redirected to the target URL, unless a threat is detected. If a threat is detected, the user is given the option to click to continue to the target URL anyway. The target URL is visible on the linkscan.io page.

Click to Continue, Block on threat, Show target URL

The user must always click to continue to the target URL (even if no threat is detected). If a threat is detected, there is no option to continue to the target URL. The target URL is visible on the linkscan.io page.

Auto Redirect, Block on threat, Show target URL

The user is automatically redirected to the target URL, unless a threat is detected. If a threat is detected, there is no option to continue to the target URL. The target URL is visible on the linkscan.io page.

Click to Continue, Block on threat, Hide target URL

The user must always click to continue to the target URL (even if no threat is detected). If a threat is detected, there is no option to continue to the target URL. The target URL is not visible on the linkscan.io page.

Auto Redirect, Block on threat, Hide target URL

The user is automatically redirected to the target URL unless a threat is detected. If a threat is detected, there is no option to continue to the target URL. The target URL is not visible on the linkscan.io page.

Creating exclusions

You can exclude specific sender addresses, specific URLs, or parts of URLs, from LinkScan's engine.

Excluding specific sender addresses

Add the sender address to the Safe List. LinkScan will not rewrite URLs in any emails from this sender.

Excluding URLs

Create an exclusion for the URL by creating a new set of Custom Rule Data.

  1. Visit your USS Dashboard and click Products > E-mail Security > Custom Rule Data.
  2. Click to create new RegEx Custom Rule Data.
  3. Give your new data a sensible name.
  4. In the Value field, add the URL you want to exclude from LinkScan processing.
     You'll need to add the URL in a regex format. For example, apple.com would become \b(apple\.com)\b. Make sure that you escape any period characters (.) in the URL with a backslash (\).
     If you want to add other URLs to this Custom Rule Data, the best way to do so is to append the new URL to the existing data, separated by the | character. For example, a RegEx to bypass apple.com and www.microsoft.com would be \b(apple\.com)\b|\b(www\.microsoft\.com)\b.
     You can test your new RegEx at https://regex101.com/ to be sure it performs the way you expect.
  5. Click to save this new Custom Rule Data.
  6. Navigate to Products > E-mail Security > Message Rules. Double-click the LinkScan Rule to open it for editing.
  7. Add a new Body Condition. Set the Logic to Does Not Match and the Value to the new Custom Rule Data you created.
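
A local check for the exclusion RegEx built in the steps above, as an added example that is not part of the original page or the vendor's tooling. It assumes Python's re module behaves like the LinkScan engine's regex flavor and that the Body Condition searches the whole message text; build_exclusion, audit and the sample lines are constructed for illustration.

```python
import re


def build_exclusion(hosts):
    r"""Join hosts in the page's format, \b(host)\b|\b(host)\b, with periods escaped."""
    return "|".join(r"\b(" + re.escape(h) + r")\b" for h in hosts)


def audit(pattern, samples):
    """Return the samples whose match result differs from what the admin intended.

    samples is a list of (body_text, should_be_excluded) pairs.
    """
    rx = re.compile(pattern)
    surprises = []
    for text, intended in samples:
        matched = rx.search(text) is not None
        if matched != intended:
            surprises.append((text, "over-match" if matched else "missed"))
    return surprises


# Constructed body lines; example.net is a reserved documentation domain.
SAMPLES = [
    ("Visit https://apple.com/support today", True),
    ("Docs: https://www.microsoft.com/en-us/", True),
    ("Recipes at https://pineapple.com/", False),
    ("Sign in at https://apple.com.example.net/", False),
    ("Sign in at https://apple-com.example.net/", False),
]

# The page's two-host RegEx, and the same RegEx with the periods left unescaped.
ESCAPED = build_exclusion(["apple.com", "www.microsoft.com"])
UNESCAPED = r"\b(apple.com)\b|\b(www.microsoft.com)\b"

if __name__ == "__main__":
    for name, pattern in (("escaped", ESCAPED), ("unescaped", UNESCAPED)):
        print(name, pattern)
        for text, kind in audit(pattern, SAMPLES):
            print("   ", kind, "->", text)
```

Any line reported as an over-match means the exclusion is wider than the host you intended, because \b only marks a word boundary and does not mark the end of a hostname. Review those lines before saving the Custom Rule Data.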

