LinkScan: on-demand URL protection

Updated 2 weeks ago by admin

The reputation of URLs contained in an email is checked at the time of processing using the URL Scanner Rule condition. With LinkScan, further checks are conducted the moment the end-user clicks the link, including deep redirect scanning and document detection. This adds a greater degree of security, as often it can take a while for threat intelligence feeds to report that an email is a spam or has a malicious URL inside it.

Conducting further checks when the user attempts to access the URL can detect a changed URL reputation (which may not have been known at the time of delivering the email). With LinkScan, all URL links are automatically rewritten in the email, and changed to an encoded LinkScan address. The encoded address performs additional checks against multiple threat intelligence feeds dynamically, at the time of access.

There are six modes of operation available for LinkScan, each of which provides flexibility in how users interract with Linkscan-rewritten URLs.

Senders in the Global Safe List will be automatically excluded from LinkScan URL rewriting.

LinkScan rewrites URLs so that they will always pass through the linkscan.io domain before being silently redirected. A LinkScan URL has the format:

https://v2.linkscan.io/scan/ux/<string>

When a user clicks a LinkScan-rewritten URL, the LinkScan service begins checking the underlying URL against multiple threat intelligence feeds. The following example shows a clean URL with the Click to Continue operating mode enabled:

The following example shows a URL that has a threat with the Auto Redirect unless Threat Detected operating mode enabled:

Converting a rewritten URL back to its original URL

You can use the online tool at https://v2.linkscan.io/reveal to reveal the original URL from a LinkScan-rewritten URL.

Your EMS account may already have a LinkScan default Rule, in which case you can skip this step.

If you do not already have a LinkScan Rule, you can create it using these steps.

  1. Visit your USS Dashboard and click ProductsE-mail SecurityMessage Rules.
  2. Click to create a new Rule.
  3. Give your new Rule a sensible name, like LinkScan.
  4. Add a Direction Condition, with the direction set to Match Inbound.
  5. Add a Sender In List Condition, with the logic set to "Does Not Match: Safe".
With this Condition, senders in the Safe List will bypass LinkScan URL rewriting. Omit this Condition if that's not what you want.
  1. Add a LinkScan Action. Set the Value to Auto Redirect unless Threat Detected.
  2. Do not add a Final Action.
Remember to check that your new Rule is active, by enabling the Active checkbox.
  1. Click .

LinkScan can operate in a number of different operating modes. The specific mode is chosen in the LinkScan Message Rule.

We strongly recommend that Legacy options are not used. If you are currently using one of the Legacy options, we recommend switch to one of the following options:
Auto Redirect, Block on threat, Hide URL

The user is automatically redirected to the target URL unless a threat is detected. If a threat is detected, the reason will be displayed with no option to continue and the destination URL will be hidden.

Auto Redirect, Block on threat, Show target URL

The user is automatically redirected to the target URL unless a threat is detected. If a threat is detected, there is no option to continue to the target URL. The target URL is visible on the linkscan.io page.

Auto Redirect, Block on threat, Hide target URL with Doc Scan

The user is automatically redirected to the target URL unless a threat is detected. If a threat is detected, the reason will be displayed with no option to continue and the destination URL will be hidden. If the target is an embedded document (e.g. Onedrive, PDF, Dropbox) then the document will also be scanned for URLs that may be a threat.

Auto Redirect, Block on threat, Hide target URL, Skip Unknown URL

The user is automatically redirected to the target URL unless a threat is detected. If a threat is detected, the reason will be displayed with no option to continue and the destination URL will be hidden. If the target URL has no known reputation, it will be allowed.

Creating exclusions

You can exclude specific sender addresses, specific URLs, or parts of URLs, from LinkScan's engine.

You can exclude a sender or a URL, but not both at once.
Excluding specific sender addresses

Add the sender address to the Safe List. LinkScan will not rewrite URLs in any emails from this sender.

Excluding URLs

Create an exclusion for the URL by create a new set of Custom Rule Data.

  1. Visit your USS Dashboard and click ProductsE-mail SecurityCustom Rule Data.
  2. Click to create new RegEx Custom Rule Data.
  3. Give your new data a sensible name.
  4. In the Value field, add the URL you want to exclude from LinkScan processing.
You'll need to add the URL in a regex format. For example, apple.com would become \b(apple\.com)\b. Make sure that you escape any period characters (.) in the URL with a slash (\).
If you want to add other URLs to this Custom Rule Data, the best way to do so is to append the new URL to the existing data, separated by the | character. For example, a RegEx to bypass apple.com and www.microsoft.com would be \b(apple\.com)\b|\b(www\.microsoft\.com)\b.
You can test your new RegEx at https://regex101.com/ to be sure it performs the way you expect.
  1. Click to save this new Custom Rule Data.
  2. Navigate to ProductsE-mail SecurityMessage Rules. Double-click the LinkScan Rule to open it for editing.
  3. Add a new Body Condition. Set the Logic to Does Not Match and the Value to the new Custom Rule Data you created.


How did we do?