LinkScan: on-demand URL protection

The reputation of URLs contained in an email is checked at the time of processing using the URL Scanner Rule condition. With LinkScan, further checks are conducted the moment the end-user clicks the link, including deep redirect scanning and document detection. This adds a greater degree of security, as often it can take a while for threat intelligence feeds to report that an email is a spam or has a malicious URL inside it.

Conducting further checks when the user attempts to access the URL can detect a changed URL reputation (which may not have been known at the time of delivering the email). With LinkScan, all URL links are automatically rewritten in the email, and changed to an encoded LinkScan address. The encoded address performs additional checks against multiple threat intelligence feeds dynamically, at the time of access.

Services such as Office 365 provide their own on-demand URL scanning service. Having multiple services may reduce the user experience and potentially conflict with each other.

There are six modes of operation available for LinkScan, each of which provides flexibility in how users interract with Linkscan-rewritten URLs.

Senders in the Global Safe List will be automatically excluded from LinkScan URL rewriting.

LinkScan rewrites URLs so that they will always pass through the linkscan.io domain before being silently redirected. A LinkScan URL has the format:

https://linkscan.io/scan/ux/<string>
Some email clients such as Outlook have a maximum URL length (1024 characters) which can be exceeded due to the extra characters needed for rewriting.

When a user clicks a LinkScan-rewritten URL, the LinkScan service begins checking the underlying URL against multiple threat intelligence feeds. The following example shows a clean URL with the Click to Continue operating mode enabled:

The following example shows a URL that has a threat with the Auto Redirect unless Threat Detected operating mode enabled:

Converting a rewritten URL back to its original URL

You can use the online tool at https://linkscan.io/reveal to reveal the original URL from a LinkScan-rewritten URL.

Your EMS account may already have a LinkScan default Rule, in which case you can skip this step.

If you do not already have a LinkScan Rule, you can create it using these steps.

  1. Visit your USS Dashboard and click ProductsE-mail SecurityMessage Rules.
  2. Click to create a new Rule.
  3. Give your new Rule a sensible name, like LinkScan.
  4. Add a Direction Condition, with the direction set to Match Inbound.
  5. Add a Sender In List Condition, with the logic set to "Does Not Match: Safe".
With this Condition, senders in the Safe List will bypass LinkScan URL rewriting. Omit this Condition if that's not what you want.
  1. Add a LinkScan Action. Set the Value to Auto Redirect unless Threat Detected.
  2. Do not add a Final Action.
Remember to check that your new Rule is active, by enabling the Active checkbox.
  1. Click .

LinkScan can operate in a number of different operating modes. The specific mode is chosen in the LinkScan Message Rule.

For a list of hostnames and ports that LinkScan uses please visit the Service IP addresses and ports page.
Auto Redirect, Block on threat, Show target URL with Doc Scan

The user is automatically redirected to the target URL unless a threat is detected. If the target is an embedded document (e.g. Onedrive, PDF, Dropbox) then the document will also be scanned for URLs that may be a threat. If a threat is detected, there is no option to continue to the target URL. The target URL is visible on the linkscan.io scan page.

Auto Redirect, Block on threat, Hide target URL with Doc Scan

The user is automatically redirected to the target URL unless a threat is detected. If a threat is detected, the reason will be displayed with no option to continue and the destination URL will be hidden. If the target is an embedded document (e.g. Onedrive, PDF, Dropbox) then the document will also be scanned for URLs that may be a threat.

Auto Redirect, Continue on threat, Hide target URL with Doc Scan

The user is automatically redirected to the target URL unless a threat is detected. If a threat is detected, the reason will be displayed with a continue button available and the destination URL will be hidden. If the target is an embedded document (e.g. Onedrive, PDF, Dropbox) then the document will also be scanned for URLs that may be a threat.

Click to Continue, Block on threat, Show target URL with Doc Scan

Requires a click to continue if the URL is checked and passes all checks. If a threat is detected, there is no option to the target URL. The target URL is visible on the linkscan.io scan page. If the target is an embedded document (e.g. Onedrive, PDF, Dropbox) then the document will also be scanned for URLs that may be a threat.

Click to Continue, Block on threat, Hide target URL and Doc Scan

Requires a click to continue if the URL is checked and passes all checks. If a threat is detected, there is no option to the target URL. The target URL is not visible on the linkscan.io scan page. If the target is an embedded document (e.g. Onedrive, PDF, Dropbox) then the document will also be scanned for URLs that may be a threat.

Click to Continue, Continue on threat, Show target URL, Doc Scan

Requires a click to continue if the URL is checked and passes all checks. If a threat is detected, a button is shown to allow to continue to target URL. The target URL is visible on the linkscan.io scan page. If the target is an embedded document (e.g. Onedrive, PDF, Dropbox) then the document will also be scanned for URLs that may be a threat.

Creating exclusions

You can exclude specific sender addresses, specific URLs, or parts of URLs, from LinkScan's engine.

You can exclude a sender or a URL, but not both at once.
Excluding specific sender addresses

Add the sender address to the Safe List. LinkScan will not rewrite URLs in any emails from this sender.

Excluding URLs

Create an exclusion for the URL by create a new set of Custom Rule Data.

  1. Visit your USS Dashboard and click ProductsE-mail SecurityCustom Rule Data.
  2. Click to create new RegEx Custom Rule Data.
  3. Give your new data a sensible name.
  4. In the Value field, add the URL you want to exclude from LinkScan processing.
You'll need to add the URL in a regex format. For example, apple.com would become \b(apple\.com)\b. Make sure that you escape any period characters (.) in the URL with a slash (\).
Using the \b boundary will make the URL case sensitive with detection. To remove any case sensitivity you need to precede the regex with (?i). An example entry would be:

(?i)\b(apple\.com)\b|\b(www\.microsoft\.com)\b

This will match on Apple.com and apple.com as well as www.Microsoft.com
If you want to add other URLs to this Custom Rule Data, the best way to do so is to append the new URL to the existing data, separated by the | character. For example, a RegEx to bypass apple.com and www.microsoft.com would be \b(apple\.com)\b|\b(www\.microsoft\.com)\b.
You can test your new RegEx at https://regex101.com/ to be sure it performs the way you expect.
  1. Click to save this new Custom Rule Data.
  2. Navigate to ProductsE-mail SecurityMessage Rules. Double-click the LinkScan Rule to open it for editing.
  3. Add a new Body Condition. Set the Logic to Does Not Match and the Value to the new Custom Rule Data you created.


How did we do?