Malicious URL link-based attacks are tried and tested methods for threat actors to compromise information systems. Although legacy Secure Email Gateway (SEG) vendors offer URL link rewriting protection – also referred to as time-of-click protection – there are significant limitations in the degree of protection provided by this security control.
Unlike behavioral cybersecurity solutions like Tessian that dynamically and in real time scan all of the content in an email, including URL links and attachments, SEGs rely on a manual, rule-based threat detection approach. But with this approach, your protection is only as effective as the rules and policies you have created, combined with the relevancy of your threat detection engine.
The static approach to malicious URL link detection by SEGs explains why zero day threats often get through defenses. And the lack of machine learning scanning capability also explains why threat actors are able to successfully hide malicious URLs either as attachments or even in plain text.
For example, APT 39 successfully leveraged malicious URL links that were hidden or attached in phishing emails to carry out an elaborate espionage and data gathering campaign, across multiple jurisdictions. Similar attacks are usually but not exclusively motivated by credential harvesting for Account Takeover (ATO) purposes.
How URL link rewriting protection works
SEGs that offer URL link rewriting typically scan and rewrite URLs that are contained in any inbound email via its own network. This means all links contained in any email received through the gateway are rewritten via the email security vendor’s system.
URL link rewriting detects malicious URL links at the time of a user clicking on the link by analyzing the link against key criteria specified in the security rules and policies, as well as against its threat repository of known malicious URLs.
When it comes to the security rules and policies, SEGs require the security admin to set the degree to which URL categories are scanned and also allows select email groups in an organization to be included or excluded. The scanning intensity settings typically range from relaxed, moderate to aggressive.
If a URL link is determined to be malicious based on rules and policies, as well as the reputation of the link, the end-user will be notified and warned against accessing the malicious URL.
Five shortcomings of URL link rewriting protection
1. URL link rewriting is an overly manual security control prone to human error
URL link rewriting or time-of-click protection requires a significant degree of manual security rule and policy orchestration. Due to the post-delivery approach of allowing malicious URLs to be delivered and only scanning URLs upon being clicked, without well-configured URL detection rules and policies, the security effectiveness of this static control is significantly compromised.The static nature of URL policy and rule orchestration also opens up the probability of human error introducing security risk, by either failing to set the appropriate degree of URL scanning intensity, or failing to include appropriate user groups.
2. URL link rewriting is ineffective at protecting against zero day attacks
URL link rewriting offers protection against known threats only. It offers limited protection against zero day attacks. For example, registering new domains or hijacking existing “trusted” domains are popular methods of evasion by threat actors. Once the threat actor has evaded security controls aka passed through the gateway, they have unfettered access to end-users who are under the impression that the email and included URL link has been scanned and is safe. Usually only after a successful compromise is the malicious URL threat detection engine updated.
3. URL link rewriting lacks the intelligence to detect advanced phishing subterfuge
Threat actors find sophisticated ways to obfuscate malicious URLs. They typically do not include malicious URLs in the email but often hide them in “safe” URL redirects or in attachments that are not commonly used, or are outside of the security policy ambit. Upon opening the file or clicking on the URL link, victims are taken to what appears to be a legitimate website, which redirects to a malicious website appearing as a trusted services provider.
4. Protection starts and stops at the gateway
URL link rewriting can be deployed from within the organization via a lateral phishing attack. Malicious URLs can be deployed from trusted sources within the organization and thereby misses the gateway protection.
5. If all you have is a hammer, everything looks like a nail
URL link rewriting offers no protection against cross-site scripting (XSS) attacks. In this type of attack, threat actors will send a benign looking URL link to a victim, usually from a legitimate but recently compromised website. Here the threat actor is able to capture credentials from the victim, for example on a log-in page of the compromised website. Legacy email security solutions would have determined that the link is “safe” even if the email was received from an unknown or suspicious party.
The need for intelligent email security
Email-based attacks remain the overwhelming favorite vector for attack. The forever evolving and advancing nature of email based threats has placed the effectiveness of legacy email security controls into sharp focus.
With its static orchestration and binary threat detection approach, URL link rewriting is the embodiment of legacy approaches to addressing email security risk. Simply stated, this security control is no longer fit for purpose in a dynamic threatscape, where threat actors are continuously honing their capabilities at circumventing rule-based security controls.
Only by leveraging email security solutions that have machine learning and contextually aware scanning capability, can you significantly improve your email security posture. See why CISOs at some of the leading organizations around the world are selecting Tessian as the advanced email security provider of choice. Book a demo now.