Prevention at First Sight: Email Security Beyond URL Rewriting

In the age of evasive quishing and GenAI powered cyber attacks, email security remains a critical battleground for organizations. One prevalent method employed in this fight is URL rewriting, also known as “time of click protection”. This technique, which is widely used by legacy email security solutions like Secure Email Gateways (SEGs) and even by some newer next-gen solutions like Avanan, focuses on modifying all links within email messages to enhance security.

URL rewriting involves altering every URL in an email in order to redirect through a security server or checkpoint before reaching its intended destination. It has two main purposes: analyzing the link against known threat databases, and verifying its safety before allowing end users to access it. This approach, while effective against certain types of malicious links, often gives organizations a false sense of security. The reliance on static detection means that only known threats are intercepted, leaving a gap for novel or evasive attacks to slip through.

While this method has been foundational in email security, it is increasingly challenged by the dynamic nature of today’s threats. Attackers are constantly devising new strategies to bypass traditional defenses, making it imperative for email security solutions to evolve. This is where advanced techniques like dynamic URL analysis come into play, representing a significant shift from the reactive nature of URL rewriting to a more proactive, real-time approach in threat detection and prevention.

In this blog, we delve deeper into the limitations of URL rewriting and explore how dynamic URL analysis offers a more robust and effective solution to counter modern, email-based attacks.

How does URL link rewriting work?

To understand the innate limitations of URL rewriting, it’s important to first discuss how it actually functions across various email security solutions, like Proofpoint’s URL Defense or Mimecast’s URL Protection.

Universal function in email security:

URL rewriting involves altering the links within inbound emails, and redirecting them through the security system’s network for scrutiny. For end users, interacting with a rewritten URL can be confusing. When hovering over a link in an email, instead of seeing the original URL, they see a modified and unfamiliar link, often lengthy and complex, pointing to the security vendor’s domain. 

Analysis upon end user click: 

The critical analysis of rewritten URLs occurs when a user clicks on the links. This involves:

1. Threat database comparison: Links are also checked against a database of known malicious URLs.
2. Rules and policies: Links are assessed against predefined security criteria, which vary based on the solution and administrative settings.
3. Configurability and decision making: Solutions provide adjustable scanning intensities. Based on these settings, when a user clicks a rewritten URL, they are either warned and blocked if the link is malicious or allowed access if it’s deemed safe.

The limitations of URL rewriting 

After establishing how URL rewriting functions in email security, we can examine its drawbacks. 

Redirecting all email users to a trusted server buys the security vendor some time to assess whether the URL is malicious or clean but it also comes with major limitations. These limitations not only impact the effectiveness of this method but also highlight the necessity for email security solutions that can analyze and stop attacks at first glance, without the need to rewrite every URL.

1. Dependency on Known Threat Databases

URL rewriting primarily relies on databases of known phishing and malware attacks for threat detection. This poses a significant limitation: it fails to detect new, zero-day attacks and often results in high rates of false positives. As cyber attackers continually devise new tactics, URL rewriting struggles to keep up the pace, allowing emerging threats to bypass detection.

2. Ineffectiveness Against Sophisticated Evasion Techniques

Advanced attacks, in which malicious URLs are cleverly disguised behind legitimate ones or dynamically generated, often evade detection by URL rewriting systems (these systems may skip scanning URLs from “Allow Lists”). Sophisticated threats like two-step phishing require more advanced detection capabilities than what URL rewriting can offer.

3. Delayed Response Time to Threats

The mechanism of URL rewriting is inherently reactive. It only analyzes a URL when a user interacts with it. In case of an unknown malicious URL, this delay means that the initial line of defense is bypassed, users are compromised, and incidents must be remediated and reported (so it can be blocked in the future). It is sometimes simply too late to place the burden of threat detection at the point of user interaction.

4. User Experience and Hindered Security Awareness

From the end user’s perspective, URL rewriting can cause confusion. Encountering unfamiliar, modified URLs may lead to uncertainty and mistrust, particularly when legitimate and trusted links are changed. This confusion can undermine users’ confidence in the security system and  also impacts their education. When every URL is altered to look uniform, it becomes challenging for employees to learn and differentiate between what’s safe, risky, or outright dangerous.

5. False Sense of Security

Organizations using URL rewriting may develop a false sense of security. The belief that all URLs are effectively monitored and sanitized can lead to complacency, overlooking the fact that not all malicious URLs are known or can be detected through this method.

6. Increased Latency and Performance Issues

Redirecting URLs through out-of-band security servers can cause latency. This additional processing time, while seemingly minor, can accumulate, leading to slower email delivery and a downgraded user experience. Furthermore, when the security vendor’s URL servers are oversaturated or down, incoming URLs cannot be rewritten/will not work. This may result in business downtime. 

By understanding these limitations, it becomes evident why URL rewriting, while useful in certain contexts, is increasingly insufficient in the face of modern, advanced threats. The next sections will explore how dynamic URL analysis addresses these shortcomings, offering a more proactive and comprehensive approach to email security.

Dynamic URL Scanning: Taking Action In Real Time 

While SEGs and other email security solutions rewrite every URL in order to let the emails flow and make tough decisions later on, Perception Point blocks malicious URLs at “first sight,” preventing them from ever reaching the end users’ inboxes. In stark contrast to the delayed, reactive nature of traditional URL rewriting methods, Perception Point’s approach of scanning URLs dynamically represents a significant paradigm shift and advancement in email threat prevention. 

Using the proprietary Recursive Unpacker engine, Perception Point’s Advanced Email Security extracts and clicks URLs sent in the body of emails or inside attachments to analyze their content and behavior in real time using multiple AI and machine learning detection models. These include: 

• Two-Step Phishing: An object detection model examines webpages to recognize clickable elements for further scanning (evasion: end users are first presented with a trusted page; clicking an element within it redirects them to the malicious payload). 

• Login Forms Detection: Computer vision models detect input boxes and login forms; crosscheck them with the URL and identify anomalies and prevent credential theft.

• Brand Recognition: Comparing email/URL/file screenshots/images/URL favicons to logos and visual assets of known brands to detect spoofing and phishing. The data is analyzed against known ‘clean’ images (e.g. official Microsoft logos) and known ‘malicious’ ones (impersonation attempts caught by Perception Point).

• Domain Lookalike and URL Lexical Analysis: S-GLocal algorithm incorporates heuristic biological algorithms and modifies them to identify domain lookalikes and impersonation attempts. The ML model analyzes the URL structure to find similarities to malicious URLS and to predict whether or not the link is malicious.

• HAP™: The “Sandbox Killer”, Perception Point’s patented technology provides near real-time prevention of never seen before attacks like Zero Days and N-days using CPU level dynamic scanning.

• GenAI Decoder™: LLM-based model utilizes transformers to recognize the patterns in AI-generated text and detects malicious social engineering attempts in the email text.

Comparative Analysis: URL Rewriting vs. Dynamic URL Scanning

Dynamic URL scanning involves real-time analysis of the content and behavior of URLs and web pages, offering several key benefits over URL rewriting:

• Ability to detect new and sophisticated threats through behavior analysis.
• Reduced false positives and negatives by examining actual content.
• No significant latency, as the analysis is rapid and efficient.

To put these benefits into perspective, let’s examine a side-by-side comparison of the two methods. This table showcases how real-time analysis, accuracy in threat detection, and efficiency make it the much better choice.

Feature	URL Rewriting	Dynamic URL Analysis
Detection Method	Static, based on known threat databases	Real-time, behavior-based analysis (allowing for in-line scanning and prevention)
Threat Identification	Primarily known threats	New and sophisticated threats, including zero-day attacks
Accuracy	Higher likelihood of false positives and false negatives due to reliance on static databases	High accuracy, resulting from  detailed content analysis
Latency	Can introduce delays due to redirection and analysis	Minimal, with rapid and efficient processing
User Experience	Often leads to confusion due to altered URL appearance	Maintains original URL, preserving user familiarity
Adaptability	Limited, depends on database updates	Highly adaptable, continuously learning and evolving
Educational Value	Low, hinders users’ ability to recognize threats	High, aids in user education by preserving URL integrity

This table illustrates why dynamic URL scanning is increasingly favored in the realm of email security. Its capabilities in handling modern cyber threats, combined with its efficiency and user-friendly approach, make it the obvious choice to defend an organization’s email and modern workspace. 

To learn more about Perception Point Advanced Email Security, contact us today!