Targeted Threat Protection - URL Protect - Embedded Links

This article describes what happens when end users click on URL links embedded in inbound mail. The following behaviors are dependent on the settings configured by your administrator in a URL Protection Definition.
For detailed information on how to configure, optimize, integrate, and troubleshoot, see the Email Security Cloud Gateway Knowledge Hub.

Overview

Mimecast's Targeted Threat Protection - URL Protect service rewrites URL links in inbound mail, including those found in .TXT and .HTML attachments. When a user clicks on a link from a message, a layered security check is performed on the destination site. Following the initial URL check, Mimecast also determines whether the link downloads a file directly and, if so, scans the file for potentially malicious content.

If a rewritten URL is sent outbound through Mimecast (e.g., it is forwarded to an external recipient), the URL reverts to its original, un-rewritten form.

How Does Targeted Threat Protection URL Protect Work

What happens next depends on whether the URL is considered safe or harmful.

  • If the link is considered safe, users are redirected to the original destination site without intervention.
  • If the link is considered unsafe, the messages a user receives depend on the settings configured by the administrator.

When a user clicks on a link, they are initially presented with a security check message in their browser. This message is shown for every URL that is clicked, before any checks are conducted.

  • If the security check is delayed after the user is presented with the initial browser message, an email is sent to their inbox containing further details of the detection. The user is notified of this delay in their browser, so they know to expect the follow-up message.
  • Managed URL only validates initial URLs and does not apply any blocks to redirected URLs.
  • Managed URLs are used in the category scan, and if any of the redirected URLs match, we will mark them as malicious and take the appropriate policy action; if this is set to warn, we will notify the end user rather than block them.

Scanned URLs in Mail and Attachments

If enabled, Mimecast checks to ensure there are no malicious URLs contained in mail and attachments. One of the following actions takes place:

  • If the account has been configured to block all unsafe URLs when they are detected, users are not taken to the URL's destination site. Instead, they receive the notification displayed in their browser.

    The threat is displayed, but users have no option but to close the browser window. They can click on the Show More link in the dialog for more information on why the link was considered unsafe.

  • If the account has been configured to warn users when an unsafe link is detected, the user is not taken to the original destination. Instead, they receive the following notification in their browser, allowing them to choose whether it's safe to proceed.

    The threat is displayed, but users have the option to click on the Accept Risk and Continue button. Safety Tips will also appear at random within these messages to provide additional security information. Users can click on the Previous or Next buttons to view more tips.

Scanned URLs to File Downloads

If the URL File Download check is enabled in the URL Protect Definition, Mimecast scans for potentially malicious content in files that download directly when a user clicks on a link. The following file types are searched for:

  • HTML
  • TXT
  • All Microsoft Office file formats
  • All Open Office file formats
  • Archived files in ZIP, BZIP, GZIP, JS, RAR, TAR, LHA, LZH and XZ format.
  • PDF

Users can download the scanned file via the email notification for 12 hours, after which time they will be taken through the checking process again.

Following the security scan, if one of the file types listed above is detected, one of three actions can take place. This depends on the "Action" settings configured in URL Protection.

  • If the account has been configured to warn users when a file is detected, the user receives the following notification in their browser. They can choose to click on the Accept Risk and Download button to continue if they feel the download is safe.
  • If the account has been configured to block users when a file download is detected, the user receives the following notification in their browser. This page lets the user know that access to the download is blocked, and they should contact their administrator for more information.
  • If you are using sandboxing with Attachment Protect, we'll send the attachment to the sandbox before releasing it to the end user. If the file is determined to be harmful, the block message from point 2 displays. If the file is clean, the following page displays. The user can access the file download directly by clicking on the Download button.

For Journal and Outbound mail, the only option is to sandbox any detected files to determine if they are harmful or safe before notifying the user.

Mimecast URL Scanning Activity

When monitoring IP addresses associated with clicked links in your environment, you may observe activity that does not originate from Mimecast-owned IP addresses or from IP addresses that are listed on this page. As part of the Mimecast threat detection stack, the URL scanning layer can use various third-party vendors, whose IP ranges are subject to change and are not tracked or disclosed by Mimecast. Furthermore, Mimecast employs anonymization techniques to prevent threat actors from recognizing and evading its scanners. To protect Mimecast customers, the associated IP addresses will not be disclosed.
