Targeted Threat Protection - URL Protect - Verifying a URL

This guide describes how administrators can verify a URL that has been rewritten by Targeted Threat Protection - URL Protect. This is important, as the original URL can tell you a lot about where you are about to go.

Overview

  • You can also report these URLs via the Report tab within the URL Logs, which sends them to our Security Team for reclassification if you deem them safe.
  • Suspicious redirects: Multiple redirects or redirects to unfamiliar domains may indicate malware or phishing attempts.
  • Unfamiliar or suspicious URLs can be checked with a service like Virus Total, for example when the original domain differs significantly from the destination domain, or when links differ significantly from the official website of the purported sender. The service reports whether the URL is flagged as malicious.
  • You can also check URLs via Check & Decode URLs in the Mimecast Administration Console.
  • Alternatively, URLs that haven't been rewritten by URL Protect can be verified by other methods, such as using a search engine (Google, etc.) to check if the link is associated with known phishing or malware attacks or by using a service like Virus Total.

Verifying a URL

You can verify a URL by using the following steps:

  1. Right-click the URL.
  2. Click Copy Hyperlink.
  3. Paste the URL into your browser, but add a + to the end. For example, if the following protected link is issued:

    https://url.uk.m.mimecastprotect.com/s/F6rYCAW0hl6wn3CQg3QZ

    Add a plus sign at the end:

    https://url.uk.m.mimecastprotect.com/s/F6rYCAW0hl6wn3CQg3QZ+    
  4. Press Enter.
  5. Review the Original URL to ensure it is safe to go there. This URL isn't clickable, to prevent access to the URL before our security checks have been performed. Do not copy and paste the exposed link, for the same reason.

If you have the Display URL Destination Domain option selected in your URL Protect definition, the destination domain of the URL will be visible at the end of the rewritten link. For example, https://protect-eu.mimecast.com/s/F6rYCAW0hl6wn3CQg3QZ?domain=exampledomain.com.

When verifying URLs, enter the exact URL as it appears, including or excluding 'www' as necessary, and use the most precise form of the URL.
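The checks above can be applied to a copied link with string parsing alone, without requesting it. The following Python is an added example, not Mimecast code: `triage_link`, `REWRITE_SUFFIXES` and the result field names are hypothetical, and the rewrite-host suffixes and `/s/` path are assumptions taken from the example links on this page.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: rewrite hosts sit under these suffixes and use an /s/ path, as in
# the example links on this page. Adjust for the hosts your own tenant issues.
REWRITE_SUFFIXES = ("mimecastprotect.com", "mimecast.com")


def _under(host, suffix):
    """True if host equals suffix or is a subdomain of it (whole labels only)."""
    host, suffix = host.lower().rstrip("."), suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def triage_link(link, expected_domain=None):
    """Describe a copied link using string parsing only; nothing is fetched."""
    link = link.strip()
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    rewritten = (parts.scheme == "https" and parts.path.startswith("/s/")
                 and any(_under(host, s) for s in REWRITE_SUFFIXES))
    result = {"host": host, "rewritten": rewritten, "preview_url": None,
              "destination_domain": None, "matches_expected": None}
    if not rewritten:
        return result  # not rewritten: verify it by the other methods listed

    # Step 3: the link exactly as copied, with "+" added to the end.
    result["preview_url"] = link if link.endswith("+") else link + "+"

    # Display URL Destination Domain: the value of the ?domain= parameter.
    # It is only what the link displays; step 5's Original URL is still reviewed.
    domains = parse_qs(parts.query).get("domain", [])
    if len(domains) == 1:
        dest = domains[0].strip().lower()
        result["destination_domain"] = dest
        if expected_domain:
            # Whole-label comparison, so "exampledomain.com" does not pass
            # as "example.com" and a look-alike prefix does not match.
            result["matches_expected"] = _under(dest, expected_domain)
    return result


if __name__ == "__main__":
    # Links from this page; the expected sender domain is constructed.
    for url in ("https://url.uk.m.mimecastprotect.com/s/F6rYCAW0hl6wn3CQg3QZ",
                "https://protect-eu.mimecast.com/s/F6rYCAW0hl6wn3CQg3QZ"
                "?domain=exampledomain.com"):
        print(triage_link(url, expected_domain="exampledomain.com"))
```

A host such as `mimecastprotect.com.evil.test` (constructed) is reported as not rewritten, because the suffix must match on whole labels at the end of the hostname.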

Common URL Protection Questions

How can I tell if URL Protection is active?
URL Protection is active when links in emails are rewritten to a specific protection domain (e.g., url.us.m.mimecastprotect.com). If links are not being rewritten, URL Protection may not be active in your email system.

What should I do if legitimate URLs are being blocked?
If legitimate URLs are being blocked, verify the URLs through your browser isolation tool, then add these URLs to your Managed URLs list in the Mimecast URL Protection settings to prevent false positives.

Why am I seeing security warnings for legitimate links?
URL Rewriting can sometimes trigger browser security warnings because links are redirected through an intermediary service. To verify safety, check that the final destination URL matches the expected website.
