Skip to main content
My preferencesSign out
Proofpoint, Inc.

Troubleshooting issues with URL Defense

Situation URL Defense will defend against malicious and potentially harmful URL’s contained within emails.
  • URL Defense is not re-writing emails with DKIM signature.
  • DKIM signature is broken by URL re-writing.
  • You noticed that URL Defense is not re-writing links for some emails.
  • What are all the additional characters in a defended URL.
Solution URL defense feature has some exception that can be configured according to customer needs. Make sure after you enable Attachment Defense which exceptions you want to add into customers.
  1. URL Defense and DKIM signature.
  2. URL Defense Exceptions.
  3. Reading a defended URL.
  4. URL Defense Decoder

 

URL Defense and DKIM signature

By default URL Defense will re-write URLs that are located in DKIM signed emails. This will provide needed security for URLs, but will break the DKIM signature in these emails.  To use URL Defense for unsigned emails and preserve DKIM signing for signed emails, you will need to disable this setting. 

  1. Login with your admin credentials into Proofpoint Dashboard.
  2. Under Security Settings, click Malicious Content tab.
  3. Under Malicious Content, click URL Defense tab.
  4. Check the box: Re-write URLs that are located in DKIM signed messages.

clipboard_e199a5643c3cf1cb98ae6311dd2e1d25f.png

URL Defense Exceptions / Safe-list

URL Defense can be configured so that it doesn't have to re-write all links in emails. 

Exclude url's within Security awareness emails

  • This adds URLS associated with that product (Security Awareness) and exempts them. 

This only shows for customers that have our Security Awareness product.

Re-write URLs that are not located in an anchor tag

  • This will re-write URL’s that are not included in an anchor tag
  • Example: not included in <a href="proofpoint.com”></a>

Exclude URLs that contain specified domains/IP addresses:

  • URL’s will not be re-written that contain the specified Domains listed/IP addresses
  • Enter your domain list separated by line, comma or semi-colon

Exclude active domains associated with this organization:

  • This will exclude re-writing URL’s for emails from domains associated with the organization's account
  • Check the box to enable this option

Exclude re-writing emails that are sent by specified senders:

  • This will not re-write URL’s that have specified senders email addresses listed
  • Enter specific email addresses list separated by line, comma or semi-colon

Exclude re-writing bare IP addresses in plain text emails:

  • This will not re-write bare IP addresses in plain text emails
  • Check the box to enable this option

Exclude re-writing URLs in plain text emails:

  • This will not re-write URLs contained in plain text emails
  • Check the box to enable this option

Case condition re-writes

For the above, please ensure to note the considerations here:

Text has hyperlink - entire URL is re-written

Text URL matches hyperlink - entire is re-written

Text URL does not match hyperlink -  original hyperlink is missing, text URL is re-written and given as new hyperlink.

 

Solution to last scenario - Need to exempt the sender or base URL

Reading a defended URL

Example

  • Original URL:
    Original URL: http://www.google.com
    
  • Defended URL: 
    Defended URL:  https://urldefense.proofpoint.com/v2/url?u=http-3A__www.google.com&d=DwMBaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=U7dT0lFTeyLPTT18j4jTT-QA0_6S0SNyKKRkIm_J6m0&m=phBCMPbh8b9Q8KZOis22AQ2dvsY8EX3owRM-4hZtz1o&s=tyrC6QslpNIWXiCLUXJEbjm0oo5vBoSwGrVYEhO1xBw&e=
    

All fields except the URL are encrypted.  The information embedded in the URL is as follows:

  • u – the original URL
  • d – a set of debug flags
  • c – a PPS cluster ID
  • r – the recipient of the message
  • m – a message identifier
  • s – a digital signature to prevent tampering
  • e – a blank parameter to signify the end of the rewritten URL

Warning When Malicious URL is clicked

Blocked URL link change

When you visit a URL and see the site below, the URL itself changes. If you are contacting support in regards to a false positive on the URL, we require the original link from the email, not the one currently in your browser address bar.

proofpoint-url-defense-block-page.png

Other issues with URL Defense

Redirect-Services: Admins can find the an URL is being blocked if they are on VPN or hot spot:

Possible reasons:

  • Browser is configured to a higher security. Check security in browser Settings
  • There is an additional wrapping redirect around your email links. Platforms like Outlook can add an additional redirect for security purposes. 
  • Also It is possible that customer's has network security or firewall that can be causing this. Customer should contact their network security team to review an allow urldefense.proofpoint.com if possible

Office 365 Auto-Add Calendar Items

Currently, URL Defense will cause Office 365 to not auto-add calendar items. 

For reference, here is a link containing items that the Office 365 feature will auto-add: https://support.microsoft.com/en-us/office/supported-senders-for-events-from-email-in-outlook-2c447af8-9e6c-481b-85df-e6d95325d6fd?ui=en-us&rs=en-us&ad=us

clipboard_ebb7bca8bf64ff0d082a29a3f390c591c.pngYou can utilize the exemption lists to add specific domains or senders (even IP addresses) of trusted resources that will allow the mail item to not be triggered by URL Defense. This can be found in the left hand menu bar under Malicious Content > URL Defense (for the packages that offer this feature AND the feature is currently turned on). 

You can adjust the links using the top option regarding the contents within the link itself via "Exclude URLs that contain specified domains/IP Addresses" or you can list the senders themselves in the section titled "Exclude re-writing emails that are sent by specified senders" in order to exempt the sending email itself. 

 

Support Escalation

If you would like to contact Support for a URL Defense issue that is not described above, please be prepared to provide the following:

  1. Original copy of the email (not forwarded, as it may properly defend all URLs after forwarding). -- We will need it downloaded as an attachment and most likely zipped, password protected, and uploaded to the ticket.
  2. A screen shot of which specific URL is not defended in the email. -- If the email contains multiple URLs, Support will need to know exactly which URL they are being asked to review.

URL Defense Decoder:

There isn't a Proofpoint URL Defense Decoder available to Essentials customers.  However, searching for "URL Defense Decoder" will pull up decoders that have be posted by our partners.