URL Defense is a feature that modifies the links received in email from external senders to protect UW-Madison from malicious websites. The modification made to the email is commonly referred to as URL or link re-writing. What follows are some of the questions that have been raised by campus or that we anticipate as we roll out this new feature.
What does a re-written URL look like?
URLs that have been re-written by URL Defense on our secure email gateway always start with “https://urldefense.com/v3/__”
In an HTML email or document you will not see the rewritten URL unless you hover over the link in the message. Most clients will display the underlying link at the bottom left of the viewing pane.
An example of a re-written link to YouTube is shown below:
https://urldefense.com/v3/__https://www.youtube.com/__;!!Mak6IKo!OLXijV0zx-sJrLqo1ZW7lMnqVB6TjojOEun9W9UP8pyjYjZ_YwBCZjE-5nw3FQfeqzUwNNf0Yh5EmohAwRk7IOQ$
In plain text messages the re-written links will be clearly visible in the body of the message.
What causes a URL to be re-written?
For a URL to be re-written the link and email message must meet the following criteria:
- The email message was received from an email sender outside of our UW-Madison M365 environment.
- The email message was not cryptographically signed (PGP or S/MIME).
- The URL was to a 3rd party website and not a UW-Madison hosted site.
Messages sent internally between UW-Madison M365 accounts are not evaluated by URL Defense.
How do I see the re-written URL?
If you hover over a link in an email message without clicking on it, the destination address should appear in the lower left corner of the client or browser window. You can use this technique to check the destination of the underlying link and see if the link has been re-written by URL Defense.
What will it look like if a URL is blocked?
If the URL is blocked the link will redirect you to a support page that states that the web site has been blocked. A screenshot of what you will see is shown below:
What if I think a URL is blocked in error?
Keep in mind that even a website that you are familiar with may be compromised and the block may be temporary. If you feel that you are being blocked inappropriately you can open a case with DoIT Help Desk. Please include the following information regarding the email that contained the link:
- Date/Time the message was received
- Sender’s email address
- Subject
- The URL Defense link that is being blocked
We will investigate the message and the link. If we determine that the block is invalid, we will open a case with vendor support to resolve the block.
Will I have a problem receiving one-time links?
Testing suggests that one-time links are typically compatible with URL Defense.
However, if you run into a situation where one-time links are being explored and broken, you can open a case with DoIT Help Desk. Please include the following information regarding the email that contained the link:
- Date/Time the message was received
- Sender’s email address
- Subject
- The URL Defense link that is resulting in an error
I am being redirected to a Proofpoint Error page - what do I do? Browser Troubleshooting
There are a few different issues that can cause you to be redirected to a Proofpoint Error page (different from the Block page).
- Using an unsupported browser can result in errors. Please check that you are using one of the supported browsers. See Email Security: URL Defense - Supported Browsers.
- Even in a supported browser, extensions or plugins can also interfere with URL Defense and result in a redirect to an error page. Please try disabling any extensions or plugins.
- Sometimes a browser or mail client does not correctly click the entire URL. To work around this issue, copy and paste the URL in its entirety into the web browser address bar.
If you are using a supported browser and have tried the workarounds listed above and you are still experiencing an error, you can open a case with DoIT Help Desk. Please include the following information regarding the email that contained the link:
- Date/Time the message was received
- Sender’s email address
- Subject
- The URL Defense rewritten link that is resulting in an error.
What about cryptographically signed messages with PGP, S/MIME or DKIM?
Email messages that are cryptographically signed with PGP or S/MIME will not be subject to URL Defense re-writing.
DKIM signed messages may have their URLs re-written by URL Defense. Changing the URL in a DKIM signed message will break the signature. This could impact deliverability of messages that are automatically forwarded to external destinations.
What if I forward a message I received with a re-written URL?
If you forward an email that contains a re-written link, the recipient will also see the URL Defense modified link. If the website is determined to be malicious it will be blocked for you and any colleagues who receive the forwarded message.
Automatic forwarding and inbox-rule redirects will also contain URL Defense modified links.
Please be aware that forwarding can result in delivery failures and is not recommended by the Microsoft 365 team. See Microsoft 365 - Set/Manage a Forward on a NetID or Service Account
I received a Google groups message and the URLs in the message were re-written, why?
Email sent from Google Groups are received by our Secure Email Gateway and are subject to URL Defense analysis and modification.
I received an email from an external sender but the URLs were not re-written, why?
There are a few reasons why a URL in an email from an external sender might pass through URL Defense without being re-written.
- Websites that use a subdomain of wisc.edu or any other domain hosted by UW-Madison Office 365 are not subject to URL Defense.
- Links to certain UW-Madison enterprise services also bypass URL Defense (e.g. uwmadison.box.com, uwmadison.zoom.us, etc)
- UW System Phish Training messages are not subject to URL rewrite or spam scanning in general.
- Depending on how the message was received, if any UW-Madison recipient on a message has been exempted from URL Defense, the URLs in the message may not be re-written for all recipients. This includes blind copied (bcc) recipients.
I received an email from a UW-Madison sender and the links were re-written, why?
Messages that appear to be from other UW-Madison Office 365 senders can originate from either servers hosted on-campus or 3rd party services that are approved to send on behalf of UW-Madison subdomains (e.g. doit.wisc.edu). Messages received from those senders are scanned by our Secure Email Gateway and are subject to URL Defense modifications.
Additionally, not all wisc.edu domains are hosted in UW-Madison Office 365. Many groups like Athletics (athletics.wisc.edu) and Icecube Neutrino Observatory (icecube.wisc.edu) maintain their own email servers. Messages from those email addresses are scanned by our Secure Email Gateway before they are delivered to UW-Madison Office 365 recipients.
I received a phishing message from a compromised UW-Madison account, the URL in the message was not re-written
Unfortunately we continue to face issues with compromised UW-Madison Office 365 accounts. Messages sent from internal compromised accounts are not scanned by our Secure Email Gateway and are not protected by URL Defense.
How do I see the original URL/Link
URL Defense is intended to provide another layer of protection against potentially malicious URLs. However, we recognize that some workflows require access to the original link or URL. Campus has access to a URL Defense Decoder that can be used to extract the original link from the URL Defense wrapped link.
How do I disable URL Defense?
URL Defense is enabled at the Secure Email Gateway for all UW-Madison Office 365 accounts. There is no option for you to disable URL Defense for your account. If you are experiencing a technical issue with URL Defense you may open a case with DoIT Help Desk. Please include the following information regarding your issue:
- Description of the issue you are encountering
- Impact on your workflow and any workarounds you have tried
- Example message that includes the problematic link or links
- If there are multiple links in the messages specify which URL Defense rewritten link is causing the issue
