Email, Spam Control, URL defense, re-writing
In an effort to reduce the occurrence of malicious URLs for our Campus email customers, Technical Services has implemented Proofpoint's Targeted Attack Protection (TAP) service. This service verifies the URLs in email are not malicious and then it rewrites the URL to reflect it has been verified by our Spam Control service.
How does it work?
This service automatically scans incoming email for hyperlinks and rewrites them with special URLs. These new URLs allow Proofpoint to check the original URL before actually sending the reader to that web page.
If Proofpoint checks the intended web page and discovers that it is being used for malicious purposes such as phishing scams or delivering malware, the email reader will not be taken to the malicious web page. They will instead see a message saying that the web page was malicious and blocked.
The most noticeable piece of this service is the URL labelling. All rewritten links will have the website's domain added in square brackets after the link to show where the link points to. After clicking on a rewritten link, web pages should load with little or no noticeable delay — unless, of course, the link was to a malicious web page in which case it will be blocked.
This will only affect email passing through the Campus Email Relays from outside the University of Illinois. Email sent from @illinois.edu to @illinois.edu accounts will not have the URLs rewritten.
What do rewritten hyperlinks look like?
The link text in a message will stay the same, with the domain of the URL added in square brackets as a label to alert you where the link points.
When you hover over a link that has been rewritten, you will see that https://urldefense.proofpoint.com/v1/url?u= has been added to the beginning of the link and a string of letters and numbers have been added after the link. To hover place your cursor over a link without clicking it.
Please remember that this does not rewrite URLs for emails sent between @illinois.edu accounts. You will only be able to hover over links and see rewritten URLs if the email was sent from outside the University of Illinois.
What does a blocked web page look like?
If a URL has been determined to malicious, then you will receive similar to the one below when you click on the link.
What should I do if I click on a link and the page is blocked?
Once a page is blocked, there is nothing more that you need to do. This page will also be blocked for all other customers.
In addition, it is not necessary to report to Tech Services or the web site's administrator that the page has been blocked. However, if a page has been blocked and is not malicious, a false-positive, then please send an email to email@example.com with the details and we will review it with the vendor to determine if it's a false-positive and update the URL as needed.