In URL Protection you can choose what happens to messages that contain malicious links.
Malicious URL scan
Messages that contain known and verified threats are separated into those that contain known malware or viruses, and those that contain known malicious links.
In Malicious URL scan you can choose what to do with messages that contain malicious links.
If you select Include in End User Quarantine, messages can be checked, released, or deleted by your users. See End User Quarantine.
Time of Click URL Protection
This is available with an Email Advanced license only and is turned on by default.
When Time of Click URL Protection is turned on, URLs contained within inbound messages are rewritten to point to Sophos Email Security instead of the original destination.
When you click the link, Sophos Email Security performs an SXL lookup, and if it's malicious, it's blocked. If the URL is clean, the action taken when you click the link depends on what you've specified in your policies. For example, if you've set medium risk websites as allowed, when the link is checked and classified as not malicious, the link takes you to the original link destination.
If you hover over a rewritten link you can see the destination domain name at the start of the rewritten URL, in the format
d=domain.com. This means you can see where the link goes to.
Here's an example of a rewritten URL, with the domain highlighted after the Sophos server address.
Sophos Email Security can't re-evaluate an URL after it has been rewritten by another product.
You can select the action you want to take for websites with the following reputation levels:
- High risk: Includes illegal sites, sites containing malware, and phishing sites.
- Medium risk: Includes sites associated with spam and anonymizing proxies.
- Unverified: The reputation of the website can't be verified.
You can't allow high-risk websites.
URLs you add to the Time of Click allow list are never rewritten at time of click.
You can also control whether URLs are rewritten in plain text messages and within securely signed messages:
- Plain text messages: refers to emails with no HTML formatting. Without HTML formatting, the entire encoded URL shows in the email when URL rewriting is turned on. You can bypass URL re-writing in these messages by deselecting the Re-write URLs in plain text messages. option.
- Securely signed messages: URL re-writing may break the signatures of S/MIME, PGP, and DKIM signed messages. You can bypass URL re-writing in these messages by deselecting the Re-write URLs within securely signed messages. option.
Be careful if you choose to bypass URL re-writes, as URLs in these messages won't be protected.
See URL allow list.
If you turn on Time of Click URL Protection, and are using a Google email server, you may see DMARC failures reported for inbound messages.
This might be because Google doesn't consistently process emails from IP addresses in its Gateway IPs list. To check your email settings and find out more, see Restrict delivery to Sophos IP addresses.
We also quarantine messages that contain a very large number of URLs. The quarantine reason is Unscannable content. If you release one of these messages it's delivered and the URLs aren't rewritten. For security reasons we don't publish the limit we use.