Dynamic Link Scanning

What is Dynamic Link Scanning?

Dynamic Link Scanning, also popularly known as URL Rewriting, Time-of-Click Analysis and Click-Time Verification, is arguably the most valuable of the post-filter services that UpStream provides.

Dynamic Link Scanning protects against a very cunning type of attack, wherein links contained within emails lead to perfectly innocuous websites at the time they are sent, in order to bypass email filters that check each linked website out for malicious content.

However, seconds or minutes after such an email is sent, scanned and delivered to the recipient, the linked website’s page is changed to one with malicious content by the attacker. When the user then clicks on that link, they become susceptible to whatever the attacker has in store for them, whether that’s malware, drive-by downloads, credential harvesting or worse.

How does Dynamic Link Scanning work?

For every email that comes through UpStream, all links are being checked already via the Anti-Phishing and Anti-Virus engines, along with deeper analyses in the Sandboxing phase. Dangerous links are already seized at this phase and blocked entirely, with any links deemed safe rewritten with a special nested URL that triggers a real-time scan of the destination webpage when clicked by the user.

This real-time scan, or dynamic link scan, takes place upon any click of a rewritten URL, both from the time after the user received the email and well into the future, ensuring that no matter when the link is clicked, the user will be protected.

The linked page is automatically scanned for threats by UpStream’s regular protection stack and if the website is found safe (especially any scripts or redirects it may have), the user is automatically directed to it as per normal and without any onerous delays that many other services have. If the website is found to be dangerous however, the user will be blocked from navigating to it further with a customizable page specifying the danger and, at an administrator’s discretion, presented with additional options on what they can do.

UpStream’s version of Dynamic Link Scanning is known as Link Lock, with the idea that any “link” has been locked away and our dynamic scan of the linked website triggered upon clicking that link instead.

Key Features:

●     Time-of-Click Protection: Scans all inbound email links at the exact moment they are clicked, ensuring safety prior to access.

●     Comprehensive Coverage: Links remain fully protected at all times, regardless of when the email was received or clicked.

●     Proven Availability: Deployed across multiple AWS regions and availability zones for fast, reliable service.

●     Customizable Security Policies: Organizations can set “allowed URLs” lists, ensuring flexibility and control over internal security policies.

●     User-Friendly Alerts: If a link is identified as malicious, users are redirected to a warning page with options for safe navigation. These alerts are fully customizable by the organization.

●     Seamless Integration: This additional layer of security does not disrupt a user’s workflow.

What can Dynamic Link Scanning do for me?

Dynamic Link Scanning’s protection is one of the most potent mitigation techniques for phishing, spoofing and various malware delivery sites, protecting your users even after the emails are delivered.

Preventing even one phishing attempt can save an administrator a major headache and weeks to months of recovery and damage control, let alone the hundreds to thousands of these that could be encountered daily for each organization.

As the popular cybersecurity saying goes: “the enemy only has to succeed once; defenders must be ever-vigilant.”

An example of a URL that has been rewritten by Dynamic Link Scanning is below.

Hovering over the original link shows a newly embedded dynamic analysis link that checks the site before allowing the user to reach it, and if malicious content is found, bars them from accessing it.

Customize the logo, block page header text and message warning the user about the dangers of what they clicked on for on-the-fly education of the user not to just click anything they are sent without due diligence.

Specify whether you’d like the user to see the URL they were blocked from going to or not, and offer the ability to Continue to the Site if needed.

What does it look like when someone clicks on a rewritten link?

Two different example block pages of what happens when a user clicks on a link that leads to a malicious website are pictured below.

Selecting the Show More link provides visibility into the actual endpoint URL and can offer the ability to continue to click through, if needed. Both options are entirely configurable.