Proofpoint Targeted Attack Protection URL Defense

Last updated: September 19, 2022

What is Proofpoint?

UW-IT has deployed Proofpoint, a leading email security vendor, to provide both spam filtering and email protection.  

In an effort to protect University Of Washington users, UW-IT has rolled out a feature within the University’s e-mail security product called Proofpoint Targeted Attack Protection (TAP) URL Defense.

Targeted Attack Protection

Proofpoint’s Targeted Attack Protection (TAP) helps protect against and provide additional visibility into phishing and other malicious email attacks.

How URL Defense Works

URL Defense scans incoming e-mail for known malicious hyperlinks and for attachments containing malware. This feature rewrites scanned URLs to Proofpoint’s standard URL format https://urldefense.com/. Once a link is rewritten, it is analyzed for any potential malicious content. If categorized as malicious you will be redirected to a block page upon accessing the link in your browser. URL Defense works behind-the-scenes, which means you do not need to do anything to activate or take advantage of the system.

How Does TAP Work?

Re-written links start with https://urldefense.com/.  The visible link text will appear in brackets (as seen below). If you hover your mouse over the link you can see the re-written link, as shown below:

Bracketed link:

When you hover over the bracketed link:

 

If you receive Plain-Text e-mails

When URL Defense detects a hyperlink in a plain-text e-mail (non-HTML), it will rewrite the URL in plain text. In this case, you will see the rewritten URL directly in the body of the e-mail. E-mails with HTML or rich text are most common, so Plain-Text rewrites will occur infrequently.

Blocked Messages

When you click a URL in an email message, the URL is redirected to Proofpoint’s cloud service. If the URL is not known to be malicious, you will be automatically redirected to the original URL. If the URL is malicious, you will see a warning message, and the site is blocked in your browser.

The block page will look similar to this:

If you forward an e-mail with a re-written link

Once URL Defense has rewritten a URL, if the message is forwarded or replied to, the URL will remain rewritten. Additional links added to the message being replied to or forwarded will not be rewritten.

What if a link was wrongly blocked and you actually need access? 

If a link is blocked, you can request the link be reviewed and the block removed if the website is not malicious. To request a review send an email to help@uw.edu with “URL Rewrite Block Removal” in the subject.

Is there an exception process for some URL’s to not be re-written?

At this time there are no exceptions for URL re-writing, in order to protect University assets and create a secure email environment all URL’s will be re-written. Currently, domains that end in uw.edu or washington.edu will not be rewritten but we are working with our vendor to re-write these as well.

PLEASE NOTE: While ProofPoint’s URL Defense mitigates the threat of malicious links in email, it doesn’t guarantee that every link contained in the incoming, external email to @uw.edu is safe to click. Please continue to exercise caution when inspecting URLs embedded in email.