URL Rewriting in Phishing Email

Created by Antonio Ortiz, Modified on Fri, 11 Sep 2020 at 08:34 AM by Jason Carreiro


Why is the teachable moment URL exposed in my Phishing simulation email?


URL Link Rewriting is a technique used by several email security companies to detect malicious links in emails.  

Example of a URL Defense Proofpoint Link Rewrite:

When a new email includes a URL, the link is rewritten on the fly to add a prefix to the original web address. For example, in the case of Proofpoint's Targeted Attack Protection:




The rewritten link encodes the original URL as http-3A__amazon.com and redirects the user to Proofpoint's own servers at urldefense.proofpoint.com, with some unique codes to track the individual user and their clicks.

The primary purpose of URL rewriting is to catch malicious URLs that a mail filter might have missed when it first scanned an email. For example, if the website www.perfectlyfine.com is believed to be safe when it is seen in a new email, but is compromised a few hours or even a few days later, the system can still prevent the user from reaching the site because they are first redirected to the prefix URL.
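To check whether the links in a delivered message (for example, a phishing simulation email) were rewritten, and where they originally pointed, the encoding described above can be reversed. This is an added example, not code from this article or from Proofpoint; it assumes the rewritten link carries the encoded original URL in a `u` query parameter, and the sample body, hostnames other than urldefense.proofpoint.com, and tracking values are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

REWRITE_HOST = "urldefense.proofpoint.com"  # host named in the article

def decode_u_value(encoded):
    """Undo the encoding shown above: '_' stands for '/', '-XX' for '%XX'."""
    slashes_restored = encoded.replace("_", "/")
    percent_form = re.sub(r"-([0-9A-Fa-f]{2})", r"%\1", slashes_restored)
    return unquote(percent_form)

def original_url(link):
    """Return the original URL of a rewritten link, or None if not rewritten."""
    parts = urlsplit(link)
    if (parts.hostname or "").lower() != REWRITE_HOST:
        return None
    # Assumption: the encoded original URL travels in the 'u' query parameter.
    values = parse_qs(parts.query).get("u")
    return decode_u_value(values[0]) if values else None

def find_rewritten(body):
    """Map every rewritten link in a message body to its original URL."""
    found = {}
    for link in re.findall(r"https?://[^\s\"'<>]+", body):
        target = original_url(link)
        if target is not None:
            found[link] = target
    return found

# Constructed sample body: two rewritten links and one untouched link.
SAMPLE_BODY = """\
Your order: https://urldefense.proofpoint.com/v2/url?u=http-3A__amazon.com&d=CONSTRUCTED&c=CONSTRUCTED
Training: https://urldefense.proofpoint.com/v2/url?u=https-3A__sim.example.test_teachable-2Dmoment-3Fid-3D42&d=CONSTRUCTED
Help desk: https://intranet.example.test/help
"""

if __name__ == "__main__":
    for rewritten, target in find_rewritten(SAMPLE_BODY).items():
        print(target, "<-", rewritten)
```

If a simulation email still shows up in the output after a policy route has been configured, the route is not matching that message.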

Policy Routes:

  • Policy-based routing is an essential part of defining mail flow for inbound, outbound and specific email types.
  • Policy routes are a set of rules and conditions applied to given messages that govern the handling of email, which helps strengthen email security.
  • By configuring a policy route, you can ensure that your Phishing Simulation URLs are not rewritten.
  • See instructions on creating a policy route, here.