Proofpoint URL Defense | proofpoint

Stats

Actions

Tags

Proofpoint URL Defense | proofpoint

Proofpoint URL Defense

Overview

Proofpoint URL Defense rewrites URLs in email messages to route clicks through Proofpoint's analysis infrastructure. When a user clicks a rewritten URL, Proofpoint performs real-time analysis of the destination before allowing or blocking access. This provides click-time protection - even if a URL was clean when the email was delivered, it will be analyzed again at the moment the user clicks.

URL Defense is a critical layer of protection because many attacks use time-delayed weaponization: a URL is clean when the email is sent but becomes malicious hours or days later.

Key Concepts

URL Rewriting

Proofpoint rewrites URLs in email bodies and HTML attachments. The rewritten URL format is:

https://urldefense.proofpoint.com/v2/url?u=<encoded_original_url>&d=<domain_key>&c=<context>&r=<recipient_hash>&m=<message_hash>&s=<signature>&e=

Version 3 format:

https://urldefense.com/v3/__<encoded_url>__;!!<encoded_chars>!<signature>$

URL Rewrite Components

Component	Description
`u`	URL-encoded original URL (v2)
`d`	Domain key for the organization
`c`	Context identifier
`r`	Recipient hash
`m`	Message hash
`s`	HMAC signature for integrity
`e`	Empty (reserved)

Click-Time Analysis

When a user clicks a rewritten URL, Proofpoint performs:

URL reputation check - Is this URL on known blocklists?
Real-time sandbox - Load the page in a sandbox and check for malicious content
Redirect chain following - Follow all redirects to the final destination
Content analysis - Check for credential harvesting forms, drive-by downloads
Verdict delivery - Allow, warn, or block based on analysis

Click-Time Verdicts

Verdict	User Experience	Description
`allow`	User proceeds to destination	URL is clean
`warn`	Warning interstitial page	URL is suspicious but not confirmed malicious
`block`	Block page shown	URL is confirmed malicious
`isolate`	Opened in browser isolation	URL is risky, opened in safe container

URL Encoding in v2

In the v2 rewrite format, the original URL is encoded:

- replaces /
_ replaces =
Standard URL encoding for other special characters

URL Encoding in v3

In the v3 format, the original URL uses a different encoding:

__ delimiters surround the encoded URL
Special characters are encoded in the trailing !! section
The $ terminates the URL

Field Reference

URL Analysis Fields

Field	Type	Description
`originalUrl`	string	The original URL before rewriting
`rewrittenUrl`	string	The Proofpoint-rewritten URL
`verdict`	string	`allow`, `warn`, `block`, `isolate`
`threatId`	string	Threat ID if URL is malicious
`classification`	string	`malware`, `phish`, `spam`, `clean`
`firstSeen`	datetime	When the URL was first observed
`lastSeen`	datetime	Most recent observation
`clickCount`	int	Number of clicks on this URL
`blockCount`	int	Number of times clicks were blocked
`redirectChain`	string[]	Full redirect chain to final URL
`finalUrl`	string	Final destination after redirects
`certificate`	object	SSL certificate details of the destination

Decoded URL Fields

Field	Type	Description
`encodedUrl`	string	The Proofpoint-rewritten URL provided
`decodedUrl`	string	The original URL extracted
`version`	string	Rewrite version (`v2` or `v3`)
`valid`	boolean	Whether the URL is a valid Proofpoint rewrite

MCP Tools

Tool	Description	Key Parameters
`proofpoint_url_decode`	Decode a Proofpoint-rewritten URL	`url`
`proofpoint_url_analyze`	Analyze a URL for threats	`url`
`proofpoint_url_get_clicks`	Get click activity for a URL	`url`, `sinceSeconds`
`proofpoint_url_get_verdict`	Get the current verdict for a URL	`url`
`proofpoint_url_batch_decode`	Decode multiple URLs at once	`urls[]`

Common Workflows

Decode a Rewritten URL

User or analyst provides a Proofpoint-rewritten URL
Call proofpoint_url_decode with the full rewritten URL
Return the original decoded URL
Optionally call proofpoint_url_analyze to check the URL's current threat status

Investigate a Suspicious URL

Call proofpoint_url_analyze with the URL
Review the verdict, classification, and redirect chain
If malicious, call proofpoint_url_get_clicks to see who clicked
Cross-reference with TAP click events for full context
If the URL is being used in an active campaign, escalate to threat intelligence

Bulk URL Decoding

Extract all Proofpoint-rewritten URLs from an email or document
Call proofpoint_url_batch_decode with the array of URLs
Review the decoded URLs for any suspicious destinations
Check each decoded URL against threat intelligence

Click Activity Investigation

Identify a suspicious URL from TAP events or quarantine
Call proofpoint_url_get_clicks with the URL
Review which users clicked and when
Check whether clicks were permitted or blocked
For permitted clicks, assess whether credentials may be compromised
Initiate password resets for users who clicked on credential harvesting URLs

URL Verdict Monitoring

Call proofpoint_url_get_verdict for a URL that was previously clean
Check if the verdict has changed (URLs can become malicious after delivery)
If the verdict changed to block, check if any users received emails containing the URL
If users received the URL before it was blocked, initiate search-and-destroy

URL Decoding Reference

Manual v2 Decoding

To manually decode a v2 Proofpoint URL:

Extract the u= parameter value
Replace - with /
Replace _ with =
URL-decode the result

Input:  https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_path-3Fparam-3Dvalue&d=...
Step 1: https-3A__example.com_path-3Fparam-3Dvalue
Step 2: https-3A//example.com/path-3Fparam-3Dvalue
Step 3: https-3A//example.com/path-3Fparam=value
Step 4: https://example.com/path?param=value

Manual v3 Decoding

To manually decode a v3 Proofpoint URL:

Extract the content between __ delimiters
Decode special characters from the !! section
Replace encoded characters in the URL

Input:  https://urldefense.com/v3/__https://example.com/path__;!!ABC123!def$
Output: https://example.com/path

Note: Always use the proofpoint_url_decode tool rather than manual decoding to ensure accuracy.

Error Handling

Common API Errors

Code	Message	Resolution
400	Invalid URL format	Ensure the URL is a valid Proofpoint-rewritten URL
400	Unsupported URL version	Only v2 and v3 formats are supported
401	Authentication failed	Verify service principal and secret
403	URL Defense API not enabled	Ensure your license includes URL Defense API
404	URL not found	The URL may not have been processed by Proofpoint
429	Rate limit exceeded	Implement backoff

Decoding Failures

Issue	Cause	Resolution
Invalid signature	URL was modified after rewriting	The URL may have been truncated or altered
Unknown version	URL does not match v2 or v3 format	It may not be a Proofpoint URL
Expired URL	URL is older than the retention period	Original URL cannot be recovered from the API

Best Practices

Always use the API to decode - Manual decoding is error-prone; use proofpoint_url_decode
Check verdicts at click time - A URL clean at delivery may be malicious when clicked
Monitor click activity - Track which users are clicking rewritten URLs
Train users on rewritten URLs - Users should recognize Proofpoint-rewritten URLs as a security feature
Don't bypass URL Defense - Never instruct users to work around URL rewriting
Use browser isolation for risky clicks - Configure isolation for suspicious-but-not-confirmed URLs
Audit redirect chains - Multi-hop redirects are a common evasion technique
Batch decode for efficiency - When processing multiple URLs, use proofpoint_url_batch_decode
Retain decoded URLs - Log the original URLs for threat intelligence and IOC tracking
Combine with TAP data - Cross-reference URL analysis with TAP events for full visibility

Related Skills

Proofpoint TAP - Click tracking and threat events
Proofpoint Quarantine - Messages quarantined for malicious URLs
Proofpoint Forensics - Deep URL investigation
Proofpoint API Patterns - Authentication and rate limits