Email Security. Photo: Cybercrime Magazine.

Email Security: URL Scanning Beyond The Basics

Time-of-click scanning, image and attachment analysis are essential

Gil Friedrich

New York City, N.Y. – Nov. 1, 2021

Many attacks detonate post-delivery, meaning they easily get by email scanners and are only dangerous after the user clicks on the link. URL rewriting, along with time-of-click analysis, allows the security solution to analyze links and block them, as necessary.

Consider a few attacks that have occurred over the last year. One is the so-called TattleToken script. Attackers use client-side scripts to determine the end user’s IP address and alter the URL to hide a malicious server from email service providers and security organizations. This effectively bypasses most post-delivery protections like O365 SafeLinks inbox retraction. Instead of putting the malicious URL in the email, hackers link to a redirect server that acts as a gateway, sending queries from a security company to a benign site. Queries from the intended victims are directed to the phishing server.

From the point of view of the security firms, the link in the email is just a simple redirect to a web server like Google. When the victim clicks on the same link, they are redirected to the malicious web server.

There’s also the general umbrella of SiteCloak attacks. SiteCloak is a way to bypass the time-of-click scanning by “cloaking” the malicious website. It does this by showing a benign page to the email security solution, but a realistic-looking credential harvesting page to the victim.

Cybercrime TV: Gil Friedrich, Founder & CEO at Avanan

Protecting Office 365 inboxes from phishing attacks

Preventing such attacks means analyzing links both when the email is delivered and at click-time. This is important because some attackers enable the malicious content only after the email message has reached the inbox. Additionally, prevention means using the hacker’s own obfuscation techniques as a way to identify the attack. Because the web-scanning algorithm looks for known obfuscation methods as Indicators of Attack (IoAs), these sites self-incriminate themselves by using a hacking method.

It also means doing image analysis. Consider the Microsoft Sway attack. Attackers used Sway, a web app for creating presentations and landing pages, to host phishing sites. Since Sway is hosted on, it bypasses URL filters. In the attack, hackers hyperlink to a malicious file or to a spoofed login page. By using Optical Character Recognition (OCR) to convert images to text, or to parse QR codes and identify the link, an advanced Natural Language Processing engine can then identify any suspicious language or malicious links.

It also means doing attachment analysis. This importance was seen in a fairly straightforward tax-related attack earlier this year.

The attackers tried to obfuscate their approach by changing the Reply-to address to, but the actual from address represents the IRS equivalent in Nigeria. By scanning all links in the attachment, we were able to determine with high confidence that the .HTML attachment was Trojan malware. 

Proper URL scanning has the following benefits:

  • Another layer of post-delivery protection
  • Enhanced protection for zero-day attacks, as sometimes it takes a few minutes to detect malicious emails
  • Forensics

A complete security solution has to have URL scanning that goes beyond the basics. That includes time-of-click scanning, image and attachment analysis. Implementing this keeps end-users safer, and it also takes out an effective method for hackers to bypass standard protections.

Implementing proper URL scanning that can detect the attacks like the ones mentioned above is a crucial part of any security structure.

Start a Demo to Experience the Power and Simplicity of Avanan

Avanan Archives

Gil Friedrich is co-founder and CEO at Avanan.

About Avanan 

Avanan is a cloud email security platform that pioneered and patented a new approach to prevent sophisticated attacks. We use APIs to scan for phishing, malware, and data leakage in the line of communications traffic. This means we catch threats missed by Microsoft while adding a transparent layer of security for the entire suite and other collaboration tools like Slack.

Avanan catches the advanced attacks that evade default and advanced security tools. Its invisible, multi-layer security enables full-suite protection for cloud collaboration solutions such as Office 365™, G-Suite™, and Slack™.  The platform deploys in one click via API to prevent Business Email Compromise and block phishing, malware, data leakage, account takeover, and shadow IT across the enterprise. Avanan replaces the need for multiple tools to secure the entire cloud collaboration suite, with a patented solution that goes far beyond any other Cloud Email Security Supplement.