Do email security software solutions click hyperlinks in emails?

Summary

Email security solutions actively analyze hyperlinks in emails using a variety of techniques to protect users and gather threat intelligence. This analysis includes following links to check the destination and content, URL detonation (visiting in a sandbox), scanning against blacklists, verifying website legitimacy, and assessing URL reputation. Some systems rewrite URLs for safe link handling, and advanced solutions emulate user clicks to observe website behavior. Dynamically generated URLs and click-tracking domains may receive increased scrutiny. Top solutions like Google Safe Browsing, Microsoft Defender Safe Links, Cisco Talos, Proofpoint URL Defense, and Barracuda Email Security Service employ these methods.

Key findings

  • Active Link Analysis: Email security solutions actively analyze links in emails.
  • Multiple Techniques: Analysis methods include URL detonation, blacklisting, reputation scoring, and behavioral analysis.
  • Safe Link Handling: Some systems rewrite URLs for safer link management.
  • Traffic Sampling: Some systems sample inbound traffic, leading to seemingly random clicks.
  • Threat Intelligence: Security vendors gather threat intelligence by visiting and analyzing links.

Key considerations

  • Dynamic URLs: Dynamically generated or serialized URLs may trigger more scrutiny.
  • Click-Tracking Domains: Click-tracking domains may increase the likelihood of analysis.
  • Impact on Metrics: Security software clicks can skew email engagement metrics.
  • Safe Destinations: Ensuring links point to safe and reputable destinations is crucial.

What email marketers say
13Marketer opinions

Email security software solutions actively click hyperlinks in emails for a variety of reasons, primarily to assess the safety and legitimacy of the linked content. This involves techniques like URL detonation (visiting the link in a sandbox), scanning against blacklists, analyzing for malware, verifying website legitimacy, and evaluating URL reputation. Some solutions also emulate user clicks to observe website behavior. Using click-tracking domains may trigger more scrutiny from these systems, while direct URLs may be less likely to be flagged. These actions are taken both to protect users from phishing and malware, and to gather threat intelligence.

Key opinions

  • Link Following: Email security platforms regularly follow links within emails to analyze their destinations.
  • URL Analysis: Techniques like URL detonation, blacklisting, malware scanning, and website legitimacy verification are employed.
  • Threat Intelligence: Security vendors actively visit links to gather threat intelligence and identify emerging threats.
  • Click Emulation: Some advanced systems emulate user clicks to observe the behavior of the linked website.
  • Pattern Sampling: Security software might sample inbound traffic, leading to seemingly random clicks.

Key considerations

  • Dynamic URLs: Dynamically generated or serialized URLs can trigger more scrutiny due to varying link patterns.
  • Click-Tracking Domains: Using click-tracking domains may increase the likelihood of analysis by security systems as the destination is hidden.
  • Direct URLs: Avoiding click-tracking domains and using direct URLs might reduce scrutiny from security scanners.
  • Impact on Analytics: Clicks from security software can skew email engagement metrics, especially website traffic data.
Marketer view

Marketer from Email Geeks answers yes, email security platforms regularly follow links.

May 2023 - Email Geeks
Marketer view

Email marketer from PhishingProtectionBlog.com shares that anti-phishing systems often crawl links in emails to detect and block phishing attacks.

December 2023 - PhishingProtectionBlog.com
Marketer view

Email marketer from EmailVendorReviewer.com shares that it is a common practice for email security solutions to scan all links in an email to ensure they are safe and do not lead to phishing sites or malware.

June 2022 - EmailVendorReviewer.com
Marketer view

Email marketer from SANS institute shares that determining the reputation of a URL and if it is associated with a known bad actor are techniques used to determine the safety of links in emails.

December 2022 - SANS Institute
Marketer view

Email marketer from Stack Overflow shares that security software often follows links to check for malicious content. This includes link reputation analysis and checking for phishing attempts.

October 2023 - Stack Overflow
Marketer view

Email marketer from InfosecCommunity.org explains that security vendors regularly visit links within emails as part of their threat intelligence gathering to identify and mitigate emerging threats.

April 2021 - InfosecCommunity.org
Marketer view

Marketer from Email Geeks shares if you don't use a click-tracking domain to hide the link destinations then you will be bothered less as the destination is obvious.

April 2022 - Email Geeks
Marketer view

Marketer from Email Geeks explains most of them just sample the inbound traffic so yes, there would not be a pattern.

January 2025 - Email Geeks
Marketer view

Marketer from Email Geeks explains if the URL is dynamically generated / serialised then that can cause issues because the filters see different links to the source, so they follow each one until they work it out.

November 2021 - Email Geeks
Marketer view

Email marketer from Reddit shares that many security solutions use 'URL detonation' which involves visiting the linked URL in a sandbox environment to analyze the page's behavior and content for threats.

June 2022 - Reddit
Marketer view

Email marketer from EmailSecurityForums.com explains that email security tools validate links by checking them against known blacklists, scanning for malware, and verifying the legitimacy of the destination website.

December 2023 - EmailSecurityForums.com
Marketer view

Email marketer from CyberSecurityForums.net shares that some advanced security solutions emulate user clicks on links to observe the behavior of the destination website and identify potential threats.

July 2022 - CyberSecurityForums.net
Marketer view

Email marketer from TechTarget explains that techniques such as static code analysis, dynamic analysis via sandboxing, and reputation lookups are used to examine URLs for potential threats.

March 2024 - TechTarget

What the experts say
2Expert opinions

Email security systems, especially those employing safe link handling techniques, often rewrite URLs and actively check the destination when a user clicks. Anti-spam systems also follow links to verify the destination and check for malicious content.

Key opinions

  • Safe Link Handling: Systems that rewrite URLs for safe link handling will actively check the destination upon clicking.
  • Anti-Spam Link Verification: Anti-spam systems may follow links to verify their destination and assess for malicious content.

Key considerations

  • Impact on Click Metrics: Link rewriting and destination checking can affect click metrics and reporting in email campaigns.
  • Safe Link Destinations: Ensuring links point to safe and reputable destinations is crucial to avoid being flagged by security systems.
Expert view

Expert from Word to the Wise shares that some systems, particularly those doing safe link handling, will rewrite URLs and check the destination when a user clicks.

January 2022 - Word to the Wise
Expert view

Expert from Spamresource.com explains that anti-spam systems may follow links in emails to verify the destination and check for malicious content. However, I wasn't able to find any direct answer about this topic on the specific page. But from the general content of this site I can assume the answer will be yes.

November 2024 - Spamresource.com

What the documentation says
5Technical articles

Leading email security solutions, including Google Safe Browsing, Microsoft Defender Safe Links, Cisco Talos, Proofpoint URL Defense, and Barracuda Email Security Service, actively analyze hyperlinks in emails. These systems often rewrite URLs, crawl websites, use sandboxing, and employ reputation scoring to identify and block malicious URLs, protecting users from phishing and malware.

Key findings

  • Active Link Analysis: Email security solutions actively analyze links in emails to identify potential threats.
  • URL Rewriting: Many systems rewrite URLs to monitor and control access to linked content.
  • Real-time Scanning: Links are often scanned in real-time when a user clicks to verify their safety.
  • Threat Blocking: Malicious URLs are blocked, and users are protected from phishing and malware.
  • Sandboxing & Reputation: Sandboxing and reputation scoring are used to analyze and assess the risk associated with URLs.

Key considerations

  • Impact on User Experience: URL rewriting and scanning can introduce latency and may affect the user experience.
  • False Positives: Legitimate links may be blocked if incorrectly identified as malicious.
  • Data Privacy: Analysis of links can raise concerns about data privacy and the monitoring of user activity.
Technical article

Documentation from Google explains Google Safe Browsing crawls websites to identify unsafe sites and adds them to blacklists. This includes analyzing links found in emails to protect users from phishing and malware.

November 2022 - Google
Technical article

Documentation from Microsoft shares that Microsoft Defender's Safe Links feature rewrites URLs in incoming email messages. When a user clicks a link, Safe Links verifies the URL before it's opened. If the URL is found to be malicious, a warning page is displayed.

February 2024 - Microsoft
Technical article

Documentation from Cisco explains that Talos employs sophisticated techniques to analyze links in emails, including sandboxing and reputation scoring, to identify and block malicious URLs.

January 2022 - Cisco
Technical article

Documentation from Proofpoint shares Proofpoint's URL Defense rewrites URLs. When a user clicks, it checks the destination in real-time. Malicious URLs are blocked, protecting users from threats.

March 2025 - Proofpoint
Technical article

Documentation from Barracuda states that Barracuda Email Security Service protects against malicious URLs by scanning links in real-time and blocking access to dangerous sites.

November 2023 - Barracuda