Which corporate filter appliances or software follow links in emails?

Summary

Several corporate filter appliances and software actively follow links in emails to protect users from malicious content. Commonly mentioned solutions include Barracuda, Microsoft (Safe Links), Mimecast, Proofpoint, Avanan, Cisco Email Security Appliance, and Forcepoint Email Security. These systems employ techniques such as URL rewriting, sandboxing, and real-time analysis to assess the legitimacy of links before allowing users to access the destination. The level of aggressiveness and the specific methods used vary between providers.

Key findings

  • Prominent Solutions: Barracuda, Microsoft Safe Links, Mimecast, Proofpoint, Avanan, Cisco Email Security Appliance, and Forcepoint Email Security are consistently cited as solutions that follow links.
  • URL Rewriting: URL rewriting is a prevalent technique where original URLs are replaced with the security vendor's URL for analysis.
  • Sandboxing & Analysis: Many systems use sandboxing or virtual environments to analyze links and determine if they are malicious.
  • Time-of-Click Protection: Solutions like Microsoft Safe Links and Mimecast URL Protect provide time-of-click verification to block malicious URLs in real-time.
  • Aggressiveness Variation: The aggressiveness of link following varies; some solutions like Proofpoint are more aggressive, while others are configurable.

Key considerations

  • Resource Implications: Link following is resource-intensive, so providers have different thresholds and implement it based on cost and performance considerations.
  • Configuration Needs: The effectiveness of Microsoft Safe Links and other configurable solutions depends on proper configuration by the administrator.
  • Identifying Entities: Accurately identifying the specific entity clicking a link is challenging due to various factors like timing, location, and user agent.
  • Potential Skewing: Link following by security systems can skew email marketing metrics. It's necessary to filter this traffic for accurate reporting.
  • False Positives: Aggressive link following might lead to false positives; therefore, continuous monitoring and adjustment are essential.

What email marketers say
13Marketer opinions

Several corporate filter appliances and software actively follow links in emails for security purposes. These solutions aim to identify and prevent malicious content from reaching end-users. Common appliances that perform this function include Barracuda, Microsoft (Safe Links), Mimecast, Proofpoint, Avanan, and Cisco Email Security Appliance. The techniques used involve URL rewriting, sandboxing, and destination analysis, with some solutions being more aggressive in their link-following approach than others.

Key opinions

  • Common Appliances: Barracuda, Microsoft (Safe Links), Mimecast, Proofpoint, Avanan, and Cisco Email Security Appliance are frequently mentioned as solutions that follow links.
  • URL Rewriting: URL rewriting is a common technique where original URLs are replaced with a security vendor's URL for analysis before redirection.
  • Aggressiveness Varies: Some solutions, like Proofpoint, are considered more aggressive in clicking every link, while others have configurable settings.
  • Sandboxing & Analysis: Many systems utilize sandboxing or virtual environments to analyze the legitimacy of links.
  • Educational Addresses: There are reports of unidentified entities specifically targeting and clicking links in emails sent to educational addresses.

Key considerations

  • Configuration Settings: Microsoft Safe Links' behavior depends on the administrator's settings; ensure appropriate configuration for desired security levels.
  • Impact on Metrics: Link following by security appliances can skew email marketing metrics; consider filtering bot traffic for accurate reporting.
  • False Positives: Aggressive link following may lead to false positives; monitor and adjust settings to minimize disruptions.
  • Identification Challenges: Determining definitively what is clicking a link is complex. Factors such as timing, location, and user agent can offer clues, but attributing clicks is complex
Marketer view

Email marketer from Reddit mentions that several email security solutions like Proofpoint, Mimecast, and Microsoft Defender ATP (Safe Links) actively scan and follow links in emails.

January 2022 - Reddit
Marketer view

Marketer from Email Geeks explains that Microsoft will follow links depending on the admin's settings using Safe Links.

March 2022 - Email Geeks
Marketer view

Marketer from Email Geeks shares that Barracuda often follows links in emails.

February 2022 - Email Geeks
Marketer view

Email marketer from Spiceworks Community mentions that Avanan also checks links.

March 2025 - Spiceworks Community
Marketer view

Email marketer from StackExchange explains that to detect malicious links, systems utilize URL rewriting and destination analysis using a sandbox or link-following approach.

April 2021 - StackExchange
Marketer view

Email marketer from Reddit details that many email security systems use sandboxing or link following in a virtual environment to assess the legitimacy of a link.

July 2021 - Reddit
Marketer view

Email marketer from Spiceworks Community shares that Barracuda Link Protection will follow links in emails to check for malicious content.

May 2023 - Spiceworks Community
Marketer view

Email marketer from Reddit states that solutions like Avanan, Proofpoint, Mimecast, Barracuda, and Microsoft ATP scan URLs in emails for malicious content.

September 2021 - Reddit
Marketer view

Email marketer from Spiceworks Community says that Proofpoint is very aggressive and clicks every link in every email.

May 2021 - Spiceworks Community
Marketer view

Email marketer from TechTarget explains that email security gateways often include features that scan and analyze URLs in emails, including following the links to check for malicious content before delivery to the user.

January 2024 - TechTarget
Marketer view

Email marketer from Experts Exchange mentions that common appliances such as Cisco Email Security Appliance, Proofpoint, and Mimecast can be configured to follow links.

August 2022 - Experts Exchange
Marketer view

Email marketer from Reddit notes that URL rewriting is a common technique used by security appliances where the original URL is replaced with a URL from the security vendor which is then checked before redirecting the user to the original site.

October 2022 - Reddit
Marketer view

Marketer from Email Geeks shares that Barracuda and Microsoft are the most frequent to check links in emails. Mentions also seeing Mimecast do it. They also note an unidentified entity clicking emails sent to educational addresses.

October 2022 - Email Geeks

What the experts say
6Expert opinions

Email security solutions actively analyze links in emails, employing techniques like URL rewriting and inspection. Prominent vendors like Proofpoint, Microsoft, Mimecast, and Barracuda are frequently cited, with Cisco potentially offering similar capabilities. The extent of link-following depends on the provider, balancing security with resource constraints. Identifying the specific entity clicking links presents a significant challenge, further complicating analysis.

Key opinions

  • Key Vendors: Proofpoint, Microsoft, Mimecast, and Barracuda are identified as providers that follow links in emails.
  • URL Rewriting: Solutions like Proofpoint URL Defense rewrite URLs to analyze them before redirection, effectively following the link.
  • Cost Considerations: All providers have the ability to follow links, but implement different thresholds due to the expense in resources and time.
  • Link Inspection: Most providers do link inspection on some level, but limit it to borderline emails due to the cost.
  • Identification Difficulty: Identifying exactly what is clicking a link is challenging due to various factors.

Key considerations

  • Threshold Management: Each provider has different thresholds for link following, which may need adjusting based on organizational needs.
  • Aggressiveness Identification: Barracuda is noted as being more aggressive and easier to identify as a link-following provider.
  • Attribution Complexity: Factors like timing, location, and user agent complicate accurately attributing link clicks to specific sources.
  • Resource Implications: Link following is resource-intensive; balancing thorough inspection with performance is crucial.
Expert view

Expert from Email Geeks shares that Proofpoint follows links and rewrites URLs. Also names Microsoft, Mimecast, and Barracuda as well. They believe Symantec has this feature as well.

October 2022 - Email Geeks
Expert view

Expert from Email Geeks explains that all providers have the *ability* to follow links, but they have different thresholds for when to do it because it's expensive in terms of resources and time.

August 2024 - Email Geeks
Expert view

Expert from Word to the Wise discusses the challenges and nuances of link clicking by security systems, emphasizing that it's difficult to determine definitively what is clicking a link. Factors such as timing, location, and user agent can offer clues, but attributing clicks is complex.

September 2023 - Word to the Wise
Expert view

Expert from Email Geeks shares that Barracuda is one of the more aggressive (and easier to identify) link following providers.

November 2024 - Email Geeks
Expert view

Expert from Email Geeks suggests Cisco may also follow links. States most providers do link inspection on some level but limit it due to expense, applying it more to borderline emails.

June 2021 - Email Geeks
Expert view

Expert from Spam Resource mentions Proofpoint URL Defense as a solution that rewrites URLs in email messages. This rewrite allows Proofpoint to analyze the links when clicked, directing users through Proofpoint's servers before redirecting to the actual destination. If the link is deemed malicious during the analysis, access can be blocked. This effectively confirms Proofpoint's system follows links.

June 2021 - Spam Resource

What the documentation says
5Technical articles

Several email security solutions, including Microsoft Defender for Office 365's Safe Links, Mimecast URL Protect, Proofpoint TAP URL Defense, Cisco Email Security Appliance, and Forcepoint Email Security, employ link following as a security measure. These systems rewrite URLs, analyze them at the time of click, and block access to malicious sites, leveraging sandboxing and URL analysis.

Key findings

  • Time-of-Click Verification: Microsoft Safe Links provides time-of-click verification of web addresses to protect against malicious URLs.
  • URL Rewriting & Scanning: Mimecast URL Protect rewrites URLs and scans them at the time of click to protect users.
  • Sandboxing & Blocking: Proofpoint TAP URL Defense rewrites URLs, analyzes them in a sandbox, and blocks access to malicious URLs.
  • Configurable Analysis: Cisco Email Security Appliance can be configured to perform URL analysis and rewrite URLs.
  • Malicious Content Check: Forcepoint Email Security analyzes URLs and follows links to check for malicious content.

Key considerations

  • Proactive Protection: These solutions offer proactive protection against malicious URLs in email messages.
  • Real-Time Analysis: The systems analyze URLs at the time of the click, providing real-time protection.
  • Comprehensive Security: The solutions leverage techniques like URL rewriting, scanning, and sandboxing for comprehensive email security.
  • Configurability: The Cisco Email Security Appliance offers configurability, allowing administrators to tailor the URL analysis settings.
Technical article

Documentation from Forcepoint describes how Forcepoint Email Security can analyze URLs in emails and follow links to check for malicious content.

April 2024 - Forcepoint
Technical article

Documentation from Cisco explains that the Cisco Email Security Appliance can be configured to perform URL analysis and rewrite URLs for protection against malicious websites.

August 2024 - Cisco
Technical article

Documentation from Proofpoint explains that TAP URL Defense rewrites URLs, analyzes them in a sandbox environment, and blocks access to malicious URLs.

October 2023 - Proofpoint
Technical article

Documentation from Mimecast explains that URL Protect rewrites URLs and scans them at the time of click to protect users from malicious websites.

August 2023 - Mimecast
Technical article

Documentation from Microsoft Learn explains that Safe Links in Microsoft Defender for Office 365 proactively protects users from malicious URLs in email messages by providing time-of-click verification of web addresses.

September 2023 - Microsoft Learn