Dynamic Link Scanning

What is Dynamic Link Scanning?

Dynamic Link Scanning, also popularly known as URL Rewriting, Time-of-Click Analysis and Click-Time Verification, is arguably the most valuable of the post-filter services that UpStream provides.

Dynamic Link Scanning protects against a very cunning type of attack, in which the links contained in an email lead to perfectly innocuous websites at the time the email is sent, so that it passes email filters that check each linked website for malicious content.

However, seconds or minutes after such an email is sent, scanned and delivered to the recipient, the linked website’s page is changed to one with malicious content by the attacker. When the user then clicks on that link, they become susceptible to whatever the attacker has in store for them, whether that’s malware, drive-by downloads, credential harvesting or worse.

How does Dynamic Link Scanning work?

Every link in every email that comes through UpStream is already checked by the Anti-Phishing and Anti-Virus engines, along with deeper analyses in the Sandboxing phase. Links found dangerous at this phase are blocked entirely. Links deemed safe are rewritten with a special nested URL that triggers a real-time scan of the destination webpage when the user clicks it.

This real-time scan, or dynamic link scan, takes place on every click of a rewritten URL, whether right after the user receives the email or well into the future, ensuring that no matter when the link is clicked, the user will be protected.

The linked page is automatically scanned for threats by UpStream’s regular protection stack, with particular attention to any scripts or redirects it may have. If the website is found safe, the user is automatically directed to it as normal, without the onerous delays that many other services have. If the website is found to be dangerous, however, the user is blocked from navigating to it and shown a customizable page specifying the danger and, at an administrator’s discretion, additional options on what they can do.
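A minimal sketch of the rewrite-then-scan-on-click flow described above, added here as an illustration; it is not UpStream's Link Lock code. The gateway URL, key, parameter names and the `scan` callback are assumptions, and the HMAC over the nested URL is an added design choice so that the gateway only acts on links it rewrote itself.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://linkscan.example/click"  # hypothetical click-time scan endpoint
KEY = b"constructed-demo-key"               # constructed; load from a secret store in practice
HREF = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def sign(url: str) -> str:
    """MAC over the destination so the gateway only acts on links it rewrote."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_link(url: str) -> str:
    """Nest the original URL inside the gateway URL."""
    return GATEWAY + "?" + urlencode({"u": url, "s": sign(url)})


def rewrite_body(body: str) -> str:
    """Delivery time: rewrite every http(s) href in an HTML body."""
    def repl(m):
        original = html.unescape(m.group(1))
        return 'href="%s"' % html.escape(rewrite_link(original), quote=True)
    return HREF.sub(repl, body)


def handle_click(wrapped: str, scan) -> tuple:
    """Click time: verify the MAC, scan the destination now, then decide."""
    q = parse_qs(urlsplit(wrapped).query)
    url, sig = q.get("u", [""])[0], q.get("s", [""])[0]
    if not url or not hmac.compare_digest(sign(url).encode(), sig.encode()):
        return ("reject", None)   # forged or altered link: never redirect
    verdict = scan(url)           # caller-supplied scanner, run on every click
    return ("redirect", url) if verdict == "clean" else ("block", url)


if __name__ == "__main__":
    verdicts = {"https://news.example/offer": "clean"}    # constructed state
    body = rewrite_body('<a href="https://news.example/offer">Offer</a>')
    wrapped = html.unescape(HREF.search(body).group(1))
    print(handle_click(wrapped, lambda u: verdicts.get(u, "malicious")))
    verdicts["https://news.example/offer"] = "malicious"  # page swapped after delivery
    print(handle_click(wrapped, lambda u: verdicts.get(u, "malicious")))
```

The same rewritten link yields a redirect while the destination is clean and a block once its verdict changes, because the verdict is taken at click time and never cached from delivery.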

UpStream’s version of Dynamic Link Scanning is known as Link Lock, the idea being that the original “link” is locked away and clicking it triggers our dynamic scan of the linked website instead.

To provide proper redundancy and extremely high speed, Dynamic Link Scanning is spread across three different Amazon Web Services (AWS) regions, with multiple Availability Zones configured within each region for edge-siting.

What can Dynamic Link Scanning do for me?

Dynamic Link Scanning’s protection is one of the most potent mitigation techniques for phishing, spoofing and various malware delivery sites, protecting your users even after the emails are delivered. Preventing even one phishing attempt can save an administrator a major headache and weeks to months of recovery and damage control, let alone the hundreds to thousands of these that could be encountered daily for each organization.

As it always goes: the enemy only has to succeed once; defenders must be ever-vigilant.

An example of a URL that has been rewritten by Dynamic Link Scanning is below.

Hovering over the original link shows a newly embedded dynamic analysis link that checks the site before allowing the user to reach it, and if malicious content is found, bars them from accessing it.

Customize the logo, the block page header text and the message warning users about the dangers of what they clicked on, educating them on the fly not to click anything they are sent without due diligence.

Specify whether you’d like the user to see the URL they were blocked from going to or not, and offer the ability to Continue to the Site if needed.

What does it look like when someone clicks on a rewritten link?

Two different example block pages of what happens when a user clicks on a link that leads to a malicious website are pictured below.

Selecting the Show More link provides visibility into the actual endpoint URL and can offer the ability to click through to the site, if needed. Both options are entirely configurable.