Many attacks detonate post-delivery, meaning they easily get by email scanners and are only dangerous after the user clicks on the link. URL rewriting, along with time-of-click analysis, allows the security solution to analyze links and block them, as necessary.
Preventing such attacks means analyzing links both when the email is delivered and at click-time. This is important because some attackers enable the malicious content only after the email message has reached the inbox. Additionally, prevention means using the hacker's own obfuscation techniques as a way to identify the attack. Because the web-scanning algorithm looks for known obfuscation methods as Indicators of Attack (IoAs), these sites self-incriminate themselves by their usage of a hacking method.
Every time an end-user clicks on a link, the Click-Time Protection engine tests the website for reputation using HEC's URL Reputation and emulates the target website to detect zero-day phishing indicators using URL Emulation.
Emails that detonate post-delivery are designed to land in the inbox as clean and are only dangerous after clicking. If you don't re-write every URL, end-users will be affected by this.
Proper URL scanning has the following benefits:
Another layer of post-delivery protection
Anti-malware and enhanced protection for zero-day attacks, as sometimes it takes a few minutes to detect malicious emails
Implementing proper URL scanning that can detect the attacks like the ones mentioned above is a crucial part of any security structure.