Security Engines - Click-Time Protection

Avanan's virtual inline technology provides phishing protection for emails after they have been scanned by Microsoft servers, but before they reach the user’s mailbox.

New attacks have become more sophisticated and can generate phishing campaigns such that the phishing website they link to does not have any known bad reputation, sometimes for hours and days after the emails are sent.

Click-Time Protection works by replacing links. The replaced links point to the Avanan inspection services, so that  every time a user clicks on a link, the website behind the link is inspected to ensure it is not a phishing website.

Click-Time Protection uses these security engines for inspection.

• URL Reputation - Checks if the URL is known to be malicious or holds any malicious references.
• URL Emulation - Emulates the website to detect zero-day phishing websites

Benefits

• Most Up-to-Date Intelligence - Inspecting links when the user clicks on the URL allows to inspect the URL based on the latest inspection intelligence and software capabilities.
• Protection against zero-day phishing websites - Inspecting links when the user clicks on the URL allows to follow the user into the website. Click-Time Protection then emulates the website to expose hidden Phishing indicators. So Phishing websites that are not known to be malicious are also flagged.
• Pointing out the users that clicked the malicious URL - Click-Time Protection forensics allows to detect the users that require further education and training to avoid clicking on malicious links.

Note - Click-Time Protection is available for Office 365 email and Gmail.

Interaction with Microsoft ATP

When other Secure Email Gateways (SEG) are deployed in front of Office 365 (not via API), Microsoft Advanced Threat Prevention (ATP) will not be able to inspect the URLs as they were re-written.

However, as Avanan interacts with Microsoft through API, there is no interference with ATP. ATP inspects the URL before Avanan re-writes them. So, Click-Time Protection can be used in addition to ATP, as an additional layer of protection.

Configuring Click-Time Protection Engine

To configure Click-Time Protection engine:

1. Navigate to Configuration > Security Engines.
2. Choose Click-Time Protection and click Configure.
   
3. By default, URL Emulation is enabled. To disable URL Emulation, under Security Tools, clear the URL Emulation checkbox.
   Note - If the URL Emulation was disabled, and if the administrator enables it, it could take up to 20
   minutes for the URL Emulation to start working.
4. Under Workflow, select the required option to handle the malicious websites.
   • Prevent access to the malicious URL. User has option to proceed.
   • Prevent access to the malicious URL. User cannot proceed.
   • Do nothing
5. Under Advanced, select the required URL version (V1 or V2).
   Note - Avanan recommends using V2 version.
6. Click Save.

Notes:

• To start rewriting the links, you must configure a Click-Time Protection policy. To configure Click-Time Protection policy, see Configuring Click-Time Protection policy.
• To create Allow-List or Block-List for Click-Time Protection, see Click-Time Protection Exceptions.

Re-Written Avanan URL

The format of the rewritten Avanan URL is <click-time domain>_<original url>_<encrypted blob>. While configuring the Click-Time Protection engine, administrators can choose the <click-time domain> from
these versions:

• V1: https://avanan.url-protection.com/v1/
• V2: https://url.avanan.click/v2/

In the <click-time domain> V2 version, the original URL is surrounded by underscores, making it easier to identify the original (rewritten) URL. Also, the URL is shorter, and the domain is different from the V1 version.

Note - Avanan recommends using V2 version.

Validity of Rewritten URL

• Avanan inspects the website behind the rewritten URL only when you have a valid license.
  
• Rewritten URLs remain valid indefinitely, even when you do not have a valid license or when you delete the Avanan Portal.
  
• After the license expires, Avanan redirects the rewritten URL to the original URL without inspection.
• Avanan handles the rewritten URLs as described above regardless of the identity of the user that clicks the URL - internal user, external user, or unidentified user.
  Therefore, even if the email is forwarded to a user in your organization that is not protected by Avanan, this user's click is also secured by Avanan.

Replacing Links Inside Attachments - Supported File Types

If you configured the Click-Time Protection Policy to replace links inside the attachments, the links get replaced for these file types:

Click-Time Protection - End-User Experience

After configuring a  Click-Time Protection policy, Avanan replaces all URLs in the incoming emails and their attachments with a Avanan URL.

The URL also provides a tool-tip with the original URL, indicating that the link is protected by Avanan.

Note: Formatted tooltips are available on Microsoft Outlook for Mac, Outlook Web Access, and many other clients. Some clients, such as Outlook for Windows, limit the ability to present tooltips and will present the raw rewritten URL.

When a user clicks on the URL, Avanan checks the target URL.

• If the URL is not found to be malicious, the user will be redirected to the original URL.
  • If the URL is found to be malicious, the user is forwarded to a warning page.
  • If the workflow for malicious URLs is Prevent access to the malicious URL. User has option to proceed in the Click-Time Protection security engine, an additional Proceed anyway link will be available in the warning page.

Google Drive Preview Links

By default, in the Gmail interface, when there is a link to a file in Google Drive, the email shows the file preview as if it was attached to the email.

But, when Avanan rewrites the link, the file preview will not be showed.

Configuring Click-Time Protection Policy

To configure Click-Time Protection policy:

1. Navigate to Policy.
2. Click Add a New Policy Rule.
3. Select the desired SaaS application under Choose SaaS drop-down.
4. Select Click-Time Protection under Choose Security drop-down and click Next.
5. Choose Scope for the policy.
6. Under Links Replacing, choose where to replace the links for the email.
   • Email body
   • Email body and attachments
     
7. Under Severity, select the severity of the events generated by Click-Time Protection security engine.
   • Auto
   • Critical
   • High
   • Medium
   • Low
   • Lowest
8. Click Save and Apply.

Click-Time Protection Exceptions

Click-Time Protection allows to add exceptions to domains and URLs that need to be blocked, allowed, or ignored regardless of being malicious or not.

To configure Click-Time Protection exceptions:

1. Navigate to Configuration > Click-Time Protection Exceptions.
2. Click Add New Exception.
3. Under Domain, enter the required domain in the Domain pattern: domain.com format.
4. Choose the required exception type under List Name.
   • Block-list -Click-Time Protection engine automatically flags this URL as malicious without even scanning it.
   • Allow-list -Click-Time Protection engine automatically flags this URL as clean without even scanning it.
   • Ignore-list -Click-Time Protection engine will not replace this URL.
5. Click OK.

Forensics

Each stage of the Click-Time Protection process is recorded for forensic and auditing purposes, from the original URL replacement to the result of the time-of-click scan.

Click-Time Protection processes the events as Malicious Url Click and Proceed to Malicious Url.

• Malicious Url Click event is recorded when a user clicks on the rewritten URL and is redirected to the warning page.
• Proceed to Malicious Url event is recorded when the user clicks Proceed anyway in the warning page.

Note - Proceed to Malicious Url is available depending on your company’s policy.

For multiple recipients, each URL click would generate an event. Events are aggregated by default.

Viewing Emails with the Replaced Links

The Emails with Modified Attachments page shows emails with attachments, where the links in the attachments were replaced.

Note - The page does not show emails where links in the email body were replaced.

Viewing Replaced Links and User Clicks

• From the Email Profile page
  • Under Security Stack, for Click-Time Protection, administrators can view:
    • Replaced Links - All the links replaced by Click-Time Protection engine in the email body and its attachments
    • User Clicks – All the clicks performed by users (for clean and malicious websites)
      

• •  
  • Under Email Attachments, attachments with replaced links will be marked with a small icon.
    
• From the Attachment Info page, administrators can see all the Replaced Links in the attachment.
  

Note - The User Clicks can only be seen from the Email Profile page.

Determining which User Clicked a Link

Identification of the user that clicked a link is based on a cookie Avanan adds to the clicking user's browser.

Identification procedure:

1. When a user clicks on a replaced link in an email sent to only one email address (click number 1), Avanan adds a cookie to the user's browser.
2. If the user clicks (click number 2) on another replaced link in an email using the same browser within 30 days of the previous click, and the email is sent to the same email address, the user's identity will be linked to that browser.
3. Click number 2 and all future clicks on replaced links (that are opened on the same browser) within the next 365 days will be attributed to the user, regardless of the number of email recipients.
4. After 365 days from click number 1, the cookie is removed from the browser, and the procedure restarts.

Example: Every row in this table describes a click on a replaced link by John Smith: