Click-Time Protection

Background

Avanan’s virtual Inline technology provides anti-phish protection for email after it has been scanned by Microsoft’s servers, but before it reaches the user’s inbox. In most cases, a malicious URL will be blocked before it is even seen by the user.

New attacks, however, use compromised servers that appear benign until after the message has been delivered. Click-time Protection checks a URL when the user clicks, blocking access should the website be malicious.

 

What is Click-Time Protection?

Click-Time Protection (CTP) is based on URL "rewrites". Every link within incoming emails is replaced with an Avanan URL. When anyone clicks on the link, Avanan tests the site before redirecting the user.

 

What Click-Time Protection Provides

  • Another layer of post-delivery protection
  • Enhanced protection for zero-day attacks, as sometimes it takes a few minutes to detect malicious emails
  • Forensics

Click-time Protection is available for Office 365 Mail and Gmail.

 

The unique positioning of Avanan

When a security gateway replaces a URL, O365 ATP can no longer scan it. Avanan comes after ATP, and thus can replace URLs after ATP has already scanned the email. As a result, CTP can be enabled in addition to ATP, as another layer of protection.

 

How it Works

Configuration

Click-Time Protection is a new security tool, available in the Avanan Security App Store.


When enabling Click-Time Protection from the platform, the admin has three options for how Avanan should handle malicious sites for the end user:

  1. Do nothing and allow the user to go through to the site
  2. Completely prevent the user from visiting the site
  3. Display a warning to the user with the option for them to continue to the site.

Then, a security policy needs to be created, using Click-Time Protection as a security tool.

Note that URL rewriting is applied only in inline mode.


The scope of users covered by the policy can be defined.


It is also possible to define a special treatment for specific domains in the Click-Time Protection configuration screen:

  • Blacklist - add the URL to a list of URLs that will always get the block page (regardless of being malicious or not)
  • Whitelist - just the opposite, let the client pass through to the target URL
  • Ignore list - don't rewrite the URL at all

Functionality

Once enabled, all links contained in an incoming email are replaced with an Avanan link. When the user clicks on the link, it triggers an immediate scan of the target site. If it is determined to be benign, the user continues without interruption. If it is determined to be malicious, the user is forwarded to a warning page.


Depending upon the company’s policy choice, the user may be provided a link to the malicious page.
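
The rewrite and time-of-click decision described above can be modelled as follows. This is an added illustration, not Avanan's code: the rewrite URL format, the `scan` callback, the mode names and the choice to check the blacklist before the whitelist are all assumptions.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

# Hypothetical rewrite endpoint; the real Avanan URL format is not given on this page.
REWRITE_PREFIX = "https://ctp.example.invalid/click?u="
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def in_list(host, domains):
    # Match the domain itself or a subdomain, never a bare string suffix.
    return any(host == d or host.endswith("." + d) for d in domains)

def rewrite_links(body, ignore_list):
    """Replace every link with a click-time URL, except ignore-listed domains."""
    def repl(match):
        url = match.group(0)
        if url.startswith(REWRITE_PREFIX) or in_list(host_of(url), ignore_list):
            return url  # already rewritten, or on the ignore list
        return REWRITE_PREFIX + quote(url, safe="")
    return URL_RE.sub(repl, body)

def original_url(rewritten):
    """Recover the original target from a rewritten link."""
    return parse_qs(urlsplit(rewritten).query)["u"][0]

def on_click(rewritten, scan, mode, blacklist, whitelist):
    """Decide what the user sees. mode is 'allow', 'block' or 'warn' (the three
    admin options); scan(url) -> True if malicious stands in for the real scan."""
    target = original_url(rewritten)
    host = host_of(target)
    if in_list(host, blacklist):   # always the block page, whatever the verdict
        return ("block", target)
    if in_list(host, whitelist):   # always passed through to the target
        return ("redirect", target)
    if not scan(target):           # benign: continue without interruption
        return ("redirect", target)
    return ({"allow": "redirect", "block": "block", "warn": "warn"}[mode], target)

if __name__ == "__main__":
    # Constructed sample email body.
    body = "Invoice: https://files.example.com/a?id=1&k=2 wiki: http://wiki.corp.example/page"
    out = rewrite_links(body, ignore_list={"corp.example"})
    print(out)
    link = out.split()[1]
    print(on_click(link, lambda u: True, "warn", set(), set()))
```

Percent-encoding the whole original URL into one parameter keeps its own query string intact, and matching list entries on domain boundaries prevents a whitelisted `example.com` from also covering a lookalike such as `evilexample.com`.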

 

Forensics

Each stage of the Click-time Protection process is recorded for forensic and auditing purposes, from the original URL substitution event to the result of the time-of-click scan. If configured in ‘warning only’ mode, user clicks of the continue link are recorded.

Click events are recorded as a new event type, “Malicious Url Click”. Make sure to select the new type in the event types selection.

For emails with multiple recipients, each click generates an event. Events are aggregated by default.


The Email page now includes a "Send Original Email" button. It releases the original email to the mailbox (while the rewritten email remains untouched).
