Security Engines - Click-Time Protection

Avanan's virtual inline technology provides phishing protection for emails after they have been scanned by Microsoft servers, but before they reach the user’s mailbox.

New attacks have become more sophisticated and can generate phishing campaigns such that the phishing website they link to does not have any known bad reputation, sometimes for hours and days after the emails are sent.

Click-Time Protection works by replacing links. The replaced links point to the Avanan inspection services, so that every time a user clicks on a link, the website behind the link is inspected to ensure it is not a phishing website.

Click-Time Protection uses these security engines for inspection.

  • URL Reputation - Checks if the URL is known to be malicious or holds any malicious references.
  • URL Emulation - Emulates the website to detect zero-day phishing websites.

Benefits

  • Most Up-to-Date Intelligence - Inspecting links at the moment the user clicks means the URL is checked against the latest inspection intelligence and software capabilities.
  • Protection against zero-day phishing websites - Inspecting links at click time allows Click-Time Protection to follow the user into the website. It then emulates the website to expose hidden phishing indicators, so phishing websites that are not yet known to be malicious are also flagged.
  • Identifying the users who clicked the malicious URL - Click-Time Protection forensics lets administrators identify the users who require further education and training to avoid clicking on malicious links.

Note - Click-Time Protection is available for Office 365 email and Gmail.

Interaction with Microsoft ATP

When other Secure Email Gateways (SEG) are deployed in front of Office 365 (not via API), Microsoft Advanced Threat Prevention (ATP) cannot inspect the original URLs because they have already been rewritten.

However, because Avanan interacts with Microsoft through the API, there is no interference with ATP. ATP inspects the URLs before Avanan rewrites them, so Click-Time Protection can be used alongside ATP as an additional layer of protection.

Configuring Click-Time Protection Engine

To configure Click-Time Protection engine:

  1. Navigate to Configuration > Security Engines.
  2. Choose Click-Time Protection and click Configure.
  3. By default, URL Emulation is enabled. To disable URL Emulation, under Security Tools, clear the URL Emulation checkbox.
    Note - If the URL Emulation was disabled, and if the administrator enables it, it could take up to 20 minutes for the URL Emulation to start working.
  4. Under Workflow, select the required option to handle the malicious websites.
    • Prevent access to the malicious URL. User has option to proceed.
    • Prevent access to the malicious URL. User cannot proceed.
    • Do nothing
  5. Under Advanced, select the required URL version (V1 or V2).
    Note - Avanan recommends using the V2 version.
  6. Click Save.

Re-Written Avanan URL

The format of the rewritten Avanan URL is <click-time domain>_<original url>_<encrypted blob>. While configuring the Click-Time Protection engine, administrators can choose the <click-time domain> from these versions:

  • V1: https://avanan.url-protection.com/v1/
  • V2: https://url.avanan.click/v2/

In the V2 version, the original URL is surrounded by underscores, making it easier to identify the original URL inside the rewritten link. The V2 URL is also shorter, and its domain is different from the V1 domain.

Note - Avanan recommends using the V2 version.
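
When rewritten links show up in mail, proxy or DNS logs, an analyst usually needs the original destination. The following added example (not Avanan code) recovers it from a V2 link using the format described above. It assumes the encrypted blob contains no underscore, leaves V1 links undecoded because this page only describes the underscore layout for V2, and uses constructed sample links.

```python
from urllib.parse import urlsplit

# Click-time domains exactly as listed on this page.
V1_PREFIX = "https://avanan.url-protection.com/v1/"
V2_PREFIX = "https://url.avanan.click/v2/"

def extract_original(url):
    """Return (version, original_url, blob), or None if not a rewritten link.

    original_url and blob are None when the link is recognised but not decoded.
    """
    if url.startswith(V1_PREFIX):
        return ("V1", None, None)  # V1 layout is not described on the page
    # Exact prefix match: a look-alike host such as
    # url.avanan.click.example.net must not be treated as a rewritten link.
    if not url.startswith(V2_PREFIX):
        return None
    rest = url[len(V2_PREFIX):]
    if not rest.startswith("_"):
        return ("V2", None, None)
    # Assumption: the blob holds no underscore, so the LAST underscore is the
    # separator; the original URL itself may contain underscores.
    original, sep, blob = rest.lstrip("_").rpartition("_")
    original = original.rstrip("_")  # tolerate a run of separator underscores
    try:
        parts = urlsplit(original)
    except ValueError:
        return ("V2", None, None)
    if not sep or parts.scheme not in ("http", "https") or not parts.hostname:
        return ("V2", None, None)
    return ("V2", original, blob)

def triage(urls):
    """Map each link to the hostname to investigate, or to a status string."""
    out = []
    for u in urls:
        r = extract_original(u)
        if r is None:
            out.append("not-rewritten")
        elif r[1] is None:
            out.append(r[0] + ":undecoded")
        else:
            out.append(urlsplit(r[1]).hostname)
    return out

SAMPLES = [  # constructed links, not real Avanan output
    "https://url.avanan.click/v2/_https://login.example.com/reset?id=a_b_CONSTRUCTEDBLOB123",
    "https://avanan.url-protection.com/v1/CONSTRUCTED",
    "https://url.avanan.click.example.net/v2/_https://a.example/_X",
    "https://url.avanan.click/v2/no-underscores",
]
```

The recovered URL is for triage only: the parser does not verify the encrypted blob, so a forged link can embed any URL it likes.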

Click-Time Protection - End-User Experience

Once enabled, all links contained in an incoming email are replaced with an Avanan link.

The link presents a tool-tip with the original URL, indicating that the link is protected by Avanan.

Note: Formatted tooltips are available on Microsoft Outlook for Mac, Outlook Web Access, and many other clients. Some clients, such as Outlook for Windows, limit the ability to present tooltips and will present the raw rewritten URL.

When the user clicks on the link, Avanan checks the target URL. If it is determined to be benign, the user continues without interruption. If it is determined to be malicious, the user is forwarded to a warning page.

Depending upon the company’s policy choice, the user may be provided a link to the malicious page.

Configuring Click-Time Protection Policy

To configure Click-Time Protection policy:

  1. Navigate to Policy.
  2. Click Add a New Policy Rule.
  3. Select the desired SaaS application under Choose SaaS drop-down.
  4. Select Click-Time Protection under Choose Security drop-down and click Next.
  5. Choose Scope for the policy.
  6. Under Links Replacing, choose where to replace the links for the email.
    • Email body
    • Email body and attachments
  7. Under Severity, select the severity of the events generated by Click-Time Protection security engine.
    • Auto
    • Critical
    • High
    • Medium
    • Low
    • Lowest
  8. Click Save and Apply.

Click-Time Protection Exceptions

Click-Time Protection allows administrators to add exceptions for domains and URLs that need to be blocked, allowed, or ignored regardless of whether they are malicious.

To configure Click-Time Protection exceptions:

  1. Navigate to Configuration > Click-Time Protection Exceptions.
  2. Click Add New Exception.
  3. Under Domain, enter the required domain in the Domain pattern: domain.com format.
  4. Choose the required exception type under List Name.
    • Block-list - Click-Time Protection engine automatically flags this URL as malicious without even scanning it.
    • Allow-list - Click-Time Protection engine automatically flags this URL as clean without even scanning it.
    • Ignore-list - Click-Time Protection engine will not replace this URL.
  5. Click OK.

Forensics

Each stage of the Click-Time Protection process is recorded for forensic and auditing purposes, from the original URL substitution event to the result of the time-of-click scan.

Click-Time Protection processes the events as Malicious Url and Malicious Url Click.

  • A Malicious Url event is recorded when a user clicks on the rewritten URL and is redirected to the warning page.
  • A Malicious Url Click event is recorded when the user clicks Proceed anyway on the warning page.

Note - Malicious Url Click is available depending on your company’s policy.

For multiple recipients, each URL click would generate an event. Events are aggregated by default.

Viewing the replaced links and user clicks:

  • From the Email Profile page
    • Under Security Stack, for Click-Time Protection, administrators can view:
      • Replaced Links - All the links replaced by Click-Time Protection engine in the email body and its attachments
      • User Clicks – All the clicks performed by users (for clean and malicious websites)
    • Under Email Attachments, attachments with replaced links will be marked with a small icon.
  • From the Attachment Info page, administrators can see all the Replaced Links in the attachment.

Note - The User Clicks can only be seen from the Email Profile page.