Proofpoint URL Defense
Overview
Proofpoint URL Defense rewrites URLs in email messages to route clicks through Proofpoint's analysis infrastructure. When a user clicks a rewritten URL, Proofpoint performs real-time analysis of the destination before allowing or blocking access. This provides click-time protection - even if a URL was clean when the email was delivered, it will be analyzed again at the moment the user clicks.
URL Defense is a critical layer of protection because many attacks use time-delayed weaponization: a URL is clean when the email is sent but becomes malicious hours or days later.
Key Concepts
URL Rewriting
Proofpoint rewrites URLs in email bodies and HTML attachments. The rewritten URL format is:
https://urldefense.proofpoint.com/v2/url?u=<encoded_original_url>&d=<domain_key>&c=<context>&r=<recipient_hash>&m=<message_hash>&s=<signature>&e=
Version 3 format:
https://urldefense.com/v3/__<encoded_url>__;!!<encoded_chars>!<signature>$
URL Rewrite Components
| Component | Description |
|---|---|
u | URL-encoded original URL (v2) |
d | Domain key for the organization |
c | Context identifier |
r | Recipient hash |
m | Message hash |
s | HMAC signature for integrity |
e | Empty (reserved) |
Click-Time Analysis
When a user clicks a rewritten URL, Proofpoint performs:
- URL reputation check - Is this URL on known blocklists?
- Real-time sandbox - Load the page in a sandbox and check for malicious content
- Redirect chain following - Follow all redirects to the final destination
- Content analysis - Check for credential harvesting forms, drive-by downloads
- Verdict delivery - Allow, warn, or block based on analysis
Click-Time Verdicts
| Verdict | User Experience | Description |
|---|---|---|
allow | User proceeds to destination | URL is clean |
warn | Warning interstitial page | URL is suspicious but not confirmed malicious |
block | Block page shown | URL is confirmed malicious |
isolate | Opened in browser isolation | URL is risky, opened in safe container |
URL Encoding in v2
In the v2 rewrite format, the original URL is encoded:
-replaces/_replaces=- Standard URL encoding for other special characters
URL Encoding in v3
In the v3 format, the original URL uses a different encoding:
__delimiters surround the encoded URL- Special characters are encoded in the trailing
!!section - The
$terminates the URL
Field Reference
URL Analysis Fields
| Field | Type | Description |
|---|---|---|
originalUrl | string | The original URL before rewriting |
rewrittenUrl | string | The Proofpoint-rewritten URL |
verdict | string | allow, warn, block, isolate |
threatId | string | Threat ID if URL is malicious |
classification | string | malware, phish, spam, clean |
firstSeen | datetime | When the URL was first observed |
lastSeen | datetime | Most recent observation |
clickCount | int | Number of clicks on this URL |
blockCount | int | Number of times clicks were blocked |
redirectChain | string[] | Full redirect chain to final URL |
finalUrl | string | Final destination after redirects |
certificate | object | SSL certificate details of the destination |
Decoded URL Fields
| Field | Type | Description |
|---|---|---|
encodedUrl | string | The Proofpoint-rewritten URL provided |
decodedUrl | string | The original URL extracted |
version | string | Rewrite version (v2 or v3) |
valid | boolean | Whether the URL is a valid Proofpoint rewrite |
MCP Tools
| Tool | Description | Key Parameters |
|---|---|---|
proofpoint_url_decode | Decode a Proofpoint-rewritten URL | url |
proofpoint_url_analyze | Analyze a URL for threats | url |
proofpoint_url_get_clicks | Get click activity for a URL | url, sinceSeconds |
proofpoint_url_get_verdict | Get the current verdict for a URL | url |
proofpoint_url_batch_decode | Decode multiple URLs at once | urls[] |
Common Workflows
Decode a Rewritten URL
- User or analyst provides a Proofpoint-rewritten URL
- Call
proofpoint_url_decodewith the full rewritten URL - Return the original decoded URL
- Optionally call
proofpoint_url_analyzeto check the URL's current threat status
Investigate a Suspicious URL
- Call
proofpoint_url_analyzewith the URL - Review the verdict, classification, and redirect chain
- If malicious, call
proofpoint_url_get_clicksto see who clicked - Cross-reference with TAP click events for full context
- If the URL is being used in an active campaign, escalate to threat intelligence
Bulk URL Decoding
- Extract all Proofpoint-rewritten URLs from an email or document
- Call
proofpoint_url_batch_decodewith the array of URLs - Review the decoded URLs for any suspicious destinations
- Check each decoded URL against threat intelligence
Click Activity Investigation
- Identify a suspicious URL from TAP events or quarantine
- Call
proofpoint_url_get_clickswith the URL - Review which users clicked and when
- Check whether clicks were permitted or blocked
- For permitted clicks, assess whether credentials may be compromised
- Initiate password resets for users who clicked on credential harvesting URLs
URL Verdict Monitoring
- Call
proofpoint_url_get_verdictfor a URL that was previously clean - Check if the verdict has changed (URLs can become malicious after delivery)
- If the verdict changed to
block, check if any users received emails containing the URL - If users received the URL before it was blocked, initiate search-and-destroy
URL Decoding Reference
Manual v2 Decoding
To manually decode a v2 Proofpoint URL:
- Extract the
u=parameter value - Replace
-with/ - Replace
_with= - URL-decode the result
Input: https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_path-3Fparam-3Dvalue&d=...
Step 1: https-3A__example.com_path-3Fparam-3Dvalue
Step 2: https-3A//example.com/path-3Fparam-3Dvalue
Step 3: https-3A//example.com/path-3Fparam=value
Step 4: https://example.com/path?param=value
Manual v3 Decoding
To manually decode a v3 Proofpoint URL:
- Extract the content between
__delimiters - Decode special characters from the
!!section - Replace encoded characters in the URL
Input: https://urldefense.com/v3/__https://example.com/path__;!!ABC123!def$
Output: https://example.com/path
Note: Always use the proofpoint_url_decode tool rather than manual decoding to ensure accuracy.
Error Handling
Common API Errors
| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid URL format | Ensure the URL is a valid Proofpoint-rewritten URL |
| 400 | Unsupported URL version | Only v2 and v3 formats are supported |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | URL Defense API not enabled | Ensure your license includes URL Defense API |
| 404 | URL not found | The URL may not have been processed by Proofpoint |
| 429 | Rate limit exceeded | Implement backoff |
Decoding Failures
| Issue | Cause | Resolution |
|---|---|---|
| Invalid signature | URL was modified after rewriting | The URL may have been truncated or altered |
| Unknown version | URL does not match v2 or v3 format | It may not be a Proofpoint URL |
| Expired URL | URL is older than the retention period | Original URL cannot be recovered from the API |
Best Practices
- Always use the API to decode - Manual decoding is error-prone; use
proofpoint_url_decode - Check verdicts at click time - A URL clean at delivery may be malicious when clicked
- Monitor click activity - Track which users are clicking rewritten