What is Time of Click URL protection?
03/26/2020
Available in firmware 10.0.x and newer, Time of Click URL protection rewrites unknown URLs found in the subject and body of inbound and outbound email messages. It detects malicious URLs in real time, when the user clicks on the URL. It is an incremental addition to the previously available Advanced URL Protection feature, which detects malicious URLs at the gateway during email delivery. The feature is activated by default for customers with a Capture ATP license.
To use this feature:
- Navigate to MANAGE | Security Services | Time of Click.
- Under Basic Setup Checklist, there are two choices:
  - To enable the feature for inbound messages, click the circle next to "URL rewriting for inbound email is disabled".
  - To enable the feature for outbound messages, click the circle next to "URL rewriting for outbound email is disabled".
- Once a URL has been rewritten and the Capture service has determined that it is a threat and should not go further, a default block page pops up and prevents the user from continuing.
- To customize the Block Page text, under Configure Block Page, check the box next to "The block page should not allow the email recipient to proceed to the original URL" and, in the text box, type the optional text to be displayed at the bottom of the block page.
- Click Submit.
- Under Exception Management, specify the email addresses of people (senders) and companies (sender domains) whose messages do not need URL rewriting.
- Click the Inbound or Outbound tab, then click Add Exception and, in the popup text box, type the email addresses and URL domains that should be exempt from rewriting.
- The following types of addresses and URL domains can be specified:
  - Sender email address
  - Recipient email address
  - Sender email domain
  - URL Domain
  - IP Address
- Click Add when done, or Cancel to cancel your selection.
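To make the effect of the exception types concrete, here is an added sketch (not SonicWall code) of a gateway-side rewrite pass that honours such a list. The rewrite prefix, the matching semantics and the reading of "IP Address" as a URL host written as an IP literal are all assumptions; the product's actual behaviour is not documented on this page.

```python
import ipaddress
import re
from urllib.parse import quote, urlsplit

# Hypothetical check-service prefix; the product's real rewritten-URL format is not shown here.
REWRITE_PREFIX = "https://toc.example.invalid/check?u="
URL_RE = re.compile(r"https?://[^\s<>]+")

def domain_matches(host, domain):
    """Assumed semantics: exact match, or a subdomain on a label boundary."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def message_exempt(sender, recipient, exc):
    """Sender address, recipient address and sender domain exempt the whole message."""
    sender, recipient = sender.lower(), recipient.lower()
    return (sender in exc.get("sender_address", ())
            or recipient in exc.get("recipient_address", ())
            or any(domain_matches(sender.rpartition("@")[2], d)
                   for d in exc.get("sender_domain", ())))

def url_exempt(url, exc):
    """URL domain exceptions match per URL; IP exceptions are assumed to match IP-literal hosts."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(domain_matches(host, d) for d in exc.get("url_domain", ()))
    return any(ip == ipaddress.ip_address(a) for a in exc.get("ip_address", ()))

def rewrite_body(sender, recipient, body, exc):
    """Return body with every non-exempt URL pointed at the check service."""
    if message_exempt(sender, recipient, exc):
        return body
    return URL_RE.sub(
        lambda m: m.group(0) if url_exempt(m.group(0), exc)
        else REWRITE_PREFIX + quote(m.group(0), safe=""),
        body)

# Constructed sample exception list and message body.
EXCEPTIONS = {"sender_domain": {"partner.example"}, "url_domain": {"intranet.example"},
              "ip_address": {"192.0.2.10"}}
BODY = ("invoice: http://files.example.net/inv.pdf "
        "wiki: https://docs.intranet.example/page "
        "lookalike: https://intranet.example.lookalike.test/login "
        "host: http://192.0.2.10/status")

if __name__ == "__main__":
    print(rewrite_body("alice@vendor.example", "bob@corp.example", BODY, EXCEPTIONS))
```

Every exception removes the time-of-click check for whatever it matches, so in this model a sender-domain entry exempts all URLs in that sender's mail, while the lookalike host that merely begins with an exempt domain is still rewritten.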
SonicWall Capture ATP – URL Analysis
- Scans for URLs that download malicious files
- Looks for malicious content on the URL page
- Looks at the behavior of the URL page
User clicks rewritten URL:
- A secure HTTPS session redirects the user to the Capture web service
- Time of click anti-phishing API
- Time of click check against Capture thumbprints, with the analysis verdict available at time of click (ToC)
Based on the verdict, the user is either directed to the clean URL or receives a block page for a malicious/phishing URL, with an option to proceed at their own risk.