How Does Targeted Threat Protection - URL Protect Work?

Document created by user.oxriBaJeN4 Employee on Sep 7, 2015. Last modified by user.oxriBaJeN4 Employee on Jul 11, 2019.
Version 15

This guide describes what happens when end users click on URL links embedded in inbound mail. The behaviors described below depend on the settings configured by your administrator in a URL Protect Definition.




Mimecast's Targeted Threat Protection - URL Protection service rewrites the URL links in inbound mail, including those found in .TXT and .HTML attachments. A layered security check is performed on the destination site when users click on a link from a message. In addition, following the initial URL link check, Mimecast determines whether the link downloads a file directly and scans that file for potentially malicious content.

If a rewritten URL is sent outbound through Mimecast, the URL reverts to its original form.
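The rewrite-and-revert round trip described above, sketched as an added example (not Mimecast's code). The gateway host and the rewritten-link format are hypothetical, since this page does not show the real format, and the sample message bodies are constructed.

```python
import re
from urllib.parse import quote, unquote

# Hypothetical click-time gateway prefix (assumption, not the service's real format).
GATEWAY = "https://protect.example.invalid/s/"

# http(s) URLs up to whitespace, quotes or angle brackets: works for TXT and HTML bodies.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Sentence punctuation that commonly trails a URL in plain text but is not part of it.
TRAILING = ".,;:!?)"
# A rewritten link is the gateway prefix followed by a percent-encoded original URL.
REWRITTEN_RE = re.compile(re.escape(GATEWAY) + r"([A-Za-z0-9%._~-]+)")


def rewrite_inbound(body: str) -> str:
    """Point every link in a message body (or a .TXT/.HTML attachment) at the gateway."""
    def repl(match: re.Match) -> str:
        url = match.group(0)
        if url.startswith(GATEWAY):
            return url  # already rewritten: keep the operation idempotent
        core = url.rstrip(TRAILING)
        tail = url[len(core):]
        # Encode the whole original URL so it travels as one opaque path segment.
        return GATEWAY + quote(core, safe="") + tail
    return URL_RE.sub(repl, body)


def revert_outbound(body: str) -> str:
    """Restore the original links when a rewritten message is sent outbound."""
    return REWRITTEN_RE.sub(lambda m: unquote(m.group(1)), body)


if __name__ == "__main__":
    # Constructed sample bodies.
    html = '<p>Invoice: <a href="http://files.example.test/inv.zip">download</a></p>'
    txt = "See https://portal.example.test/login?next=%2Fhome, then reply."
    for original in (html, txt):
        rewritten = rewrite_inbound(original)
        print(rewritten)
        print(revert_outbound(rewritten) == original)
```

The click-time security check itself would run at the gateway when the rewritten link is requested; it is outside the scope of this sketch.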

What happens next depends on whether the URL is considered safe or harmful:

  • If the link is considered safe, users are redirected to the original destination site without intervention.
  • If the link is considered unsafe, the message a user receives depends on the settings configured by the administrator.


When a user clicks on a link, they will initially be presented with a security check message in their browser. This message is shown for every clicked URL, before any checks are conducted.

If the security check is delayed after the user is presented with the initial browser message, an email is sent to their inbox containing further details of the detection. The user is notified of this delay in their browser, so they know to expect the follow-up message.

Scanned URLs in Mail and Attachments


If enabled, Mimecast checks to ensure there are no malicious URLs contained in mail and attachments. One of the following actions takes place:

  • If the account has been configured to block all unsafe URLs when they are detected, users are not taken to the URL's destination site. Instead, they receive the notification displayed on the right in their browser. 

    The threat is displayed, but users have no option but to close the browser window. They can click on the Show More link in the dialog for more information on why the link was considered unsafe.
  • If the account has been configured to warn users when an unsafe link is detected, the user is not taken to the original destination. Instead, they receive the following notification in their browser, allowing them to choose whether it's safe to proceed:

    The threat is displayed, but users have the option to click on the Accept Risk and Continue button. Safety Tips will also appear at random within these messages to provide additional security information. Users can click on the Previous or Next buttons to view more tips.


Scanned URLs to File Downloads


If the "URL File Download" check is enabled in the URL Protection Definition, Mimecast scans for potentially malicious content in files that download directly when a user clicks on a link. The following file types are searched for:

  • HTML
  • TXT
  • All Microsoft Office file formats
  • All Open Office file formats
  • Archived files in ZIP, BZIP, GZIP, JS, RAR, TAR, LHA, LZH and XZ format.
  • PDF

Users can download the scanned file via the email notification for 12 hours, after which time they will be taken through the checking process again.

Following the security scan, if one of the file types listed above is detected, one of three actions can take place. This depends on the "Action" settings configured in the URL Protection Definition.

  • If the account has been configured to warn users when a file is detected, the user receives the following notification in their browser. They can choose to click on the Accept Risk and Download button to continue if they feel the download is safe. 

  • If the account has been configured to block users when a file download is detected, the user receives the following notification in their browser. This page lets the user know that access to the download is blocked, and they should contact their administrator for more information.

  • If you are using sandboxing with Attachment Protect, we'll send the attachment to the sandbox before releasing it to the end user. If the file is determined to be harmful, the block message described in the previous bullet displays. If the file is clean, the following page displays. The user can access the file download directly by clicking on the Download button.

    For Journal and Outbound mail, the only option is to sandbox any detected files to determine if they are harmful or safe before notifying the user.
