This guide describes what happens when end users click on URL links embedded in inbound mail. The following behaviors are dependent on the settings configured by your administrator in a URL Protect Definition.
Mimecast's Targeted Threat Protection - URL Protection service re-writes the URL links, including those found in .TXT and .HTML attachments. A layered security check is performed on the destination site when users click on a link from a message. In addition following the initial URL link check, Mimecast determines if the link downloads to a file directly and scans for potentially malicious content in the file.
- If the link is considered safe, users are redirected to the original destination site without intervention.
- If the link is considered unsafe, the messages a user receives depends on the settings configured by the administrator.
When a user clicks on a link, they will initially be presented with a security check message in their browser. This is used for all URLs that are clicked on prior to any checks being conducted.
If the security check is delayed after the user is presented with the initial browser message, an email is sent to their inbox containing further details of the detection. The user is notified of this delay in their browser, so they know to expect the follow up message.
Scanned URLs in Mail and Attachments
- If the account has been configured to block all unsafe URLs when they are detected, users are not taken to the URL's destination site. Instead, they receive the notification displayed on the right in their browser.
The threat is displayed, but users have no option but to close the browser window. They can click on the Show More link in the dialog for more information on why the link was considered unsafe.
- If the account has been configured to warn users when an unsafe link is detected, the user is not taken to the original destination. Instead, they receive the following notification in their browser, allowing them to choose whether it's safe to proceed:
The threat is displayed, but users have the option to click on the Accept Risk and Continue button. Safety Tips will also appear at random within these messages to provide additional security information. Users can click on the Previous or Next buttons to view more tips.
Scanned URLs to File Downloads
If the "URL File Download" check is enabled in the URL Protection Definition, Mimecast scans for potentially malicious content in files that download directly when a user clicks on a link. The following file types are searched for:
Following the security scan, if one of the file types listed above is detected, one of three actions can take place. This depends on the "Action" settings configured in the URL Protection Definition.
- If the account has been configured to warn users when a file is detected, the user receives the following notification in their browser. They can choose to click on the Accept Risk and Download button to continue if they feel the download is safe.
- If the account has been configured to block users when a file download is detected, the user receives the following notification in their browser. This page lets the user know that access to the download is blocked, and they should contact their administrator for more information.
- If you are using sandboxing with Attachment Protect, we'll send the attachment to the sandbox before releasing it to the end user. If the file is determined to be harmful, the block message from point 2 displays. If the file is clean, the following page displays. The user can access the file download directly by clicking on the Download button.
For Journal and Outbound mail, the only option is to sandbox any detected files to determine if they are harmful or safe before notifying the user.