CloudGuard SaaS - Click-Time URL Protection
Solution
This page describes the Click-Time URL Protection (CTUP) feature in CloudGuard SaaS Threat Protection.

Table of Contents:

  • Introduction
  • User experience
    • Links in Emails
    • Click Time Protection Workflow
  • Events
  • Exceptions
  • Limitations

Introduction


CloudGuard SaaS protects emails against phishing attacks by inspecting all emails after they have been scanned by Microsoft (Office 365 Mail) or Google (Gmail). In inline mode, emails are inspected before delivery to the end-user mailbox, so an email that contains a malicious URL is inspected before it reaches the user.

However, more sophisticated attacks use compromised servers that appear benign when the email is delivered and only afterwards point the URL to a malicious site. To neutralize such attacks, Click-Time URL Protection (CTUP) evaluates the URL every time a user clicks on the rewritten link. If the URL is found to be malicious, the user is either blocked from accessing it or allowed to proceed, according to company policy. In that case, the action is logged in the CloudGuard SaaS portal.
 
Click-Time URL Protection is available for Office 365 Mail and Gmail.


How to activate CTUP in your CloudGuard SaaS portal


1. Log into the CloudGuard SaaS portal.

2. If your portal has 2 main tabs called Threat Protection and Identity Protection, navigate to Threat Protection\Config. Otherwise, navigate to Email & Storage\Config.

3. Under Config, select the menu Click Time Protection Settings. By default, the selected workflow should be Do Nothing. To activate the feature, select an alternative workflow. (Refer to the next section for end user experience based on the chosen workflow.)



4. Navigate to the Policy tab and click on Add New Policy Rule.

5. Select your cloud email app (Office 365 Mail or Gmail) and under Security choose ClickTime Protection.



6. Define the rule scope and expand the Advanced section to configure alerts. 

7. Click Save and Apply to finish.

User experience


To apply CTUP, CloudGuard SaaS rewrites the URLs in the email.
When a link is formatted as a hyperlink in an email, the end user sees no visible change.

In the example below, the email signature contains the hyperlink www.checkpoint.com and therefore shows up differently after it has been rewritten.



When links are not formatted as hyperlinks, the end-user sees the rewritten URL.
In the example below, the email signature contains the link www.checkpoint.com, not formatted as a hyperlink.


Click-Time Protection Workflow

1. If you select the workflow "Prevent access to the malicious URL. User cannot proceed": a user who clicks on a rewritten URL that was found malicious is redirected to the following page:



2. If you, as an admin, select the workflow "Prevent access to the malicious URL. User has option to proceed": a user who clicks on a rewritten URL that was found malicious is redirected to the following page:


Events


Two types of events can be generated by CTUP:

1. Malicious URL: generated for each rewritten URL that a user clicked and that was found malicious, before the user is allowed to proceed.



2. Malicious URL click: generated each time a user clicks the link Proceed anyway for a malicious URL. (This link is available on the landing page if your selected CTUP workflow is "Prevent access to the malicious URL. User has option to proceed".) Both types of events are created in this case.



Exceptions


You can create exceptions of 3 types for the Click-Time URL Protection feature:
  • Block List: URLs that are part of the Block List are handled as if found to be malicious by CTUP. The CTUP workflow applies as defined.
  • Allow List: URLs that are part of the Allow List are handled as if found to be benign by CTUP.
  • Ignore List: URLs that are part of the Ignore List will not be rewritten by CTUP.

To configure exceptions:

1. Log into the CloudGuard SaaS portal.

2. If your portal has 2 main tabs called Threat Protection and Identity Protection, navigate to Threat Protection\Config. Otherwise, navigate to Email & Storage\Config.

3. Under Config, select the menu Click Time Protection Exceptions.



4. Click New to create a new exception. 
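
The following Python model is an added example, not Check Point code. It shows how the exception lists, the two blocking workflows and the two event types described above interact when a destination turns malicious after delivery. The rewriter endpoint, the token scheme, exact-match list lookups and the Block-before-Allow precedence are assumptions made for illustration; all sample URLs and addresses are constructed.

```python
from dataclasses import dataclass, field

REWRITER = "https://ctup.example.invalid/c/"   # hypothetical rewriter endpoint

@dataclass
class Ctup:
    workflow: str                      # "block" or "block_or_proceed"
    block_list: set = field(default_factory=set)
    allow_list: set = field(default_factory=set)
    ignore_list: set = field(default_factory=set)
    links: list = field(default_factory=list)    # token -> (url, recipient)
    events: list = field(default_factory=list)

    def rewrite(self, url, recipient):
        if url in self.ignore_list:    # Ignore List: never rewritten
            return url
        self.links.append((url, recipient))
        return f"{REWRITER}{len(self.links) - 1}"

    def click(self, rewritten, is_malicious, proceed_anyway=False):
        url, recipient = self.links[int(rewritten[len(REWRITER):])]
        # Assumed precedence: Block List, then Allow List, then live verdict.
        if url in self.block_list:
            malicious = True
        elif url in self.allow_list:
            malicious = False
        else:
            malicious = bool(is_malicious(url))   # evaluated on every click
        if not malicious:
            return "redirect"
        # Event user is the original recipient, not necessarily the clicker.
        self.events.append(("Malicious URL", recipient, url))
        if self.workflow == "block_or_proceed" and proceed_anyway:
            self.events.append(("Malicious URL click", recipient, url))
            return "redirect"
        return "blocked"

def demo():
    url = "http://shop.example/invoice"          # constructed sample data
    verdicts = {url: False}                      # benign at delivery time
    ctup = Ctup("block_or_proceed", ignore_list={"https://intranet.example/"})
    link = ctup.rewrite(url, "alice@corp.example")
    untouched = ctup.rewrite("https://intranet.example/", "alice@corp.example")
    results = [ctup.click(link, verdicts.get)]   # still benign: redirect
    verdicts[url] = True                         # destination turns malicious later
    results.append(ctup.click(link, verdicts.get))
    results.append(ctup.click(link, verdicts.get, proceed_anyway=True))
    return untouched, results, ctup.events

if __name__ == "__main__":
    print(demo())
```
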



Limitations

  1. The user shown in a CTUP event (both event types) is always the initial recipient of the email containing the rewritten URL. This user is not necessarily the user who clicked the link.
  2. For the same URL, up to 100 events may be created.
  3. CTUP events are currently shown in the New state instead of Remediated.
  4. Email appearance changes when URLs that were not originally formatted as hyperlinks are rewritten, which may impact user experience (see User Experience section > Links in emails).

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
