URL rewriting is a security technique that intercepts and modifies URLs within emails, redirecting links through security infrastructure for analysis and threat assessment before allowing users to access them. The technology replaces original URLs in email messages with modified versions that route through an organization's security platform, enabling real-time threat assessment and blocking of malicious content at click-time rather than only at delivery time.
How URL Rewriting Works
When an email passes through a security platform with URL rewriting enabled, the system scans the message and replaces each hyperlink with a new URL that routes through the security infrastructure. When a user clicks the rewritten link, the security platform intercepts the request, performs real-time analysis of the destination, and either allows the connection or blocks access if the destination is determined to be malicious.
This approach protects against threats that change after email delivery. A URL that points to legitimate content at delivery time but is later modified to serve a malicious payload can be blocked at click-time, because the rewritten link is evaluated against the current state of the destination.
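The delivery-time rewrite and click-time check described above, as an added sketch that is not taken from any product or from the original page. The gateway URL, key, sample message and blocklist are constructed, and the HMAC signature that keeps the gateway from redirecting to links it did not issue is an assumption of this sketch.

```python
import base64, hashlib, hmac, re
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://gateway.example/click"  # hypothetical gateway endpoint (assumption)
KEY = b"constructed-demo-key"              # constructed signing key
MAIL = "Your invoice is ready: https://files.example.net/invoice.html"  # constructed
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _sign(key: bytes, url: str) -> str:
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()

def rewrite_links(body: str, key: bytes) -> str:
    """Delivery time: replace every link with a signed gateway URL."""
    def wrap(match):
        url = match.group(0)
        token = base64.urlsafe_b64encode(url.encode()).decode()
        return GATEWAY + "?" + urlencode({"u": token, "s": _sign(key, url)})
    return URL_RE.sub(wrap, body)

def resolve_click(rewritten: str, key: bytes, blocked_hosts: set):
    """Click time: verify the link, then judge the destination as of now."""
    qs = parse_qs(urlsplit(rewritten).query)
    try:
        url = base64.urlsafe_b64decode(qs["u"][0]).decode()
        sig = qs["s"][0]
    except (KeyError, ValueError):
        return ("reject", None)              # malformed gateway link
    if not hmac.compare_digest(sig.encode(), _sign(key, url).encode()):
        return ("reject", None)              # not issued by this gateway
    host = (urlsplit(url).hostname or "").lower()
    return ("block", url) if host in blocked_hosts else ("allow", url)

def demo():
    link = URL_RE.search(rewrite_links(MAIL, KEY)).group(0)
    before = resolve_click(link, KEY, set())                 # verdict at delivery
    after = resolve_click(link, KEY, {"files.example.net"})  # intel updated later
    tampered = resolve_click(link.replace("s=", "s=0"), KEY, set())
    return before, after, tampered

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```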
Benefits of URL Rewriting
Post-Delivery Protection: URL rewriting protects against threats that evolve after initial email delivery, including time-of-click attacks where content changes to become malicious after passing initial security scans.
Centralized Visibility: All link clicks generate logs in the security platform, providing security teams with visibility into user click behavior and potential phishing interactions.
Real-Time Blocking: Security platforms can update threat intelligence in real time, blocking newly identified malicious domains even for emails already delivered to user inboxes.
Limitations and Exploitation Risks
Sophisticated threat actors exploit URL rewriting systems by compromising legitimate email accounts and leveraging the organization's own security infrastructure to legitimize malicious links. Since the security platform rewrites and validates links from trusted senders, attackers who control trusted accounts can use this mechanism to make their malicious links appear pre-approved. This exploitation technique represents a significant challenge for organizations relying heavily on URL rewriting as a primary defense.