Bsrgvty

In a large organization (e.g., a city staff), relying on human behavior to prevent phishing attacks isn't nearly effective enough. While it would be somewhat inconvenient (security usually is), I'm thinking of an approach whereby the email client would redact all URLs in a message. Not only make the URLs inactive, but eliminating them entirely. For example, something like this:

Click here to see our new report on property taxes:

[URL removed]

If there really is a new report, and if the city staffer really wants to see it, he or she can go to the website and track down the report. If the user goes to the website through a password manager or a bookmark, there's no way the bogus site will be reached instead of the real site. (A phishing attack involving a site that the user is unfamiliar with, and therefore has no login for, wouldn't be a phishing attack.)

While not all phishing attacks involve URLs in emails, my guess is that 99% of them probably do.

I'd appreciate some comments on whether you think this would be effective in reducing phishing attacks. I'm less interested in whether the absence of URLs presents an inconvenience, as I know it does.

(Forcing the email client to operate in text mode only removes the linkage; the URL is still there.)

First of all, it would be a usability nightmare.

Second, it wouldn't even fix the problem it purports to. While it could be effective to phishing mails designed for 'normal' clients, attacks designed to suir such systems would probably be even more effective.

The users of such networks would be used to using all kind of alternative ways to refer to urls. Suppose I wanted to link to this question and ask you to upvote my answer, as you don't allow me to write https://security.stackexchange.com/questions/215871/redacting-urls-as-an-email-phishing-preventative I could say:

• security.stackexchange.com/questions/215871/redacting-urls-as-an-email-phishing-preventative


• https:/ /security.stack exchange.com/questions/215871/redacting-urls-as-an-email-phishing-preventative


• Go to security SE question 215871


• bitly 2ZoZiTS


• Link sent to your personal mail


• Please call to 555-0123 so I can give you the actual url


• Search "Redacting URLs as an email-phishing preventative?" in Google


• See last active question


• hotel tango tango papa sierra colon double slash sierra echo charlie uniform romeo india tango yankee dot sierra tango alpha charlie kilo echo xray charlie hotel alpha november golf echo dot charlie oscar mike slash quebec uniform echo sierra tango india oscar november sierra slash two one five eight seven one slash romeo echo delta alpha charlie tango india november golf dash uniform romeo lima sierra dash alpha sierra dash alpha november dash echo mike alpha india lima dash papa hotel india sierra hotel india november golf dash papa romeo echo victor echo november tango alpha tango india victor echo


• Url sent in an attachment

Note that some malicious mails already use urls in attachments as a way to [attempt to] bypass email filters. You might think "I will just strip urls from attachments, too", but that will cause havoc when the documents your users are redacted get silently corrupted by the email system. The formatting may possibly break everywhere, too. Not to mention that such endeavor might require you to be able to (properly) recognize and edit almost every existing file format.

Additionally, your legal department will probably bar you completely from modifying the invoices (received as email attachments), no matter how innocuous the edit.

Also things like recovery links for forgotten passwords would not work at all for your users, either.

But IMHO the main problem would be that the users would be "trained" to do all kind of weird workarounds, a "hidden url" that made them go through such hoops would not raise any suspicion at all.

(And as noted by Joseph Sible, your antispam filter would not be able to examine the obfuscated urls)

Some examples:

• Make the user to search "StackExchangeBank blocked credit card" on Google. Then make a phishing page for the StackExchangeBank appear top by using uncommon words, or even buying ads.


• If you call me so I give you the url that would be otherwise filtered, I can send you to a phishing page, adding some live social engineering to make you it more credible than just a plain email.


• Send them through a url shortener. The user will have no idea where it is getting sent


• The n-th question on the list would obviously change, so it would not guarantee the user to arrive to the "legitimate" question you asked, instead voting on a different question "impersonating" the one he was expected to reach.

A much saner approach would be that you changed the urls to go through a redirecting service of yours. Some email security filters already do that. This way they can check, when the user clicks the link if it is listed on a blacklist (where it might not have been when the email was received), and thus block the access. You might also have it show a Big Scary Warning that they are Not going to a safe website, the moment they try to reach a not-whitelisted site (only those they have credentials to, supposedly). And still, such approach would be somewhat flawed since the users will actually have credentials to more sites than those whitelisted at the proxy to not show the warning, and legitimate sites often decide to put out content of theirs on a new domain (which wouldn't appear on the whitelist, obviously). If there are too many false positives, users will end up paying little attention to them, as it would be 'normal' to receive them.

This isn't a good idea. First of all, "somewhat inconvenient" is a huge understatement. Also, AviD's rule of usability applies here: instead of URLs that computers understand, you'll have instructions on how to type in a URL, which will foil the ability of email scanners to detect that the URL goes to a phishing site.

In addition to humans being able to describe URLs in English to work around the filter, this would break all sorts of automated e-mail verification, account check, and password reset systems that rely on you being able to receive a URL sent by e-mail in order to verify ownership of the address. Some of these systems provide a code that can be copy-pasted into a form, but many provide only a URL.

Your users under this system would not be able to open new accounts at a variety of web sites, and might be locked out of their existing accounts as soon as the service provider demands e-mail verification for e.g. logging in on a new device.

(Disclaimer: I work on one of the top email security solutions. This post is intended to be vendor-neutral.)

At least the leading two enterprise-grade email security gateways offer the ability to rewrite URLs through an extra layer of security run at the time a user clicks the link. This is a safer approach than completely redacting the link. These solutions incorporate extra security checks as well as reporting for remediation in the event that one of the clicked links ends up being malicious, allowing your infosec team to perform damage control.

You could implement a poor-man's version of this by setting up your own URL Shortening service, rewriting links from suspected phish (or everything, though that may annoy your users) and checking the mapping against URI DNSBLs either during the redirection or else periodically with a cron job.

As Ángel's answer states, rewrites only work for URIs your system can recognize. This will never be comprehensive, but hopefully it's a very close match to what your users' mail clients will render as clickable links.