BNL Home

Proofpoint URL Defense

URL Defense adds an additional layer of filtering to email messages originating outside the Lab’s network to help protect our users. When someone clicks a link in one of these emails, instead of going directly to the linked website, the web browser will first be directed to Proofpoint’s servers to be evaluated against their reputation database.

  • If Proofpoint deems the link to be malicious, then users will see a “this is blocked” message on the web page.

  • If Proofpoint deems the link to be benign, then the web browser will proceed to the destination page. In fact, if the link is benign, the momentary stop at the Proofpoint web page may be so quick most users might not notice.

One result of this redirection mechanism is that the links in your emails will look very different if you “hover” over them to check the destination. Instead of seeing the destination link address, users will instead see a link to, followed by an encoded version of the real destination. Here’s an example:

Link as it would appear in an email from outside the Lab’s network:

Link as it would appear if you hover over it:;!!P4SdNyxKAPE!SeXkINun RiEaUE9_uiTYo1zdbvNcmZgmi3nAq0Q3z4RyPHuXVyJCsVP4rFT8pfc$

 When clicking on the re-written URL: and Proofpoint URLs are excluded from this.

Note that the link destination has changed to, but the original destination site ( still appears among the long string of characters. We are conscious of the fact that re-writing links in this manner makes it more difficult for users to verify them. Despite this drawback, we believe this is still a net gain for Lab security.

Cyber Security is never a one-size-fits-all endeavor, and we know that exceptions may be necessary for some users. If you encounter situations where URL Defense breaks functionality, we can work with you to exempt certain trusted web domains (whereby the links pointing to those domains are not re-written), or we can exempt a recipient altogether, choosing not to re-write any links sent in emails to that address.

If you encounter issues with URL Defense, please contact the Cyber Security group at or Ext. 8484. And as always, comments and questions are welcome


Q: Will URLs in a message sent from a email address to email be rewritten?

A: No, only external inbound emails are subject to URL Defense.

Q: Will this mean emails that contain a URL will no longer be able to remain plain text?

A: Plain text messages will remain in plain text, however the URL will be changed to the long Proofpoint link. Anybody using a text-based mail reader can continue to do so. Just be aware the URLs may be less "readable."

Q: How long will Proofpoint be able to decode links?

A: Proofpoint has been around since 2002 and currently claims over half of Fortune 100 companies as customers. If the lab were to switch vendors URLs would still be decoded. If Proofpoint went out of business we would be able to manually decode these links to extract the original URL.

Q: Does this mean I can trust every link?

A: We ask that users remain vigilant, and continue to evaluate re-written links. Though obfuscated, the links will still reveal the destination site that you are being redirected to. For example, the original link:;!!P4SdNyxK.....

Q: Content on a once clean site can change, are links reevaluated?

A:  ProofPoint will continue to re-evaluate links, even weeks after you've received your e-mail.  Should an e-mail be judged to be malicious after the fact, you will receive an automated notification from us, something that looks like this.

Q: URL Defense is breaking functionality in one of my applications, how do we fix it?

A: Please forward a copy of the message as an attachment to and state what is breaking. We have options to whitelist on individual use-cases. Please contact us to discuss the best path forward.

Learn about the latest threats