
Sophos Email: Sophos Time-Of-Click, Microsoft Safelinks, and similar URL re-writing technologies can cause errors

Hi Everyone!

Do you ever get these errors when clicking on a URL link within an email thread? 

OR

If so, then this is because similar technologies are being applied on top of each other, all of them meant to protect users from accessing high risk (malicious) websites.

Basically, what they do is scan inbound emails for URL addresses. Any address that is found is re-written so that it points to the respective security company's web server instead of the original site. Then, if the recipient clicks on the URL link within the email, the request is redirected to the security company first so that the site can be checked for its current reputation (and perhaps other scans). Access to the site is allowed or blocked depending on the result, thereby protecting the user from malicious URLs.

The problem arises though in a scenario where the rewritten URL from one of these technologies is rewritten further by another, thereby increasing the number of characters within the links.

Normally a simple email transaction should not increase the number of characters too much. However, in a busy email thread where a lot of reply emails go back and forth between sender and recipient, the number of characters within the link increases considerably, until the security company's web server is unable to process the request anymore.

The solution is to add the affected re-writing URL to Central Email's URL allow list (Configure > Settings > Email Security > URL allow list). This makes Central Email Time-Of-Click skip re-writing for URLs that have this address.

Below are examples of what can be entered:

For Microsoft Safelinks: 

*.safelinks.protection.outlook.com

For Trustwave Blended Threat Link:

scanmail.trustwave.com

For Trendmicro TMEMS:

*.trendmicro.com

Note that there are other companies out there that have the same/similar services and so the same procedure should still be done. You just need to know the address of their re-writing server.
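The growth described above, and the effect of the allow list, can be reproduced with a small simulation. This is an added example, not Sophos code: the two gateway hosts, the `?url=` wrapper format, the sample link and the wildcard matching are all assumptions constructed for the sketch.

```python
from fnmatch import fnmatch
from urllib.parse import quote, urlsplit

# Hypothetical rewriter hosts and wrapper format, constructed for this sketch;
# real products use their own link formats and extra parameters.
GATEWAY_A = "click.rewriter-a.example"
GATEWAY_B = "eu.rewriter-b.example"


def rewrite(url, own_host, allow_list=()):
    """Wrap url behind own_host unless it is already ours or allow-listed."""
    host = urlsplit(url).hostname or ""
    # Assumption: a gateway does not re-wrap its own links, and allow-list
    # entries are matched against the host as shell-style wildcards.
    if host == own_host or any(fnmatch(host, p) for p in allow_list):
        return url
    # The wrapped link is percent-encoded into a query parameter, so each
    # layer re-encodes every layer beneath it ('%' becomes '%25').
    return f"https://{own_host}/?url={quote(url, safe='')}"


def thread_lengths(original, round_trips, allow_a=(), allow_b=()):
    """Link length after each round trip of a reply thread.

    One round trip = the quoted link passes gateway A, then gateway B.
    """
    url, lengths = original, []
    for _ in range(round_trips):
        url = rewrite(url, GATEWAY_A, allow_a)
        url = rewrite(url, GATEWAY_B, allow_b)
        lengths.append(len(url))
    return lengths


ORIGINAL = "https://intranet.example/docs/report?id=42&view=full"  # constructed

# No allow lists: each gateway wraps the other's output on every pass.
stacked = thread_lengths(ORIGINAL, 6)
# Gateway A allow-lists gateway B's rewriting host, as described above.
fixed = thread_lengths(ORIGINAL, 6, allow_a=("*.rewriter-b.example",))

if __name__ == "__main__":
    for n, (s, f) in enumerate(zip(stacked, fixed), start=1):
        print(f"round trip {n}: stacked={s} chars, with allow list={f} chars")
```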

Thanks!



Edited tags
[edited by: Raphael Alganes at 5:56 AM (GMT -7) on 7 Jun 2023]