How to Set Up URL Defense in Proofpoint

URL Defense is Proofpoint's click-time protection feature that rewrites URLs in emails and analyzes link destinations in real-time when users click them. This protects against malicious links that may have been safe when delivered but became dangerous later.

Prerequisites

Before configuring URL Defense, ensure you have:

• Administrator access to the Proofpoint Essentials console
• URL Defense feature included in your Proofpoint subscription
• Understanding of trusted domains that may need exclusions
• Communication plan to inform users about rewritten links

How URL Defense Works

When URL Defense is enabled:

1. Email Arrival: Proofpoint scans incoming emails for URLs
2. URL Rewriting: All URLs are rewritten to Proofpoint's format
3. User Click: When a user clicks a link, the request goes to Proofpoint
4. Real-Time Analysis: Proofpoint analyzes the destination for threats
5. Access Decision: Safe links proceed; malicious links are blocked

Rewritten URL Format:

Original: https://example.com/page
Rewritten: https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_page&d=...

Step 1: Enable URL Defense

Check Feature Availability

1. Log in to the Proofpoint Essentials Admin Console
2. Navigate to Administration > Account Management
3. Click Features
4. Look for URL Defense in the feature list
5. If not visible, contact your Proofpoint account manager

Enable the Feature

1. In Account Management > Features
2. Locate the Enable URL Defense checkbox
3. Check the box to enable the feature
4. Click Save to apply changes

Note: Changes may take up to 15-30 minutes to propagate across all Proofpoint servers.

Step 2: Access URL Defense Settings

Once enabled, configure URL Defense settings:

1. Navigate to Security Settings in the left sidebar
2. Expand Malicious Content (or Targeted Attack Protection)
3. Click URL Defense

You'll see the following configuration options:

Step 3: Configure URL Rewriting Options

Standard URL Rewriting

The default configuration rewrites all URLs in inbound emails:

1. Ensure Enable URL Rewriting is checked
2. Select Rewrite all URLs for maximum protection
3. Click Save

Selective Rewriting (Advanced)

For organizations needing granular control:

1. Choose Rewrite URLs selectively
2. Configure which URLs to rewrite based on:
   • URL risk score
   • Email spam score
   • Sender reputation

Step 4: Configure Domain Exclusions

Some URLs shouldn't be rewritten. Add exclusions for:

• Internal application links
• Trusted business partner domains
• SSO or authentication portals
• Known SaaS applications that break with rewritten URLs

Add Domain Exclusions

1. In URL Defense settings, find Exclude URLs that contain specified domains/IP addresses
2. Click Add or enter domains in the text area
3. Enter domains one per line:

internal.yourcompany.com
trustedpartner.com
saas-app.com

4. Click Save

Warning: Be cautious when excluding domains. Excluded URLs bypass click-time protection entirely.

Step 5: Configure Sender Exclusions

Exclude specific senders from URL rewriting:

1. Find Exclude rewriting emails sent by specified senders
2. Enter sender email addresses or domains:

[email protected]
*@internal-alerts.yourcompany.com

3. Click Save

When to Use Sender Exclusions

Step 6: Customize the Block Page

When Proofpoint blocks a malicious URL, users see a warning page. Customize it to match your organization:

1. Navigate to Block Page Settings (if available)
2. Configure:
   • Organization logo
   • Custom warning message
   • Contact information for IT support
3. Click Save

Sample Block Page Message

The link you clicked has been identified as potentially malicious.

This page may attempt to steal your credentials or install malware.

If you believe this is an error, please contact the IT Help Desk:
[email protected] | Ext. 4357

Step 7: Test URL Defense

Verify URL Defense is working correctly:

Test URL Rewriting

1. Send a test email containing a URL to a protected user
2. Open the email and inspect the link
3. Verify the URL has been rewritten to urldefense.proofpoint.com
4. Click the link and confirm it resolves correctly

Test Malicious URL Blocking

Proofpoint provides safe test URLs:

1. Send an email containing Proofpoint's test URL (contact support for current test URLs)
2. Click the link in the delivered email
3. Verify the block page appears
4. Confirm the warning message displays correctly

Step 8: Monitor URL Defense Activity

View URL Click Reports

1. Navigate to Reports in the admin console
2. Select URL Defense or Targeted Attack Protection
3. Review metrics:
   • Total URLs analyzed
   • URLs blocked
   • Most clicked URLs
   • Top targeted users

Investigate Blocked URLs

1. Go to Logs > Log Search
2. Filter for URL Defense events
3. Review blocked URL details:
   • Original URL
   • Reason for blocking
   • User who clicked
   • Timestamp

Troubleshooting URL Defense Issues

Links Not Being Rewritten

Symptoms: URLs appear in original format, not Proofpoint format.

Solutions:

1. Verify URL Defense is enabled in Features
2. Check if the sender is on an exclusion list
3. Check if the domain is excluded
4. Wait 30 minutes for settings to propagate
5. Contact Proofpoint support if issues persist

Legitimate Sites Being Blocked

Symptoms: Safe websites trigger the Proofpoint block page.

Solutions:

1. Note the exact URL being blocked
2. Check the block reason in the URL Defense log
3. Submit the URL to Proofpoint for review
4. Temporarily add to exclusion list if urgent
5. Follow up to ensure false positive is resolved

Broken Links After Rewriting

Symptoms: URLs don't work after being rewritten by Proofpoint.

Solutions:

1. Identify the problematic domain
2. Check if URL encoding is causing issues
3. Add the domain to exclusions if necessary
4. Report to Proofpoint for investigation

Users Complaining About Slow Links

Symptoms: Users report delays when clicking links.

Solutions:

1. This is normal (1-3 second analysis time)
2. Educate users about the security benefit
3. Check Proofpoint service status for outages
4. Review network connectivity to Proofpoint servers

Best Practices for URL Defense

1. Start with full protection - Enable for all URLs, then add exclusions as needed
2. Minimize exclusions - Each exclusion creates a potential security gap
3. Document exclusions - Keep a record of why each exclusion was added
4. Review exclusions quarterly - Remove exclusions that are no longer needed
5. Train users - Explain why links look different and what block pages mean
6. Monitor reports - Review URL Defense reports weekly for threats

Understanding URL Defense Reports

Communicating URL Defense to Users

Send a notification to users explaining the feature:

Subject: Important Update to Email Link Protection

We've enabled enhanced link protection for all incoming emails. You'll notice that links in emails now show a different format (urldefense.proofpoint.com). This is normal and provides additional security by checking links when you click them.

What to expect:

• Links in emails will look different
• There may be a brief delay when clicking links
• Dangerous links will show a warning page

If you encounter issues with specific links, please contact IT support.

Next Steps

After configuring URL Defense:

1. Configure email filtering - Set up filter policies
2. Manage sender lists - Configure safe senders and block lists
3. Configure DLP - Prevent data loss

Additional Resources

• Proofpoint URL Defense FAQ
• Troubleshooting URL Defense
• Proofpoint Essentials URL Defense Datasheet

Need help implementing Proofpoint URL Defense? Inventive HQ provides expert email security configuration and user training. Contact us for a free security assessment.