Check Point Email Security | Blog

Security Vendors Do What Their Technology Allows, Not What Customers Really Need

Written by Jeremy Fuchs | March 23, 2022

At Avanan, we pride ourselves on blocking malicious emails before they reach the inbox. We accomplish this through our patented inline positioning. We are the only API vendor that has such a positioning. All others respond to emails after they hit the inbox.

That inline technology allows us to do a plethora of security-related tasks to keep our customers safer. If you're not inline, you're limited as to what you can do.

One way this manifests itself is through URL rewriting, or Click-Time Protection.

By being inline, if the email is malicious, it's blocked, full stop. However, many attack forms use compromised servers that appear benign until after the message has been delivered. 

One example of such an attack is the TattleToken script.

Attackers are using client-side scripts to determine the end user's IP address and altering the URL in order to hide a malicious server from email service providers and security organizations.

This effectively bypasses most post-delivery protections. Instead of putting the malicious URL in the email, hackers link to a redirect server that acts as a gateway, sending queries from a security company to a benign site. Queries from the intended victims are directed to the phishing server.

From the point of view of the security firms, the link in the email is just a simple redirect to a web server like Google. When the victim clicks on the same link, they are redirected to the malicious web server.

However, since Avanan rewrites every link with an Avanan URL, these attacks aren't a problem. When someone clicks on a link, Avanan tests the site before redirecting the user.

We can do this due to our inline positioning.

Vendors who aren't inline may claim that they only need to rewrite URLs in malicious emails, not in clean ones. They present this as a benefit, when in reality it's because their API won't allow them to do anything else. But that plays right into the hacker's hands. Emails that detonate post-delivery are designed to land in the inbox looking clean and only become dangerous after the click. If you don't rewrite every URL, end users will be exposed to exactly these attacks.
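As an added illustration of the click-time protection described above (example code written for this page, not Avanan's or Check Point's implementation), the sketch below rewrites every http(s) link in a message to a hypothetical gateway URL carrying an HMAC-signed token, and shows the gateway re-checking the destination at the moment of the click. The gateway host, signing key, sample message, and scan verdicts are all constructed for the demo; the redirector link is "clean" when the mail is scanned at delivery and "malicious" by the time the user clicks, which is the post-delivery detonation the post describes.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed for this demo: a real gateway keeps its key in a secrets manager
# and serves the redirect endpoint on its own domain.
SIGNING_KEY = b"demo-signing-key-not-for-production"
GATEWAY = "https://clicktime.example.invalid/r"  # hypothetical endpoint

URL_RE = re.compile(r'https?://[^\s<>"\']+')


def _sign(url: str) -> str:
    """HMAC over the original destination, so the gateway resolves only links it issued."""
    return hmac.new(SIGNING_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite_url(url: str) -> str:
    """Wrap one destination in a gateway URL that carries the original and its signature."""
    return f"{GATEWAY}?u={quote(url, safe='')}&sig={_sign(url)}"


def rewrite_body(body: str) -> str:
    """Rewrite every http(s) URL in the message, whatever the delivery-time verdict was.

    Rewriting only links that already look malicious would leave untouched exactly
    the links that are designed to look clean at delivery time.
    """
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def resolve_click(gateway_url: str, scan) -> tuple:
    """Gateway handler run when the user clicks a rewritten link.

    `scan(url)` stands in for the reputation/sandbox check the gateway performs
    at click time and returns "clean" or "malicious".
    Returns ("redirect", original_url) or ("block", reason_or_url).
    """
    params = parse_qs(urlparse(gateway_url).query)
    original = params.get("u", [""])[0]  # parse_qs already percent-decodes once
    sig = params.get("sig", [""])[0]
    if not original or not hmac.compare_digest(sig, _sign(original)):
        return ("block", "invalid or tampered link token")
    if scan(original) == "malicious":
        return ("block", original)
    return ("redirect", original)


# Constructed scenario: the redirector looks benign when the mail is scanned at
# delivery, then starts sending real users to a phishing page afterwards.
REDIRECTOR = "http://redirector.example.invalid/go?id=42"
INTRANET = "https://intranet.example.invalid/policy"
SAMPLE_BODY = f"Please review: {REDIRECTOR} and the policy at {INTRANET}"

DELIVERY_VERDICTS = {REDIRECTOR: "clean", INTRANET: "clean"}
CLICK_VERDICTS = {REDIRECTOR: "malicious", INTRANET: "clean"}


def scan_at_delivery(url: str) -> str:
    return DELIVERY_VERDICTS.get(url, "clean")


def scan_at_click(url: str) -> str:
    return CLICK_VERDICTS.get(url, "clean")


def demo() -> dict:
    """Run the scenario end to end and return the decisions for inspection."""
    rewritten = rewrite_body(SAMPLE_BODY)
    links = URL_RE.findall(rewritten)  # every link now points at the gateway
    # At delivery both originals look clean, so a verdict-gated rewriter
    # would have left them alone.
    delivery = {u: scan_at_delivery(u) for u in (REDIRECTOR, INTRANET)}
    # At click time the gateway re-scans and blocks the redirector.
    clicks = {u: resolve_click(u, scan_at_click) for u in links}
    # A link whose signature was altered is refused outright.
    tampered = links[0][:-1] + ("0" if links[0][-1] != "0" else "1")
    return {
        "rewritten": rewritten,
        "delivery_verdicts": delivery,
        "click_decisions": clicks,
        "tampered_decision": resolve_click(tampered, scan_at_click),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature matters for a reason the post doesn't spell out: an open redirector that forwards to any `u=` parameter would itself become a phishing aid, so the gateway resolves only URLs it signed at rewrite time. A production gateway would additionally log each click decision, which gives the SOC a record of which users clicked a link that later turned malicious.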

Another benefit of being inline? Preventing inbox incursions. An inbox incursion happens when a malicious email hits the inbox before it's remediated. On average, these take three minutes and three seconds to resolve. Yet the average user clicks on a phishing link in 82 seconds. That math just doesn't add up. 

For the security vendors that are not inline, there is simply a limit to what they can do. Therefore, when they talk about not rewriting all URLs, it's because they can't, not because it's what's best for the customer. 

If something "doesn't have to be done", the question is worth asking: Can you actually do it?