ITS

Information Technology Services
Information Technology Services

ATP Link Scanning

UPDATE -  May 2018: Link Scanning will be available for both internal and external emails. (previously only for mail received from external sources)

What is Link Scanning?  

Link Scanning is part of Microsoft Advanced Threat Protection (ATP). This feature rewrites every URL found in an incoming email in order to redirect users through a Microsoft proxy server which checks at the time of click if the URL is safe to view.

When a URL in an email or Microsoft Office Online document is clicked, Link Scanning performs a scan to determine if the hyperlink is malicious. Link Scanning also scans any documents available on that link at the time of click to prevent malicious file downloads to your system.  

If the link is determined to be safe to view, you will proceed as expected; if the link is determined to contain malicious content, your are redirected to a warning page instead. 

Only incoming links are rewritten. When a user writes an email to an external party, the URLs in that message are not rewritten.

What are the benefits of Link Scanning?

  • Because students, faculty, and staff at Queen's share many links while working on projects, Link Scanning helps to prevent inadvertent access to malware through links and attachments. The solution is seamless from a user experience perspective, and the product is unobtrusive, working efficiently in the background.
  • While the content is being scanned, the URLs are rewritten to go through Office 365. The URLs are examined in real time, at the time a user clicks them. If a link is unsafe, the user is warned not to visit the site.
  • ATP provides the ability to manually block URLs. Phishing URLs in email messages do not normally contain malicious content, but have a malicious intent. This feature allows ITS to manually block unwanted URLs to further protect the Queen's community from phishing emails.
  • ITS removes mass phishing messages from Queen's mailboxes - however this procedure does not protect users that forward their email outside of Office 365. ATP Link Scanning continues to protect mail that is forwarded. When a link is blocked, it continues to be blocked even after being forwarded outside of Queen's mailboxes - providing better protection.
  • Reporting is available, so administrators can track which users clicked a phishing link and can warn them to change their password to prevent compromising their accounts.

What does Link Scanning look like? 

The hyperlink in every email that you receive will be rewritten and appear differently than they are currently displayed. Here is an example of a URL rewritten with ATP Link Scanning: 

https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fci.office.net%2Fapi%2Femailcount%3Flid%3D1a44b413-1866-4cda-9a96-2bf58474a914%26tid%3D51d75f6a-dc1b-4263-9b42-62614f399eb8&data=02%7C01%7CNETID%40queensu.ca%7C3a749337155a4e4f0df108d4a139fcd7%7Cd61ecb3b38b142d582c4efb2838b925c%7C1%7C0%7C636310717800979766&sdata=0Od9u%2FR3RMtozlIWDcX8WCDVJHg1B7CW0Y7B1niBbok%3D&reserved=0 

The highlighted sections include: 

  1. na01.safelinks.protection.outlook.com/  - the Microsoft ATP proxy server 
  2. ?url=http%3A%2F%2Fci.office.net%2Fapi%2Femailcount – the destination web address, address ends just before &data= 
  3. NETID%40queensu.ca – the email address of the recipient (your email address will only appear in emails within your own inbox)

When you click on one of these links and the webpage is deemed malicious, you will see a warning message that prompts you to navigate away from the site.

What do I do if I see a phishing email in my inbox?

When you see a suspicious email you should forward the message to abuse@queensu.ca this is a monitored email address. When ITS identifies a URL that is malicious, they can put the URL in a block list.

 

What do I do if I am blocked from accessing a legitimate website?

Contact the IT Support Centre to report any false positives, a white list is available to help manage URLs that should not be scanned.

 

Last Updated: April 16, 2018

Tags: