Overview

URL rewriting provides an additional layer of protection against potentially malicious links in email that has already been delivered to your mailbox. This service scans email for content that contains links and rewrites them with special URLs. The rewritten URLs allow the email protection service to check the original URL for malicious content before allowing the recipient to visit the website. They can also be used to block access to malicious links and alert the Information Security team if a malicious link has been clicked. Then the Information Security team can follow up with the person who clicked the malicious link to ensure that their user credentials and devices are not compromised.

What are the benefits of rewriting URLs?

Although the University's email protection system blocks the majority of malicious emails, sometimes links to phishing and malware still get past the system. URL rewriting provides an additional layer of protection against potentially malicious links in an email that has already been delivered to your mailbox. Rewritten URLs can also be used to block access to malicious links and alert the Information Security team if a malicious link has been clicked. Then the Information Security team can follow up with the user who clicked the malicious link to ensure that their user credentials and devices are not compromised. Then the Information Security team can follow up with the person who clicked the malicious link to ensure that their user credentials and devices are not compromised.

How do rewritten URLs look?

Rewritten URLs begin with https://urldefense.com. For example, if you were to receive an email sent from someone outside of the University that included a link to the EDUCAUSE About web page, you would notice the following:

• Display URL (what you will see in the email): www.educause.edu/about
• Embedded URL (what you will see if you hover your mouse over the link in the email): https://urldefense.com/v3/__http://www.educause.edu/about__[...]
• The original URL is visible within the double underscores.
  

What happens when I click on a rewritten URL?

After clicking on the link, you are redirected to the Proofpoint URL Defense service where the URL and website are analyzed.

• If the URL is considered unsafe: you will be shown a page informing them that the content is malicious and has been blocked.
• If the URL is considered safe: you will be redirected to the website.

Do the rewritten links appear when I forward an email?

Yes, when you forward a message to a recipient that does not have URL rewriting enabled in their email, they still will see the rewritten URLs. The recipient will be able to open the links.

Why aren't URLs in messages sent from UChicago email accounts to other UChicago email accounts being rewritten? Wouldn't that help with phish and spam spreading from compromised accounts?

Email sent directly from one UChicago Microsoft 365 user to another does not go through the campus email protection system, and thus they do not go through the URL rewriting process. Typically when a phishing message comes in from outside campus, someone clicks on the link and then is sent to other users of Microsoft 365. By protecting against phishing links coming from outside, compromised accounts spreading malicious email internally is much less likely.

Can I opt out of URL rewriting?

There is currently no opt-out process in place if your department is using URL rewriting. To make this request, contact IT Services to discuss possible options. These will be evaluated on a case-by-case basis.

Can certain domains be excluded from URL rewriting?

Domains for which the University handles email, such as uchicago.edu, are automatically exempted from rewriting. If URL rewriting is interfering with your ability to access legitimate links, IT Services for an investigation of exclusion from URL rewriting.

I'm concerned about my privacy. What are you tracking when I click on my emails?

URL rewriting tracks "clicks on links" and generates alerts only when a malicious link is clicked. Your overall click history is not available to the University's Information Security team and cannot be accessed.