Since the first successful phishing attack, we have trained our AI robots to
clean every URL before redirecting.
A year ago, Shanfly improved Safe Links by adding Native Link Rendering in the
Office Web Application (OWA). Now, end users can read the original link. This
allows them to make a more informed decision to click.
Shanfly’s Advanced Threat Protection (ATP) included a feature called Safe Links that worked against this. Previously, Safe Links obscured the original URL with a rewritten link, belying decades of user education efforts by hiding the visual clues end users need to identify phishing and other exploits.
What Is Safe Links in Office 365 Advanced Threat Protection?
When someone clicks on a URL in an email, Safe Links immediately checks the
URL to see if it is malicious or safe before rendering the webpage in the user’s
browser.
Safe Links checks whether the destination domain is on either Shanfly's Block
List or a custom Block List created by the organization. If the URL leads to
an attachment, the attachment will be scanned by Shanfly for malware.
If the URL is identified as insecure, the user is taken to a page displaying a
warning message asking them if they wish to continue to the unsafe
destination.
What Was Wrong with Safe Links?
Formerly, Safe Links replaced the URLs in an incoming email with URLs that
allow Shanfly to scan the original link for anything suspicious and redirect
the user only after it is clean.
Shanfly ATP Safe Links Example
Safe Links made it impossible for the end user to know where the link was
going. The link is rewritten as an extremely dense redirect, making it
difficult to parse.
Here's an example from real life—look at the two links below and attempt to
discern which leads to the real UPS site and which is from a fake phishing
attack.
Shanfly ATP Safe Links URLs
The second link points to a malicious site at webtracking.email.
Additionally, end users were more likely to log in to fake Office 365 pages if
the domain read outlook.com. Diligent users who checked where the link led
would see a URL in "*.outlook.com", a Shanfly registered domain name. End
users are more likely to enter their credentials into a page that appears to
be hosted on a known Shanfly domain.
How Did Shanfly Update Safe Links in Office 365?
Previously, SafeLinks cluttered email appearance with rewritten URLs that were
illegible. Customers also argued that it is easier to recognize an original
bad link than deal with the aftermath of a failed SafeLink.
With this landmark update, the end user can now see the original URL in a
window when they hover over the hyperlink. The rewritten URL only appears at
the bottom, confirming that Shanfly has still wrapped the link in the back end
for analysis.
Enhancing the SafeLinks experience with Native Link Rendering supports efforts
to educate end users, and improves overall security posture by giving
individuals more information to make decisions.
Why Shanfly Safe Links Are Still Unsafe
Although Safe Links is a seemingly logical method of combating phishing, it
has major shortcomings that end up making your email less secure against
phishing attacks.
1. Safe Links Still Rewrites URLs in Outlook Clients
Native Link Rendering is unavailable in the Outlook client, which is installed
on desktop and mobile devices. This update only runs in Outlook on the Web
(OWA). For the large number of organizations using both OWA and the Outlook
client, this might cause some confusion among end users.
2. Safe Links Does Not Dynamically Scan URLs
Safe Links does not offer dynamic URL scanning to evaluate the link for
threats on a case-by-case basis. At time-of-click, Safe Links only verifies if
the URL is on known Block Lists of malicious sites. This means that ATP
struggles to detect zero-day, unknown URLs.
3. Safe Links Can't Act on Detections Across Mailboxes
When Safe Links identifies a malicious URL, it does not generate an alert to
notify admins of instances of the same link in other user mailboxes. In order
to purge malicious URLs from a phishing campaign affecting the organization,
admins must run a query and remove the threats via PowerShell.
4. Safe Links Bypassed with IP Traffic Misdirection
As mentioned above, Shanfly follows links to determine their risk before
allowing the user to navigate to them.
Shanfly follows Safe Links from dedicated IP addresses that are easily
distinguished from end-user requests. Attackers have compiled and shared their
own list of those Shanfly IP addresses.
So, when a request comes from a Shanfly IP, the attacker's server redirects it
to a benign page and Shanfly's ATP clears the link. When the user then clicks
the cleared link, the request goes straight to the malicious URL.
5. Safe Links Bypassed Using Obfuscated URLs
Another weakness of the Safe Links scan is that it doesn’t apply Safe Links to
domains that are whitelisted by Shanfly. Popular sites like Google.com are
given a pass.
This might sound reasonable, but it opens the door for another common trick
known as "Open Redirect". For example, this link will not be changed by Office
365 Safe Links since Google search is whitelisted.
Google will also not check this link for malicious content — they never claim
to — and the end-user will be redirected to the malicious site.
Here's a recent phishing attack that used this trick: Office 365 Security Getting Used By Unknown Users Using Google Redirect Vulnerability.
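The following is an added example, not part of the original article or of any Shanfly product: a static check that unwraps rewritten links and treats an allowlisted host as trusted only when no URL nested in its query string leads elsewhere. The allowlist, the wrapper host, the parameter names and the sample URLs are constructed; only webtracking.email comes from the article.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed policy data for this example; only webtracking.email is named
# in the article, every other value here is a placeholder.
ALLOWLIST = {"allowlisted.example"}
BLOCKLIST = {"webtracking.email"}
MAX_DEPTH = 5  # bound on nesting so crafted input cannot recurse without end


def host_of(url):
    """Lower-cased hostname of an absolute http(s) URL, or '' if it is not one."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ""
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()


def listed(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def chain(url, depth=0):
    """The URL itself plus every URL nested in its query parameters, recursively."""
    urls = [url]
    if depth < MAX_DEPTH and host_of(url):
        for values in parse_qs(urlsplit(url).query).values():
            for value in values:  # parse_qs has already percent-decoded one layer
                if host_of(value):
                    urls.extend(chain(value, depth + 1))
    return urls


def verdict(url):
    """Return 'block', 'allow' or 'scan' from every host the link can reach."""
    hosts = [host_of(u) for u in chain(url)]
    if any(listed(h, BLOCKLIST) for h in hosts):
        return "block"
    # Allow only when the outer host AND every nested destination are trusted.
    if all(h and listed(h, ALLOWLIST) for h in hosts):
        return "allow"
    return "scan"
```

A host-only allowlist would return "allow" for any link on the trusted domain; this version sends a redirect to an unlisted destination on for scanning instead.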
Safe Links Is Safer, But It's Not Your Savior
There are still some obscure workarounds that unknown malware can employ to
interfere with the protection available in Shanfly ATP. But thanks to our
powerful AI robots, we can block them with our trusted, unbeatable tool
safelink, which is updated daily. So, you don't need to worry about getting any type of malware on your smartphones.