The Fatal Click? The Benefits of Analyzing Suspicious URLs



Dena Bauckman

Imagine that your efforts to close a cybersecurity loophole only made the problem worse. That’s exactly what happened when users clicked a link claiming to provide information about the Meltdown and Spectre malware strains. The link actually installed the malware automatically on their systems.

A similar narrative comes from the Locky attack. First released in 2016 and reinvigorated in 2017, Locky spread through a seemingly harmless email that contained either a link directing users to a malicious site or an “invoice” attachment with the malware embedded in it. With over 130 million emails sent to deliver that malware, including 60 million emails in a single day in September, the cyberattack cost organizations more than $1 billion. Lastly, there was the PayPal payment cancellation campaign: a well-crafted email that borrowed official PayPal images and used malicious, obfuscated or hidden links within a “cancel transaction” request to capture user account credentials and payment information.

Suspicious links are a pervasive threat that nearly everyone is aware of these days. In spite of this, phony URLs remain a common cyberattack tactic simply because they remain so effective. Users have a natural inclination to click on links, and when phishing emails can mimic legitimate senders, even the most diligent users can miss red flags. To stay protected in such a risky cyber environment, then, organizations should bolster their defenses by implementing tools that can help users spot such links.

Closing the Door on Dangerous Links

Ultimately, the end user is an organization’s last line of defense. But because it can still be difficult for users to spot malicious links even with adequate training, flagging dangerous links using a disarm/analysis tool is the stronger strategy.

These tools add a layer of caution that users cannot supply on their own. For instance, time-of-click analysis determines whether a link is safe at the point in time the user clicks it, not just when the email is sent. If the site becomes infected, or a sophisticated attack waits to put out the malware to avoid detection, the user is still protected.

Moreover, smart tools eliminate other, more complex problems. For example, hackers are able to flood inboxes with “cousin domains” — malicious links that appear to be legitimate given their subtle variations, such as substituting a zero for the letter “o” in “” They can also obscure links by using shortening services like Bitly that bypass users’ “hover” technique. But disarm/analysis tools help users spot phony URLs to avoid them with greater confidence. These tools also restore a link to its full-length form so that there is never any confusion about where it leads.
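The two checks described above, sketched as an added example (not ZixProtect's code): it flags hostnames that differ from a protected domain only by look-alike characters or a single typo, and marks shortener hosts as needing expansion. The domain lists, the look-alike map and all function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not from the article).
PROTECTED = ("contoso.example", "fabrikam.example")  # domains you own
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}       # link-shortening hosts
# Digit-for-letter look-alikes, such as a zero standing in for "o".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(host: str) -> str:
    """Collapse look-alike characters so cousin spellings compare equal."""
    return host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'ok', 'shortener', 'cousin-of:<domain>', 'unknown' or 'invalid'."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return "invalid"
    host = host[4:] if host.startswith("www.") else host
    if not host:
        return "invalid"
    if host in SHORTENERS:
        return "shortener"  # destination is hidden; expand it before judging
    if host in PROTECTED:
        return "ok"
    for good in PROTECTED:
        # Same skeleton = character substitution; distance 1 = one typo.
        if skeleton(host) == skeleton(good) or edit_distance(host, good) == 1:
            return f"cousin-of:{good}"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://c0ntoso.example/login", "https://bit.ly/2AbCdEf",
              "https://www.contoso.example/", "https://contosso.example/"):
        print(f"{classify(u):28} {u}")
```

The comparison uses the full hostname, so a protected name used as a subdomain of another domain is reported as unknown; catching that case needs registrable-domain extraction against the Public Suffix List.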

Securing the Inbox Using ZixProtect

While multiple disarm/analysis tools are on the market, ZixProtect has become a leading option by balancing the needs of end users with the needs of security professionals. When both parties are accommodated, email security becomes that much stronger.

For example, our time-of-click analysis tool prioritizes convenience and visibility. While a link is under review in real time, a banner is displayed clearly to the user. This notation prevents the user from accessing the link preemptively while reinforcing the fact that links can often be dangerous. Over time, the tool helps users develop a healthy caution about all URLs, not just the ones that are blatantly suspicious.

ZixProtect also makes it easier to protect an inbox without inhibiting productivity through a link scoring and restoration tool. If a URL doesn’t raise red flags, then the user is automatically connected to the destination. If issues exist, however, then these issues are outlined in a color-coded report with simple descriptions and easy-to-follow guidance. With this more nuanced and explicit approach, users don’t miss important links even if they are flagged as suspicious.

Hackers and their tricks are becoming more sophisticated every day. It’s not enough anymore to believe that a URL doesn’t look suspicious, and users can only do (and should only be expected to do) so much on their own in the way of defense. With the comprehensive protection that disarm/analysis tools like ZixProtect provide, you and your users can rest assured that today’s malicious links won’t become tomorrow’s cybersecurity breach.