URL Sandboxing tab

Use the URL Sandboxing tab in a policy to inspect uncategorized URLs in email by tagging them for additional real-time advanced security analysis. Doing so helps protect end users from accessing malicious websites.


	Note If a website is uncategorized, URL sandboxing changes ("wraps") the URL in the email delivered to users. To add an exception for specific URLs to prevent them from being sandboxed, add a sandboxing exception. See URL sandboxing exceptions.

With URL sandboxing, if users click on a link within an email and that link or elements associated with that link are suspicious, they receive a warning that "The link may not be safe." The notification includes:

The domain they are trying to access.

The reasons the link is considered suspicious: for example, the sender email address may be unknown to our service or the sending mail server may have a suspicious reputation.

The option to analyze the page further.

If they answer No to Analyze the page?, the suspicious link is not analyzed. They can then close the notification window. For their protection, they cannot access the page.

If they answer Yes, the page is analyzed using Forcepoint Email Security Cloud real-time advanced security analysis. They then receive one of the following messages. The notification messages can be customized. See Configure block and notification pages.


Notification	Description
The link appears to be safe	No malicious threats found. The notification lists the URL and category or categories of the page. Users can proceed to view the page if they choose to do so.
Access denied	Malicious threats detected in the page. The notification lists any matched categories along with the sites suspected of being infected with a malicious link. Users cannot access the page.
Access denied	Users may also receive an Access denied notification if their organization does not permit them to browse uncategorized web pages.
Unable to access page	The web server may be down or the link may be incorrect. They may want to try again later, or contact their administrator for more information.
Unable to analyze URL	The page could not be analyzed because its protocol is not supported. Supported protocols are HTTP, HTTPS and FTP. If you have selected the Allow the recipient to follow links with an unsupported protocol option, the user can proceed to view the page if they wish; otherwise, the user cannot access the page.


	Important Websites that rely on cookies are not supported. When analyzed, URLs that resolve to sites that rely on cookies may return an error or an incorrectly rendered page. See the article Embedded URL sent for analysis fails with an error or incorrectly rendered page in the Knowledge Base. Administrators can retrieve the original URL in the cloud portal using the URL Sandboxing Utility located in Email > Toolbox. Any administrator or end user can check any URL for malicious content by going to the online Advanced Classification Engine (ACE) CSI Insight page (https://csi.forcepoint.com) and entering the URL. If a user must access a link that gets an error (or is otherwise blocked by the URL sandbox), the user should work with Technical Support to resolve the issue. Forcepoint Email Security on-premises administrators need to contact Technical Support with the sandboxed URL and request the original URL.

To modify rules for URL sandboxing:

Click Edit.

Under Default settings, select Analyze suspicious URLs.

To allow the user to click through to the site after looking at the category of the Web page, select Allow the recipient to follow links to unclassified URLs.

Links cannot be analyzed if Forcepoint Email Security Cloud does not recognize the network protocol used. Supported protocols are HTTP, HTTPS and FTP. To allow the user to click through to the site if it cannot be analyzed, select Allow the recipient to follow links with an unsupported protocol.

If required, enter customized text to display in email messages instead of suspicious URLs, such as "Danger, do not click!".

Under Policy-wide settings, enter any trusted domains that you do not want to be inspected in email messages. Use this list with caution: if a site on the list is compromised, Forcepoint Email Security Cloud does not analyze the site and cannot detect the security problem.

Define whether to analyze suspicious URLs contained in signed messages.


	Note The options to allowlist domains and analyze suspicious URLs in signed messages apply to all users and groups in a policy, and cannot be over-ridden by exceptions.

Click Submit.