URL Sandboxing Release Note – TRITON AP-EMAIL with Email Cloud Module

TRITON AP-EMAIL with Email Cloud Module | 10-December-2015

URL sandboxing helps to close a dangerous and common security risk posed to end-users and the enterprise in email.

When enabled, URL sandboxing supports real-time analysis of suspicious URLs, including uncategorized URLs, embedded in email that has been processed and delivered by TRITON AP-EMAIL with Email Cloud Module. In this configuration, when a user clicks on a link within an email, and that link or elements associated with that link are suspicious, the user receives a warning that "The link may not be safe." The notification includes:

The domain they are trying to access.

The reasons the link is considered suspicious: for example, the sender email address may be unknown to our service or the sending mail server may have a suspicious reputation.

The option to analyze the page further.

If the user selects No to Analyze the page?, the suspicious link is not analyzed. However, the user can only close the notification window; the user is not allowed to access the page.

If the user answers Yes, the page is analyzed using TRITON AP-EMAIL real-time advanced security analysis. One of the following messages is returned.


Notification	Description
The link appears to be safe	No malicious threats found. The notification lists the URL and category or categories of the page. Users can proceed to view the page if they choose to do so.
Access denied	Malicious threats detected in the page. The notification lists any matched categories along with the sites suspected of being infected with a malicious link. Users cannot access the page.
Access denied	Users may also receive an Access denied notification if their organization does not permit them to browse uncategorized web pages.
Unable to access page	The web server may be down or the link may be incorrect. The user may want to try again later, or contact their administrator for more information.
Unable to analyze URL	The page could not be analyzed because its protocol is not supported. Supported protocols are HTTP and FTP. If you have selected the Allow the recipient to follow links with an unsupported protocol option, the user can proceed to view the page if they wish; otherwise, the user cannot access the page.

Configuring URL sandboxing

To modify rules for URL sandboxing:

In the Cloud TRITON Manager portal, select a policy, select the URL Sandboxing tab, and click Edit.

Under Default settings, select Analyze suspicious URLs.

To allow the user to click through to the site after looking at the category of the URL, select Allow the recipient to follow links to unclassified URLs.

Links cannot be analyzed if TRITON AP-EMAIL does not recognize the network protocol used. Supported protocols are HTTP and FTP. To allow the user to click through to the site if it cannot be analyzed, select Allow the recipient to follow links with an unsupported protocol.

If required, enter customized text to display in email messages instead of suspicious URLs, such as "Danger, do not click!"

Under Policy-wide settings, enter any trusted domains that you do not want to be inspected in email messages. Use this list with caution: if a site on the list is compromised, TRITON AP-EMAIL does not analyze the site and cannot detect the security problem.

Define whether to analyze suspicious URLs contained in signed messages.

NOTE: The options to whitelist domains and analyze suspicious URLs in signed messages apply to all users and groups in a policy, and cannot be over-ridden by exceptions.

Click Submit.

Using the URL Sandboxing Utility

Administrators can view details of a URL that has had the URL sandboxing feature applied to it.

In the Cloud TRITON Manager portal, go to Email > Messages > Toolbox and select the URL Sandboxing Utility tab.

Enter a sandboxed URL, and then click Submit to show the original URL and its recipient, security, and policy settings. The following is displayed.


Field	Description
Sandboxed URL	Shows the sandboxed URL entered.
Original URL	Shows the original URL before sandboxing.
Block Policy Flags	Shows if the recipient is allowed to see unclassified URLs. Also shows if suspicious URLs are masked for the recipient.
Policy Name	Shows the name of the policy that owns the recipient domain.
Recipient	Shows the email address of the recipient of the message containing this URL.