Link Protection
All features of MailGuard Link Protection: URL analysis, QR code detection, click-time recheck, defanging, and tracking detection.
Link Protection
Link Protection is one of the most powerful modules in MailGuard. It analyzes all URLs in an email — including those in QR codes — and can defang, rewrite, or block them in real time.
Core Features
URL Analysis
Every link is checked in real time:
- Redirect Following: URLs are resolved to their final destination. Configurable with a maximum hop count (default: 5).
- Domain Reputation: The target domain is checked against reputation databases.
- URL Shortener Detection: Shortened URLs (bit.ly, t.co, etc.) are flagged as potential obfuscation.
- IP Host Detection: Links pointing to direct IP addresses (instead of domains) are flagged.
- Display-Target Mismatch: Detects when the displayed link text contains a different URL than the actual link target (e.g., text shows
paypal.com, link goes toevil-site.com).
Login Page Detection
MailGuard detects credential harvesting pages — fake login forms designed to steal credentials. These are automatically classified as suspicious.
Actions for Suspicious Links
| Action | Description |
|---|---|
| Increase Score | Spam score is increased by the configured delta value |
| Defanging | Links are defanged (various modes available) |
| Quarantine | Email is moved to quarantine |
| Block | Email is blocked |
Defanging Modes
When defanging is selected as the action, three main modes are available:
| Mode | Description | Example |
|---|---|---|
| Rewrite | Links are rewritten through a Conbool proxy (for click-time recheck) | https://proxy.conbool.com/?url=... |
| Redact | URL is replaced with custom text | [Link removed - suspicious] |
| Style | Links are defanged with configurable styles (see below) | Combination of methods |
Defanging Styles (Style Mode)
| Style | Description | Example |
|---|---|---|
| hxxp Replacement | http:// is replaced with hxxp:// | hxxp://example.com/link |
| Bracket Enclosure | URL is enclosed in square brackets | [http://example.com/link] |
| href Removal | The clickable link is removed; the URL remains as text | URL is no longer clickable |
These styles can be combined. You can also configure different modes for suspicious and non-suspicious links.
Advanced Features
Click-Time Recheck
When enabled, links are not only checked upon receipt but also when clicked by the recipient. To do this, the URL is rewritten through a Conbool proxy:
- Email arrives → Link is checked and classified as safe.
- Link is rewritten with a Conbool proxy URL.
- Recipient clicks the link → Conbool re-checks the URL in real time.
- If the URL has become malicious between receipt and click, access is blocked.
This is particularly important because attackers often activate links only hours after sending a phishing campaign (known as "delayed phishing").
QR Code Detection
MailGuard extracts URLs from QR codes in email attachments and images:
| Setting | Description |
|---|---|
| QR URL Extraction | URLs from QR codes are extracted and checked like regular links |
| QR Defanging | QR codes with suspicious URLs are defanged (rendered unreadable) |
QR code-based phishing ("quishing") is a growing threat, as QR codes are not detected by many traditional spam filters.
Tracking Parameters
MailGuard can detect and optionally remove tracking parameters in URLs:
| Setting | Description |
|---|---|
| Tracking Detection | Detects known tracking parameters (utm_source, fbclid, etc.) |
| Tracking Removal | Removes detected tracking parameters from URLs |
| Custom Patterns | Custom regex patterns for tracking parameters |
Unsubscribe Links
MailGuard respects unsubscribe links (List-Unsubscribe header) by default. These are not defanged or blocked in order to ensure email compliance.
Domain Rules
You can configure domain-based exceptions:
| Rule Type | Description |
|---|---|
| Allowed Domains | Links to these domains are never defanged |
| Blocked Domains | Links to these domains are always blocked |
Each rule has a position for prioritization.
Configuration Example
A typical Link Protection configuration for a company:
- Link Protection: Enabled
- Action for suspicious links: Score +10
- Redirect Following: Enabled, max. 5 hops
- Domain Reputation: Enabled
- Login Page Detection: Enabled
- Click-Time Recheck: Enabled
- QR Code Extraction: Enabled
- QR Defanging: Enabled
- URL Shortener Detection: Enabled
- Allowed Domains:
microsoft.com,google.com, own domains
Required Permissions
- View: Owner, Operator, Analyst, Auditor
- Configure: Owner, Operator
See Also
- Policies – Apply Link Protection settings specifically through policies.
- Feature Overview – Overview of all MailGuard modules.