The Hidden Risks of URL Rewriting and the Superior Alternative for Email Security

URL rewriting is a common practice in email security. As threats evolve, it's clear that this approach has limitations and potential vulnerabilities.
Last updated November 5, 2025

URL rewriting, a service designed to neutralize malicious URLs by redirecting users to a safe environment, has been a common practice in email security. However, as cyberthreats evolve, it's becoming clear that this approach has limitations and potential vulnerabilities. 

URL rewriting emerged as a creative solution about a decade ago when secure email gateways (SEGs) were the primary source of email defense. It addressed the challenge of delivering emails quickly while protecting against malicious links. The approach involved rewriting potentially harmful URLs so that when clicked, they would first be analyzed by an engine to determine their safety.

While innovative at the time, the changing technological landscape and new security challenges have made this solution less effective and have introduced new problems, which we cover here. With Integrated Cloud Email Security (ICES) solutions, many of the original delivery challenges no longer apply, and more advanced URL analysis capabilities are now available.

URL rewriting: the good intentions and where they fall short  

URL rewriting has been a common email security practice, promising to safeguard users from the onslaught of cyber threats. Yet it's increasingly clear that its efficacy is fading with time. Here's why:

  1. Weakening defense-in-depth strategy: Rewritten URLs can bypass other security tools, potentially leaving threats unexamined.
  2. Business Email Compromise (BEC) deception: URL rewriting still delivers the malicious message, with only one part of it modified. This fails to address the BEC aspect of the attack, which relies more on social engineering than on malicious code. The user can still respond to the attacker, which gives the attacker a new attempt to phish them through other means.
  3. Hindering security culture development: Rewriting obscures the true destination of links, discouraging users from developing good security habits like verifying URLs before clicking.
  4. Configuration drift: Not all URLs are consistently rewritten due to various vendor-specific protocols or administrative configurations, inadvertently creating security gaps.
  5. Impersonation and false security: Attackers impersonate vendor-rewritten URLs, exploiting the trust users place in them to make their phishing attempts more convincing.
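
To make items 1, 4 and 5 concrete, the following Python is an added example (not Varonis code and not any vendor's real rewrite format) that audits the links in a delivered message: it unwraps rewritten links so downstream tools can evaluate the real destination, flags links that were never rewritten, and flags hosts that only resemble the gateway. The gateway host `urlgw.example.com`, the `u` parameter and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions for illustration only (not a real vendor format):
REWRITER_HOST = "urlgw.example.com"  # hypothetical gateway rewrite host
DEST_PARAM = "u"                     # hypothetical parameter holding the original URL
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message body.
SAMPLE_BODY = """\
Invoice: https://urlgw.example.com/v1/url?u=https%3A%2F%2Fshop.example.org%2Finvoice%3Fid%3D7
Portal: https://urlgw.example.com.login-check.example.net/v1/url?u=https%3A%2F%2Fshop.example.org
Docs: http://files.example.org/readme.txt
Broken: https://urlgw.example.com/v1/url?x=1
"""

def classify(url):
    """Return (verdict, destination) for one link in a delivered message."""
    host = (urlsplit(url).hostname or "").lower()
    if host == REWRITER_HOST:
        dest = parse_qs(urlsplit(url).query).get(DEST_PARAM, [None])[0]
        if dest and urlsplit(dest).scheme in ("http", "https"):
            # Item 1: unwrap so downstream tools judge the real destination.
            return "rewritten", dest
        return "malformed-wrapper", None
    if REWRITER_HOST.split(".")[0] in host:
        # Item 5: host only resembles the gateway (simple substring heuristic).
        return "lookalike-wrapper", url
    # Item 4: link reached the mailbox without being rewritten.
    return "unrewritten", url

def audit(body):
    """Classify every http(s) link found in a message body."""
    return [(u, *classify(u)) for u in URL_RE.findall(body)]

if __name__ == "__main__":
    for link, verdict, dest in audit(SAMPLE_BODY):
        print(f"{verdict:18} {dest or '-'}  <- {link}")
```
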


Browser live scanning: an essential messaging security functionality  

With the current approach's flaws exposed, it's time to pivot to a methodology that offers a more profound layer of protection: Live Scanning. This method doesn't just rewrite; it removes and rescues, while also providing a layer of defense against other 3D link-based phishing techniques. Here's how:

  • Persistent browser-level ML: Even after the initial scan, machine learning algorithms at the browser level continue to tirelessly seek out anomalies or threats that may have slipped past the first defense.
  • Content and intent analysis: Every message is thoroughly examined — not just for questionable URLs and attachments but also for the intent behind them, addressing the nuanced nature of modern cyber threats.
  • Zero-tolerance policy: If any element of a message is flagged as malicious, the entire message is extricated from the environment. It's a complete excision rather than a superficial cover-up.
  • The mantra — don't rewrite, remove: By bypassing the URL rewriting step, we maintain transparency with users and ensure that security doesn't just appear comprehensive—it is comprehensive. 

How Live Scanning changes the game

Live Scanning is not a mere iterative improvement over existing security measures; it's a leap forward. Here's a glimpse into its inner workings, leveraging our proprietary technology:

  • Maintain malicious click tracking visibility: Malicious click tracking is lost with most ICES solutions, but by using browser protection, you aren’t forced to choose. You get the best blend of the old and the new strategies in one easy, convenient package.
  • Computer vision technology: At the core of Live Scanning lies our proprietary computer vision technology. When a suspicious attachment is encountered, this technology meticulously inspects it to detect if it harbors a 0-hour phishing attempt.
  • Evasion countermeasures: Sophisticated attackers often use CAPTCHA pages or convoluted scripts to obscure a URL's true destination. Live Scanning deftly navigates these evasive techniques to unveil the threat they conceal.
  • Deep content analysis: Live Scanning dissects the page: the language, HTML source code, and anomalies with the Document Object Model (DOM) interface, etc. This in-depth interaction allows for the assessment of potential risks within the fabric of the content.
  • Behavioral contextualization: Beyond static analysis, Live Scanning applies behavioral contextualization to understand and identify malicious intent or activity embedded within the page. It's a predictive rather than a reactive stance, taking cues from subtle indicators of malevolence.
  • Autonomous email inspection: In email, Live Scanning doesn't rely on a user's click to spring into action. Our latest virtual browser technology (“Project Phantom”) examines the content within an email, preemptively identifying and neutralizing threats before they ever have a chance to engage the user. 

Don’t wait for a breach to occur.

In conclusion, it's time we move beyond the comfort zone of traditional URL rewriting and adopt Live Scanning for a more secure and transparent defense mechanism. It's not just about making the digital space safer — it's about making security a clear and understandable pillar of our everyday online interactions.

Don't let outdated security measures leave your organization vulnerable. Embrace the future of email security with Varonis Interceptor, our AI-native email security solution with the best detection rate on the planet. 

Schedule a demo to see how Interceptor can protect your business from evolving cyber threats and provide superior defense against phishing attacks.
