Blocking Email Links: Why we use HXXP in emails

January 23, 2018

In the past few months, you may have noticed an increase in the use of “hxxp” to replace “http” at the start of URL links in email messages. For example, http://google.com is changed to hxxp://google.com in a deliberate effort to break the link.

This practice, also known as URL defanging, is used to discourage the clicking of links in emails. Many malicious emails (e.g. phishing messages) gather personal information by tricking users into clicking on a URL that looks safe but that ultimately points to a malicious website set up to steal information.

In an effort to discourage users from instinctively clicking on links in emails, we encourage staff and faculty to break the URLs in their emails by using “hxxp”.

Answers to common questions related to this practice are available below:

How can a clickable URL in an email be malicious?

Standard clickable links can appear to go to one destination in an email, but actually direct users to another. As an example, none of the following clickable links actually take users to the expected destination:

Attackers can use this trick to make a URL appear trusted, and use that trust to their advantage on a malicious website by:

  • Faking a login page and capturing CWL credentials. 
  • Tricking users into downloading and launching a malicious file or application. 
  • Making use of a known exploit in web browsers to compromise the workstation.

What is URL defanging, and why is it used?

URL defanging is the standard term for making URLs non-clickable (e.g. using hxxp vs http).

Email remains the primary source of compromised accounts and workstations here at UBC, either through malicious attachments or clickable malicious URLs.  Our anti-virus/anti-malware solutions do an effective job of automatically protecting us from malicious attachments, but are not able to protect us from malicious URLs.

Defanging a URL ensures that users must make a deliberate decision to visit the intended destination by copying and pasting the URL into their browser address bar.  This is intended to raise the security awareness of end users, which in turn decreases the likelihood of successful phishing attempts.
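As an added illustration (not UBC's own tooling), the Python sketch below checks an HTML message body for the mismatch described earlier, where a link displays one destination but points to another, and reports the real target in defanged form. The function names, the hxxps form for https, and the sample body built from reserved example domains are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def defang(url):
    """http:// -> hxxp:// (and https:// -> hxxps://) so mail clients do not auto-link it."""
    return re.sub(r'(?i)\bhttp(s?)://', lambda m: 'hxxp' + m.group(1) + '://', url)

def host_of(text):
    """Hostname if text looks like a URL or bare hostname, else None."""
    text = text.strip()
    if not re.match(r'(?i)^[a-z][a-z0-9+.-]*://', text):
        text = '//' + text  # lets urlsplit read "example.com/path" as a host
    try:
        host = (urlsplit(text).hostname or '').lower()
    except ValueError:
        return None
    if '.' not in host or ' ' in host:
        return None  # ordinary link text such as "Click here"
    return re.sub(r'^www\.', '', host)  # simplification: treat www.X and X as the same site

class AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href') or '', []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((''.join(self._text).strip(), self._href))
            self._href = None

def find_mismatched_links(html_body):
    """Return (shown text, defanged real target) where the two hosts differ."""
    parser = AnchorCollector()
    parser.feed(html_body)
    return [(text, defang(href)) for text, href in parser.links
            if host_of(text) and host_of(href) and host_of(text) != host_of(href)]

# Constructed sample body using reserved example domains.
SAMPLE = ('<p><a href="http://login.example.net/signin">https://portal.example.com/</a> '
          '<a href="https://www.portal.example.com/about">portal.example.com</a> '
          '<a href="http://example.org/x">Click here</a></p>')
print(find_mismatched_links(SAMPLE))
```

Only the first link in the sample is reported: the second points where it says it does, and the third shows ordinary text rather than a URL, so there is nothing to compare.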

Do the UBC mail filters defang URLs in the bodies of emails?

No.  Although UBC mail filtering systems have the capability to process and defang URLs, this functionality is not enabled.  Should the decision be made in the future to do automated defanging of URLs, we would communicate this change clearly, in advance, to the UBC community.

Note that Outlook Web Access [OWA] does modify URLs in the body of messages.  Messages viewed through OWA will have their URLs changed to refer back to the OWA server, which then redirects users to the destination.  Gmail does something similar, but you cannot tell by hovering over URLs in messages.

Why do we use hxxp in email we send, and recommend it for mass internal communications?

Using hxxp is a common method of defanging a URL. When composing or receiving an email, email software [Outlook, Gmail, iOS mail, etc.] will not automatically turn hxxp URLs into clickable links. We recommend it for mass internal communications to help raise security awareness amongst the UBC community.

Why not just drop the http prefix instead of using hxxp?

We wanted to choose a defanging method that would work everywhere.  Before deciding to use hxxp, we did testing with different mail clients to see how we should handle our own URL defanging.  What we found was:

  • When composing an email, if content that looks like a URL is added to a message, some mail clients automatically make the URL a clickable link even when http/https is not present [Outlook, both web and desktop versions, is guilty of this].
  • When receiving an email, some mail clients automatically make anything that looks like a URL clickable [Gmail on web and iOS, and iOS mail do this. Outlook, both web and desktop versions, does not].

One way to ensure that the URL is never clickable is to use hxxp instead of http. None of the mail clients we tested would transform URLs prefixed with hxxp into clickable links.

Why not just use plain text emails?

Plain text emails are not as effective at catching attention, arguably not as easy to read, and not as well received when communicating with non-technical members of the community.