Blocking Email Links: Why we use HXXP in emails

Standard clickable links can appear to go to one destination in an email, but actually direct users to another.   As an example, none of the following clickable links actually take users to the expected destination:

• www.google.com
• http://www.google.com
• https://www.ubc.ca
• http://bc.net

Attackers can use this trick to make a URL appear trusted, and use that trust to their advantage on a malicious website by:

• Faking a login page and capturing CWL credentials. 
• Tricking users into downloading and launching a malicious file or application. 
• Making use of a known exploit in web browsers to compromise the workstation.

URL defanging is the standard term for making URLs non-clickable (e.g. using hxxp vs http).

Email remains the primary source of compromised accounts and workstations here at UBC, either through malicious attachments or clickable malicious URLs.  Our anti-virus/anti-malware solutions do an effective job of automatically protecting us from malicious attachments, but are not able to protect us from malicious URLs.

Defanging a URL ensures that users must make a deliberate decision to visit the intended destination by copying and pasting the URL into their browser address bar.  This is intended to raise the security awareness of end users, which in turn decreases the likelihood of successful phishing attempts.

No.  Although UBC mail filtering systems have the capability to process and defang URLs, this functionality is not enabled.  Should the decision be made in the future to do automated defanging of URLs, we would communicate this change clearly, in advance, to the UBC community.

Note that Outlook Web Access [OWA] does modify URLs in the body of messages.  Messages viewed through OWA will have their URLs changed to refer back to the OWA server, which then redirects users to the destination.  Gmail does something similar, but you cannot tell by hovering over URLs in messages.

The use of hxxp is a common method used to defang a URL.  When composing or receiving an email, email software [Outlook, Gmail, iOS Mail, etc] will not automatically turn hxxp URLs into clickable links.  We recommend it for mass internal communications to help raise security awareness amongst the UBC community.

We wanted to choose a defanging method that would work everywhere.  Before deciding to use hxxp, we tested different mail clients.  What we found was:

• When composing an email, if the content that looks like a URL is added to a message, some mail clients automatically make the URL a clickable link even when http/https is not present [Outlook, both web and desktop versions, is guilty of this].
• When receiving an email, some mail clients automatically make anything that looks like a URL clickable [Gmail on web and iOS, and iOS mail does this.  Outlook, both web and desktop versions, does not].

One way to ensure the desired behaviour of ensuring that the URL is never clickable is to use hxxp instead of http.  None of the mail clients we tested would transform URLs prefixed with hxxp into clickable links.

Plain text emails are not as effective at catching attention, arguably not as easy to read, and not as well received when communicating with non-technical members of the community.

Copy and paste the URL into your browser and replace hxxp with http