What is URL Defense?

URL Defense is a security feature built into Proofpoint Essentials that protects you from malicious links in emails. When an email passes through Proofpoint, every URL in the message is rewritten so that clicking a link routes the request through Proofpoint’s security checks before you reach the destination.

This means that instead of a link going directly to a website, it first passes through Proofpoint, which analyses the destination in real time. If the link is safe, you’re redirected to the original page as normal. If the link is malicious, Proofpoint blocks the request and shows you a warning page.

Why do my links look different?

You may notice that links in your emails look something like this:

https://urldefense.proofpoint.com/v2/url?u=https-3A__teams.microsoft.com_


In this example, the original link was simply https://teams.microsoft.com/meet/36454132144330 — a standard Microsoft Teams meeting link. After passing through Proofpoint, it gets wrapped with the URL Defense security layer, which is why it looks much longer and more complex.

This is completely normal. It means Proofpoint is actively protecting you by checking every link before you reach the destination. The original link is still there — Proofpoint just verifies it first.

Important: These rewritten URLs are not spam and they are not a sign that your email has been compromised. They are a security feature protecting you from clicking on dangerous links.

What happens when I click a rewritten link?

When you click a Proofpoint-rewritten link, one of two things happens:

  1. The link is safe — Proofpoint checks the destination, confirms it is not malicious, and redirects you to the original website. This happens almost instantly and you may not even notice the check taking place.
  2. The link is blocked — Proofpoint determines that the destination is malicious or suspicious and displays a warning page instead. You will not be taken to the dangerous website.

The key benefit of this approach is that Proofpoint checks the link at the time you click it, not just when the email was delivered. This means that even if a link was safe when the email arrived but was later compromised, Proofpoint will still catch it.

What should I do if a link is blocked?

If Proofpoint blocks a link you believe is legitimate:

  1. Do not try to bypass the block by copying and pasting the URL manually.
  2. Contact your IT administrator or raise a support ticket with Constant Edge. Provide the original email and the URL you were trying to reach.
  3. Your administrator can review the block and, if the link is genuinely safe, add it to the allow list.

 

Information for IT administrators

How URL Defense works

URL Defense rewrites all URLs in inbound email messages as they pass through Proofpoint’s email gateway. The rewritten URL directs click traffic through Proofpoint’s analysis engine, which performs real-time threat assessment at click time. This includes checking the URL against Proofpoint’s threat intelligence, analysing the destination page for phishing indicators, and sandboxing unknown or suspicious content.

URL Defense is enabled by default on Proofpoint Essentials accounts. No additional configuration is required to activate it.

Managing blocked URLs

If a user reports that a legitimate URL has been blocked, you can manage this through the Proofpoint Essentials admin console:

  1. Log into the Proofpoint Essentials admin console.
  2. Navigate to Security Settings > URLs.
  3. Add the domain or specific URL to the Allow List.

Note: Only add URLs to the allow list if you have verified they are safe. Allow-listing a compromised domain will bypass URL Defense protection for all users in your organisation.


Common questions from users:

You may receive tickets from users about URL Defense. The most common queries are:

User query

Response

“All my links look weird / have been changed”

This is URL Defense working as intended. Reassure the user that it is a security feature and their emails have not been compromised.

“I can’t access a link”

Check whether the URL has been blocked by Proofpoint. If it is a false positive, add it to the allow list.

“Can I turn this off?”

URL Defense is a core part of your email security and should not be disabled. If a user is having issues with specific links, address those individually rather than disabling the feature.


URL Defense versions

Proofpoint has released several versions of URL Defense over time. The version determines the format of the rewritten URLs:

  • v1 — Older format, rarely seen on current deployments
  • v2 — Most common format currently in use. URLs begin with https://urldefense.proofpoint.com/v2/url?
  • v3 — Newer format using a shorter, encoded URL structure

The version in use depends on your Proofpoint account configuration. All versions provide the same click-time protection.

 

Related articles

Problems with Proofpoint? Fix Them Fast

We diagnose and resolve Proofpoint issues quickly — from email delivery problems to configuration errors — keeping your business secure and running smoothly.

Speak to an expert