← Back to all blogs

What is Link Rewriting in Email Security? How Safe Links Work

|5 min read|Vinodh Kumar Balaraman

Most organisations assume link rewriting means their users are protected. It does not. It means a reputation check ran before the click. What happens after that check is where the real exposure begins. This blog breaks down how Safe Links works, where it stops, and why isolated browsing is the layer that closes the gap.

If your organisation runs Microsoft 365, the URLs inside your emails are not the originals. Before the message reached your inbox, every link was quietly replaced with a rewritten proxy version. Most users never notice. But understanding what that rewrite actually does, and where it stops, matters more than most security teams realise.

Link rewriting is straightforward. When an inbound email arrives at your mail gateway, the security platform replaces each original URL with a new one pointing to the vendor's own scanning infrastructure. When a user clicks that link, they first hit the vendor's servers. A quick check runs. If the URL clears, the user is forwarded to the destination. If it is flagged, access is blocked.

It introduces a security checkpoint between the inbox and the browser. That is genuinely useful. But the strength of that checkpoint depends entirely on what the inspection behind it actually does.

Microsoft Defender for Office 365 implements link rewriting through Safe Links. It rewrites URLs during mail flow and performs a time-of-click reputation check when the user actually clicks, not just at delivery. This is an important distinction. Checking at the moment of click rather than only at arrival helps catch a category of attacks where a URL is clean at delivery but malicious by the time it is opened.

If the URL passes the reputation check, the user is forwarded to the destination in their own local browser. That detail matters, and we will come back to it.

Where Reputation-Based Checking Falls Short

Safe Links is a solid baseline. But reputation-based inspection has structural limits that attackers exploit routinely.

Freshly registered phishing domains have no reputation history and pass checks cleanly. Time-delayed redirects switch destination content after the check completes. Legitimate platforms like SharePoint or Google Drive almost always clear reputation filters regardless of what content sits behind the link.

In each of these cases the rewriting worked exactly as designed. The gap is not a flaw in implementation. It is a limitation of using reputation as the final line of defence.

The Real Question: What Happens After the Click?

When a URL passes inspection and the user is forwarded to the destination, they land on that page inside their own local browser, on their own device, connected to their own network. If the destination turns out to be malicious, the endpoint and network are fully exposed from that point forward.

This is the part of the link rewriting conversation that does not get enough attention. The rewrite creates a checkpoint. But once a URL clears that checkpoint, the security envelope around the user's session disappears entirely.

The more meaningful question to ask of any link security solution is not just whether it checks the URL before the user gets there. It is what it does with the user's session when the URL cannot be confidently verified as safe.

A Different Approach to What Happens Next

Rather than using reputation as a binary gate that either blocks or fully releases a user, a stronger model keeps the browsing session isolated regardless of the check outcome.

Trusted links with a clean, established history open normally. Everything else opens inside an isolated browsing environment that sits completely outside the user's device and network. The user interacts with the page as they normally would. But the execution happens in a contained session where threats cannot reach through to the endpoint, no matter what the destination attempts to do.

This is the approach CyberCheck360 takes. Link rewriting is not the differentiator. What happens after the click is. By routing unverified links through isolated browsing sessions rather than releasing users directly to their local browser, the residual risk that exists even after a clean reputation check is removed from the equation.

The user stays productive. The network stays protected.

What This Means for Your Security Stack

Microsoft Safe Links is worth having properly configured if you are in the Microsoft 365 ecosystem. It provides real baseline coverage and the time-of-click model is meaningfully better than delivery-time scanning alone.

But for organisations where targeted phishing and novel infrastructure are realistic threats, which for most enterprises they are, a reputation gate as the final checkpoint leaves an exposure window that is worth closing deliberately.

Link rewriting is a strong first layer. Isolated browsing is what makes that layer complete.

See It in Action

CyberCheck360 provides click-time URL protection that keeps unverified links inside an isolated browsing session, protecting your endpoints and networks even when a threat has never been seen before.

Book a Demo at cybercheck360.com

Published by CyberCheck360 | Specialised URL Sandboxing and Click-Time Protection cybercheck360.com

Tags

Link Rewriting Email URL Rewriting Safe Links Email Security Microsoft Safe Links Click-Time Protection Phishing Protection URL Sandboxing Isolated Browsing Microsoft Defender Enterprise Email Security Zero-Day Phishing CyberCheck360

Categories

Cybersecurity Email Security URL Security Enterprise IT Security Architecture Microsoft 365 Security

Learn more:Contact us