Writing Wrongs: Why Mimecast’s link rewriting gives a false sense of security

News Article
25 January 2021

Having worked in legal technology for over 20 years, we know that many law firms rely on Mimecast email security to detect and defend against malicious links targeting employees. We therefore read with interest a blog written by Dan Fein, Director at Darktrace, which explains the process an e-mail gateway undertakes to rewrite these harmful links and confirms why this sense of protection is in fact a misconception and will not provide the security your business needs to remain compliant and safe.

Link rewriting is a common technique in which every URL in an inbound email is encoded into a link that redirects the user through the gateway's own servers. Each rewritten link carries a unique code that lets the gateway track who clicked it and perform its checks later, at click time, to determine whether the destination is malicious. In fact, an email gateway's reliance on this technique is an indicator of one of its fundamental flaws: its dependence on rules and signatures of previously recognised threats, and its consequent inability to stop threats on the first encounter.

The reason these tools pre-emptively rewrite links is so they can make a determination later on: with the link now pointing to their own servers, they can apply their updated assessment of that link and block a malicious site once more information has become available (often once 'patient zero' has already been infected and the damage is done).
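As an added illustration, not taken from the original article or from Mimecast or Darktrace, the Python below simulates this rewrite-now, decide-later flow: the gateway host, redirect URL format, sample addresses and sample URLs are constructed placeholders, and the first-encounter scenario shows why a click that arrives before any verdict exists is simply allowed through.

```python
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

# Constructed placeholder for the gateway redirect endpoint; not Mimecast's real host or URL format.
GATEWAY = "https://protect.example-gateway.test/redirect"

# Click-tracking records: token -> original URL, recipient, whether clicked.
TRACKING = {}


def rewrite_link(url, recipient):
    """Replace a URL in a delivered email with a gateway redirect carrying a unique token."""
    token = secrets.token_hex(8)
    TRACKING[token] = {"url": url, "recipient": recipient, "clicked": False}
    return f"{GATEWAY}?{urlencode({'u': url, 't': token})}"


def resolve_click(rewritten, verdicts):
    """Gateway-side handling of a click: the decision uses the verdict known now,
    not at delivery time. `verdicts` maps original URL -> 'malicious' or 'clean';
    a URL with no verdict yet is allowed through, which is the first-encounter gap."""
    params = parse_qs(urlparse(rewritten).query)
    original, token = params["u"][0], params["t"][0]
    TRACKING[token]["clicked"] = True
    if verdicts.get(original) == "malicious":
        return "blocked", original
    return "allowed", original


def first_encounter_scenario():
    """Constructed timeline: the same unknown link is delivered to two recipients.
    Patient zero clicks before any verdict exists; the verdict only arrives afterwards."""
    malicious = "http://invoice-update.example/login"  # constructed sample URL
    link_a = rewrite_link(malicious, "patient.zero@firm.test")
    link_b = rewrite_link(malicious, "second.user@firm.test")
    verdicts = {}                                   # nothing known at delivery time
    first, _ = resolve_click(link_a, verdicts)      # patient zero is allowed through
    verdicts[malicious] = "malicious"               # intelligence catches up later
    second, _ = resolve_click(link_b, verdicts)     # the later click is blocked
    return [first, second]


def rewritten_hosts(urls):
    """Every rewritten link shows the gateway host, so a trusted site and a suspicious
    one look identical to the recipient who is trying to spot a phishing email."""
    return {urlparse(rewrite_link(u, "user@firm.test")).netloc for u in urls}
```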

How Can You Measure Success?

Dan Fein goes on to discuss how you can measure success and highlights that whilst a product like Mimecast will rewrite near enough 100% of links entering your systems – even if the links are directing you to safe and trusted URLs including your ‘own’ website – this process doesn’t necessarily indicate that your data is secure.

Furthermore, because nearly all links are rewritten, training your staff to identify a phishing email becomes almost impossible: nearly every link they receive reads 'mimecast.com'. With this approach, one link cannot be distinguished as harmful from another, while employees also gain a 'sense of security' that Mimecast is there protecting them from opening something rogue or infectious, when in fact Mimecast does not itself have the answer at this stage.

What’s The Solution?

Whilst watching Darktrace's Antigena Email run alongside Mimecast, Dan reveals that over the course of three days the customer received 155,008 emails containing links rewritten by Mimecast (see Figure 1). Of those emails with rewritten links, 1,478 were anomalous and were blocked by Darktrace's AI before they reached the recipient and caused any harm. The remaining 153,530 links had been unnecessarily rewritten.

Figure 1: Over 155,000 inbound emails contained rewritten Mimecast links

What is most worrying is that, once clicked, those anomalous links that needed stopping in their tracks could sit for potentially weeks before Mimecast took any meaningful action, because of its limitations in identifying real-time and first-encounter threats.

Dan goes on to explain the restrictions of legacy email protection tools in more detail and provides substantial evidence of why the metrics that tools such as Mimecast use to identify malicious behaviour will not keep your systems and client data safe. To read Dan's full blog and other related content, please click here.

In summary, and having seen the technologies in action ourselves, we can conclude that rewriting links cannot viably prevent malicious content from infecting your systems. In contrast, Darktrace's Antigena Email solution allows you to review your organisation's entire digital estate, not just links accessed from emails but network activity as a whole, and will lock or resolve any level of threat that it identifies as untrusted or malicious.

Protect Your Dynamic Workforce Today! In Real-Time…

While Mimecast rewrites everything in order to leave the door open and make assessments later on, Darktrace is able to take action when it needs to – before an email poses a threat to the inbox. The technology is uniquely able to do this due to its high success rates for malicious emails seen on first encounter and its sophisticated approach to detection that uses AI to catch a threat – regardless of whether or not that threat has been seen before.