Add Support for Proofpoint URL Defense (v1, v2, v3)
Introduction
Proofpoint URL Defense is a popular corporate security tool that scans incoming emails for known malicious hyperlinks and rewrites them into a standardized format. This article provides an overview of the three versions of Proofpoint URL Defense (v1, v2, and v3) and their respective URL rewriting formats. We will also provide untested AI-generated rules for each version.
Proofpoint v1 (Parameter-Based Encoding)
Proofpoint v1 uses a parameter-based encoding format, where the original URL is encoded as a parameter in the URL. The format is as follows:
https://urldefense.proofpoint.com/v1/url?u=<encoded_url>&k=...
The u parameter contains the encoded URL, and the k parameter contains a key used for decoding.
Example 1
https://urldefense.proofpoint.com/v1/url?u=http://www.bouncycastle.org/&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=IKM5u8%2B%2F%2Fi8EBhWOS%2BqGbTqCC%2BrMqWI%2FVfEAEsQO%2F0Y%3D%0A&m=Ww6iaHO73mDQpPQwOwfLfN8WMapqHyvtu8jM8SjqmVQ%3D%0A&s=d3583cfa53dade97025bc6274c6c8951dc29fe0f38830cf8e5a447723b9f1c9a
Result
http://www.bouncycastle.org/
Example 2
https://urldefense.proofpoint.com/v1/url?u=http://273581.blogspot.in&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=FGyPC8ZSvBkKihkoeKgCmjuZI2qYJ8xvSchS1aM1v%2Fc%3D%0A&m=qLIznQNR7IEQMWupRLJS911Wa1eCAcyA59ksdF17tcA%3D%0A&s=a5e5b1dc50e65548c1f705fea389d97f2a568882fd391c4f0db20cfe073a7af7
Result
http://273581.blogspot.in
Untested Rule for Proofpoint v1
```json
{
  "providers": {
    "Proofpoint v1": {
      "urlPattern": "^https://urldefense(?:\\.proofpoint)?\\.com/v1/url\\?.*",
      "redirections": [
        {
          "pattern": ".*[?&]u=([^&]+).*",
          "replacement": "$1",
          "decode": true
        }
      ],
      "forceRedirection": true
    }
  }
}
```
Proofpoint v2 (Character-Substituted Encoding)
Proofpoint v2 uses a character-substituted encoding format, where the original URL is encoded by substituting certain characters.
Format
https://urldefense.proofpoint.com/v2/url?u=<special_encoded_url>&d=<flags>&c=...
Example 1
https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt3337.com_ctt-3Fkn-3D3-26ms-3DMzQ3OTg3MDQS1-26r-3DMzkxNzk3NDkwMDA0S0-26b-3D0-26j-3DMTMwMjA1ODYzNQS2-26mt-3D1-26rt-3D0&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=MujLDFBJstxoxZI_GKbsW7wxGM7nnIK__qZvVy6j9Wc&m=QJGhloAyfD0UZ6n8r6y9dF-khNKqvRAIWDRU_K65xPI&s=ew-rOtBFjiX1Hgv71XQJ5BEgl9TPaoWRm_Xp9Nuo8bk&e=
Result
http://links.mkt3337.com/ctt?kn=3&ms=MzQ3OTg3MDQS1&r=MzkxNzk3NDkwMDA0S0&b=0&j=MTMwMjA1ODYzNQS2&mt=1&rt=0
Example 2
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dcnewsnow.com_living-2Dlocal-2Ddmv_best-2Dchampagnes-2Dto-2Dring-2Din-2Dthe-2Dnew-2Dyear-2Dwith-2Dla-2Dboheme_&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=TzxNEAPVqkZK05S_pt5QBfPwZ2NTW-DyaXcE-WvbnBw&m=SHYmvtp6NSxUTdhJyPMS0re3hFc5wuZwV56k1_8nkDUbh54fvHtSiWYHQd-bUK9q&s=zAfZEmWOYNZcCo5FHAsdf_HDJt_4ImTY2WJe1XY1rww&e=
Result
https://www.dcnewsnow.com/living-local-dmv/best-champagnes-to-ring-in-the-new-year-with-la-boheme/
Note
v2 URLs use - in place of % and _ in place of /, and both substitutions need to be reversed.
Untested Rule for Proofpoint v2
```json
{
  "providers": {
    "Proofpoint v2": {
      "urlPattern": "^https://urldefense(?:\\.proofpoint)?\\.com/v2/url\\?.*",
      "redirections": [
        {
          "pattern": ".*[?&]u=([^&]+).*",
          "replacement": "$1",
          "decode": true
        },
        {
          "pattern": "-",
          "replacement": "%"
        },
        {
          "pattern": "_",
          "replacement": "/"
        }
      ],
      "forceRedirection": true
    }
  }
}
```
Proofpoint v3 (Double Underscore __ Wrapping)
Proofpoint v3 uses a double underscore __ wrapping format, where the original URL is wrapped between __ markers.
Format
https://urldefense.com/v3/__<original_url>__...
Example 1
https://urldefense.com/v3/__https://google.com:443/search?q=a*test&gs=ps__;Kw!-612Flbf0JvQ3kNJkRi5Jg!Ue6tQudNKaShHg93trcdjqDP8se2ySE65jyCIe2K1D_uNjZ1Lnf6YLQERujngZv9UWf66ujQIQ$
Result 1
https://google.com:443/search?q=a+test&gs=ps
Example 2
https://urldefense.com/v3/__https:/www.healthaffairs.org/doi/full/10.1377/hlthaff.2024.00452?utm_campaign=march*2025*issue&utm_medium=email&_hsenc=p2ANqtz--1UtwuwdFSFcDhgrRowAjYInCOkvC-i1aM4HIyHQqK2P6fRHtXwrzzgWqPwFKWCQc7WDkHUi6lYzxahogkIm0B-x8KvA&_hsmi=348087923&utm_content=ahead*of*print&utm_source=hat__;KysrKw!!F9wkZZsI-LA!AnYx62yTcCGzXVzIxcCIoMgSHAq-S3UkrBnGvqJIglEbffLc4vDdeJJ0rRYNjF5WfXmGBx3vMgCMELYj7wwKVi0$
Result 2
https://www.healthaffairs.org/doi/full/10.1377/hlthaff.2024.00452?utm_campaign=march+2025+issue&utm_medium=email&_hsenc=p2ANqtz--1UtwuwdFSFcDhgrRowAjYInCOkvC-i1aM4HIyHQqK2P6fRHtXwrzzgWqPwFKWCQc7WDkHUi6lYzxahogkIm0B-x8KvA&_hsmi
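A decoder for the three formats described above, as an added Python example (not code from the original page or from Proofpoint). The v1 and v2 steps follow the page; for v3, filling the `*` placeholders from the base64 segment after `__;`, including the `**X` run tokens, is an assumption that goes beyond what the page shows.

```python
import re
from base64 import urlsafe_b64decode
from urllib.parse import unquote, urlsplit

HOSTS = {"urldefense.proofpoint.com", "urldefense.com"}  # hosts from the rules above
V3 = re.compile(r"/v3/__(?P<url>.+?)__;(?P<b64>.*?)!")
# v3 run tokens (assumption, not shown on the page): "**A" = 2 chars, "**B" = 3, ...
RUN = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

def _param_u(rewritten):
    m = re.search(r"[?&]u=([^&]+)", rewritten)
    if not m:
        raise ValueError("no u parameter")
    return unquote(m.group(1))

def _v3(rewritten):
    m = V3.search(rewritten)
    if not m:
        raise ValueError("malformed v3 URL")
    b64 = m["b64"]
    fill = urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-8")
    pos = 0
    def token(t):
        nonlocal pos
        n = RUN.index(t[0][2]) + 2 if len(t[0]) == 3 else 1
        if pos + n > len(fill):
            raise ValueError("replacement bytes exhausted")
        pos += n
        return fill[pos - n:pos]
    url = re.sub(r"\*(\*.)?", token, unquote(m["url"]))
    # Example 2 above arrives as "https:/host"; restore the second slash.
    return re.sub(r"^([a-z0-9+.-]+:/)(?=[^/])", r"\1/", url, flags=re.I)

def decode(rewritten):
    """Return the original URL as a string for analysis; nothing is fetched."""
    parts = urlsplit(rewritten)
    if parts.scheme != "https" or parts.hostname not in HOSTS:
        raise ValueError("not a URL Defense link")
    if parts.path.startswith("/v1/"):
        out = _param_u(rewritten)
    elif parts.path.startswith("/v2/"):
        out = unquote(_param_u(rewritten).translate(str.maketrans("-_", "%/")))
    elif parts.path.startswith("/v3/"):
        out = _v3(rewritten)
    else:
        raise ValueError("unknown version")
    if urlsplit(out).scheme not in ("http", "https"):
        raise ValueError("decoded target is not http(s)")
    return out
```

Because `decode` only returns a string, its output can feed indicator matching or log enrichment without the analysis host contacting the decoded destination.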
Q&A: Proofpoint URL Defense (v1, v2, v3)
Q: What is Proofpoint URL Defense?
A: Proofpoint URL Defense is a popular corporate security tool that scans incoming emails for known malicious hyperlinks and rewrites them into a standardized format.
Q: What are the different versions of Proofpoint URL Defense?
A: There are three versions of Proofpoint URL Defense: v1, v2, and v3. Each version has a different URL rewriting format.
Q: What is the format of Proofpoint v1?
A: The format of Proofpoint v1 is https://urldefense.proofpoint.com/v1/url?u=<encoded_url>&k=..., where the u parameter contains the encoded URL and the k parameter contains a key used for decoding.
Q: What is the format of Proofpoint v2?
A: The format of Proofpoint v2 is https://urldefense.proofpoint.com/v2/url?u=<special_encoded_url>&d=<flags>&c=..., where the u parameter contains the encoded URL and the d parameter contains flags used for decoding.
Q: What is the format of Proofpoint v3?
A: The format of Proofpoint v3 is https://urldefense.com/v3/__<original_url>__..., where the original URL is wrapped between __ markers.
Q: How do I decode a Proofpoint v1 URL?
A: To decode a Proofpoint v1 URL, you need to extract the u parameter and decode it using the key provided in the k parameter.
Q: How do I decode a Proofpoint v2 URL?
A: To decode a Proofpoint v2 URL, you need to extract the u parameter and decode it using the flags provided in the d parameter. You also need to correct the character substitutions used in the URL.
Q: How do I decode a Proofpoint v3 URL?
A: To decode a Proofpoint v3 URL, you need to extract the original URL wrapped between __ markers and decode it.
Q: What are the untested rules for each version of Proofpoint URL Defense?
A: The untested rules for each version of Proofpoint URL Defense are provided below:
- Proofpoint v1: ```json "providers" ], "forceRedirection": true } } }
- Proofpoint v2:
```json
{
  "providers": {
    "Proofpoint v2": {
      "urlPattern": "^https://urldefense(?:\\.proofpoint)?\\.com/v2/url\\?.*",
      "redirections": [
        {
          "pattern": ".*[?&]u=([^&]+).*",
          "replacement": "$1",
          "decode": true
        },
        {
          "pattern": "-",
          "replacement": "%"
        },
        {
          "pattern": "_",
          "replacement": "/"
        }
      ],
      "forceRedirection": true
    }
  }
}
```
- Proofpoint v3: ```json "providers" ], "forceRedirection": true } } }
Q: How do I use these untested rules?
A: You can use these untested rules by implementing them in your URL decoding logic. However, please note that these rules are untested and may not work as expected.
Q: Where can I find more information about Proofpoint URL Defense?
A: You can find more information about Proofpoint URL Defense on the Proofpoint website, including documentation and FAQs.