Click-Time Protection

Check Point's virtual inline technology provides phishing protection for emails after they have been scanned by Microsoft servers, but before they reach the user’s mailbox.

New attacks became more sophisticated and are able to generate phishing campaigns such that the phishing website they link to does not have any known bad reputation, sometimes for hours and days after the emails are sent.

Click-Time Protection replaces links in the email's body and attachments. The replaced links point to the Check Point inspection services, so that every time a user clicks on a link, the website behind the link is inspected to ensure it is not a phishing website.

Click-Time Protection uses these security engines for inspection.

URL Reputation - Checks if the URL is known to be malicious or holds any malicious references.
URL Emulation - Emulates the website to detect zero-day phishing websites.

Benefits

Most Up-to-Date Intelligence - Inspecting links when the user clicks on the URL allows Check Point to inspect the URL based on the latest inspection intelligence and software capabilities.
Protection against zero-day phishing websites - Inspecting links when the user clicks on the URL allows Check Point to follow the user into the website. Click-Time Protection then emulates the website to expose hidden Phishing indicators. So the Phishing websites that are not known to be malicious are also flagged.
Pointing out the users that clicked the malicious URL - Click-Time Protection forensics allows administrators to detect the users that require further education and training to avoid clicking on malicious links.

Note - Click-Time Protection is available only for Office 365 Mail and Gmail.

Interaction with Microsoft ATP

When other Secure Email Gateways (SEG) are deployed in front of Office 365 (not via API), Microsoft Advanced Threat Prevention (ATP) will not be able to inspect the URLs as they were re-written.

However, as Harmony Email & Collaboration interacts with Microsoft through API, there is no interference with ATP. ATP inspects the URL before Harmony Email & Collaboration re-writes them. So, Click-Time Protection can be used in addition to ATP, as an additional layer of protection.

Configuring Click-Time Protection Engine

To configure Click-Time Protection engine:

Navigate to Security Settings > Security Engines.
Click Configure for Click-Time Protection.
In the Click on links to malicious websites section, select the required option to handle the malicious websites.
- Prevent access to the malicious URL. User has option to proceed.
- Prevent access to the malicious URL. User cannot proceed.
- Do nothing

To replace the QR code in the body of the email to redirect to the rewritten link, select the Replace QR codes in email body checkbox.

Note - For the rewritten QR codes, the structure will be the same as V2 version even if you select to use V1 version. For more information, see Rewritten Check Point URL.

To emulate websites behind links to detect phishing websites with no bad reputation, select the Emulate websites via URL Emulation checkbox.

Note - If the Emulate websites via URL Emulation was disabled, and if the administrator enables it, it could take up to 20 minutes for the URL Emulation to start working.

To inspect files behind links, do these in the Clicks on links leading to file downloads section:
1. Select the Inspect files behind links checkbox.
2. Select a workflow:
  - Prevent download of malicious file. User has option to proceed and download.
  - Prevent download of malicious file. User cannot proceed.
  - Do nothing
3. To allow the download of files if the file inspection exceeds a specific time, do these:
  1. Select the Limit inspection time checkbox.
  2. In the Allow download if inspection takes more than (seconds) field, enter the time in seconds.
  For more information, see Protection Against Malicious Files Behind Links.

Under Advanced, select the required URL version (V1 or V2).

For more information about URL version, see Rewritten Check Point URL.

Note - Check Point recommends using V2 version.

Click Save.

Notes:

To start rewriting the links, you must configure a Click-Time Protection policy. To configure Click-Time Protection policy, see Click-Time Protection Policy.
To create Allow-List or Block-List for Click-Time Protection, see Click-Time Protection Exceptions.

Rewritten Check Point URL

The format of the rewritten Check Point URL is <click-time domain>_<original url>_<encrypted blob>. While configuring the Click-Time Protection engine, administrators can choose the <click-time domain> from these versions:

V1: https://checkpoint.url-protection.com/v1/
V2: https://protect.checkpoint.com/v2/

In the <click-time domain> V2 version, the original URL is surrounded by underscores, making it easier to identify the original (rewritten) URL. Also, the URL is shorter and the domain is different from V1 version.

Notes:

Check Point recommends using V2 version.
For rewritten QR codes, the structure will be the same as V2 version even if you select to use V1 version.

Validity of Rewritten URL

Harmony Email & Collaboration inspects the website behind the rewritten URL only when you have a valid license.
Rewritten URLs remain valid indefinitely, even when you do not have a valid license or when you delete the Infinity Portal.
After the license expires, Harmony Email & Collaboration redirects the rewritten URL to the original URL without inspection.
Harmony Email & Collaboration handles the rewritten URLs as described above regardless of the identity of the user that clicks the URL - internal user, external user, or unidentified user.

Therefore, even if the email is forwarded to a user in your organization that is not protected by Check Point, this user's click is also secured by Check Point.

Replacing Links Inside Attachments - Supported File Types

If you configured the Click-Time Protection Policy to replace links inside the attachments, the links get replaced for these file types:

File Type	File Extensions
Adobe FDF	FDF
Adobe PDF (all versions)	PDF
Microsoft Excel 2007 and later	XLSX, XLSB, XLSM, XLTX, XLTM, XLAM
Microsoft Excel 2007 Binary	XLSB
Microsoft Excel 97 - 2003	XLS
Microsoft PowerPoint 2007 and later	PPTX, PPTM, POTX, POTM, PPAM, PPSX, PPSM
Microsoft PowerPoint 97 - 2003	PPT, PPS, POT, PPA
Microsoft Word 2007 and later	DOCX, DOCM, DOTX, DOTM
Microsoft Word 97 - 2003	DOC, DOT

Protection Against Malicious Files Behind Links

The Anti-Malware security engine emulates the files behind direct download links before delivering them to end users. To prevent attacks in which the file behind the link is altered after the email is sent, this inspection will also take place when users click on such links after they are re-written by Click-Time Protection.

If the file behind the link is found to be malicious, and the Click-Time Protection security engine is configured to block it, access to the file will be blocked.

To configure the workflow in the Click-Time Protection security engine, see Configuring Click-Time Protection Engine.

Click-Time Protection - End-User Experience

After configuring Configuring Click-Time Protection Engine and Click-Time Protection Policy, Harmony Email & Collaboration replaces all URLs in the incoming emails and their attachments with a Check Point URL.

The URL also provides a tool-tip with the original URL, indicating that the link is protected by Check Point.

Note - Formatted tool tips are available on Microsoft Outlook for Mac, Outlook Web Access, and many other clients. Some clients, such as Outlook for Windows, limit the ability to present tool tips and will present the raw rewritten URL.

Clicks on Malicious Websites - End-User Experience

When a user clicks on the URL of a website, Harmony Email & Collaboration checks the target URL.

If the URL is not found to be malicious, the user will be redirected to the original URL.
If the URL is found to be malicious, the user is forwarded to a warning page.
- If the workflow for malicious URLs is Prevent access to the malicious URL. User has option to proceed in the Click-Time Protection security engine, an additional Proceed anyway link will be available in the warning page.

Clicks on Direct Download Links - End-User Experience

When a user clicks a direct download link, the Anti-Malware security engine emulates the file.

If the file is detected as malicious:
- If the configured workflow is Prevent download of malicious file. User cannot proceed, it blocks the file and shows the warning page.
- If the configured workflow is Prevent download of malicious file. User has the option to proceed and download, it blocks the file and shows the warning page. However, the user can click Download anyway to download the file.
If the file is detected as clean, it shows the notification and downloads the file.

Google Drive Preview Links

By default, in the Gmail interface, when there is a link to a file in Google Drive, the email shows the file preview as if it was attached to the email.

But, when Harmony Email & Collaboration rewrites the link, the file preview will not be showed.

Forensics

Each stage of the Click-Time Protection process is recorded for forensic and auditing purposes, from the original URL replacement to the result of the time-of-click scan.

Click-Time Protection processes the events as Malicious Url Click and Proceed to Malicious Url.

Malicious Url Click event is recorded when a user clicks on the rewritten URL and is redirected to the warning page or block page.
Proceed to Malicious Url event is recorded when the user clicks Proceed anyway in the warning page. See Configuring Click-Time Protection Engine.

For multiple recipients, each URL click would generate an event. Events are aggregated by default.

Viewing Emails with the Replaced Links

You can view these details in the Emails with Modified Attachments page.

Emails with attachments, where the links in the attachments were replaced. See Click-Time Protection.
Emails with attachments that were cleaned. See Attachment Cleaning (Threat Extraction).

Note - The page does not show emails where links in the email body were replaced.

Sending the Unmodified Emails to End Users

To send the original email to the end-user, do one of these.

From the Modified Attachments page.
1. Go to User Interaction > Modified Attachments.
2. To send a original email, click the icon for the email from the last column of the request table and select Send Original.
3. To send multiple emails at a time, select the emails and click Send Original from the top-right corner of the page.
4. Click OK.
From the Email profile page.
1. Open the email profile page.
2. In the Email Profile section, click Send for Send Original Email.
3. Click OK.

Viewing Replaced Links and User Clicks

From the Email Profile page
- Under Security Stack, for Click-Time Protection, administrators can view:
  - Replaced Links - All the links replaced by Click-Time Protection engine in the email body and its attachments
  - User Clicks – All the clicks performed by users (for clean and malicious websites)
- Under Email Attachments, attachments with replaced links will be marked with a small icon.
From the Attachment Info page, under Security Stack, administrators can see all the Replaced Links in the attachment.

The list of User Clicks on links inside the attachments and in the email body is available only on the Email Profile page and not on the Attachment info page.

Determining which User Clicked a Link

Identification of the user that clicked a link is based on a cookie Harmony Email & Collaboration adds to the clicking user's browser.

Identification procedure:

When a user clicks on a replaced link in an email sent to only one email address (click number 1), Harmony Email & Collaboration adds a cookie to the user's browser.
If the user clicks (click number 2) on another replaced link in an email using the same browser within 30 days of the previous click, and the email is sent to the same email address, the user's identity will be linked to that browser.
Click number 2 and all future clicks on replaced links (that are opened on the same browser) within the next 365 days will be attributed to the user, regardless of the number of email recipients.
After 365 days from click number 1, the cookie is removed from the browser, and the procedure restarts.

Example: Every row in this table describes a click on a replaced link by John Smith:

Date	Email recipients	John Smith's browser	Reported clicked user	Why the user is reported as the clicked user?
01 January 2023	John Smith	Cookie is added	Undetermined	One click is not enough to determine the user as John Smith.
02 January 2023	John Smith Mary Brown James Wilson	Cookie is still valid	Undetermined	Waiting for another click from this browser on links in emails with a single recipient.
03 January 2023 (or any date before 30 January 2023)	John Smith	Cookie is still valid	John Smith	John Smith clicked the replaced link (click number 2) in an email (sent only to one person) using the same browser within 30 days from the previous click. So, John Smith is reported as the clicked user.
20 February 2023 (or any date before 01 January 2024)	John Smith Mary Brown James Wilson	Cookie is still valid	John Smith	As the cookie is still valid, John Smith is reported as the clicked user though the email is sent to multiple users.
01 January 2024	John Smith	New cookie is added	Undetermined	Now, as 365 days are complete from the first click (click number 1), the old cookie is removed, a new cookie is added, and the user identification procedure starts again.