
[Question] Handling URL rewrite #27

Open
dreadfulangry opened this issue Sep 28, 2022 · 4 comments
Labels
question Further information is requested

Comments

@dreadfulangry

My environment passes all email through Cisco Secure Email Security, which will rewrite URLs with a neutral or unknown reputation to redirect them to the Cisco Web Security Proxy for click-time evaluation of their safety.

For those emails which slip through and are reported as suspicious/malicious, I would like to use ThePhish as my analysis and logging platform.

Does ThePhish have a capability to decode these URL rewrites so that the true URL is analyzed?

@dreadfulangry dreadfulangry added the question Further information is requested label Sep 28, 2022
@emalderson
Owner

At the moment ThePhish is only able to unshorten links that are shortened using some common URL shorteners; it doesn't support URL rewriting for specific platforms like the one you mentioned. However, if you know what steps are performed during this transformation, it may be trivial to write a function that reverts the process so that it's called before the URL is analyzed.

@dreadfulangry
Author

For the Cisco Email Security platform, the URL transformation appears to be like this:

Rewritten URL: `https://secure-web.cisco.com/[random characters]/[original URL, percent-encoded]`

For example: https://secure-web.cisco.com/1xt_Q6ZAR4wF9qSlDmUh0mMhtITq63qVuIdezFs9ZMTkLTplNMxejSax_GNnlh_1rXHOJyM80vpmLWh1V_-aGiS8XjBGoOP5F9LeO9yVnSrAOmikN_bT7CqzTROxLdf6_tWtloE9pOHutmhH3QhOInShi8d7WggTSLo7Ozlt9iMpcNSp3hdxP5TErotN0oJiBe8kIwx4bhat6F6g8GgqDVPZNSmoDEK5PcFPxaS0RF5lVzv5yMF2tY8DIewUW53Z-1CYjmhxe1CB7xjlqbQZLMT7quWcYcCRH41EQkQwQnj8HXQBXXGxBDI4dJm8apvJ6/https%3A%2F%2Fgithub.com%2Femalderson%2FThePhish%2Fissues%2F27%23issuecomment-1265259160

I believe a Python function like this can be used to revert the URL transformation process:

```python
from urllib.parse import unquote


def revert_url(rewritten_url):
    # The rewritten URL has the form https://secure-web.cisco.com/<token>/<encoded original>.
    # The original URL is the last path segment; because it is fully percent-encoded it
    # contains no literal "/", so split() returns it whole.
    original_url = rewritten_url.split("/")[-1]

    # Decode every percent-escape (%3A, %2F, and also %23 for "#", etc.), not just two of them,
    # otherwise the fragment in the example stays as "%23issuecomment-...".
    original_url = unquote(original_url)

    return original_url
```

This function takes a rewritten_url as input and returns the original URL by splitting the rewritten_url into parts using the / character as a separator, then taking the last part (the part after the last /) and replacing %3A with : and %2F with /.

I think you can use this function like this:

```python
rewritten_url = "https://secure-web.cisco.com/1xt_Q6ZAR4wF9qSlDmUh0mMhtITq63qVuIdezFs9ZMTkLTplNMxejSax_GNnlh_1rXHOJyM80vpmLWh1V_-aGiS8XjBGoOP5F9LeO9yVnSrAOmikN_bT7CqzTROxLdf6_tWtloE9pOHutmhH3QhOInShi8d7WggTSLo7Ozlt9iMpcNSp3hdxP5TErotN0oJiBe8kIwx4bhat6F6g8GgqDVPZNSmoDEK5PcFPxaS0RF5lVzv5yMF2tY8DIewUW53Z-1CYjmhxe1CB7xjlqbQZLMT7quWcYcCRH41EQkQwQnj8HXQBXXGxBDI4dJm8apvJ6/https%3A%2F%2Fgithub.com%2Femalderson%2FThePhish%2Fissues%2F27%23issuecomment-1265259160"

original_url = revert_url(rewritten_url)

print(original_url)
```

Which should output:

```
https://github.com/emalderson/ThePhish/issues/27#issuecomment-1265259160
```

@dreadfulangry
Author

BTW sorry for the slow reply! Happy to help more if I can?!

@tordormore

tordormore commented Feb 2, 2024

AppRiver (formerly ZixCorp) does something similar. It takes a URL and puts it in the format of (https://link.edgepilot.com/s/randomcharacters)u=(https://Original URL). NOTE: Parentheses added by me. Would love to have a feature added to automatically transform those back to the original URL.
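The two rewrite formats described in this thread (Cisco Secure Email's `https://secure-web.cisco.com/<token>/<percent-encoded original>` and AppRiver's `https://link.edgepilot.com/s/<token>` followed by `u=<original>`) can be handled by one small pre-processing step of the kind emalderson suggests: try each known decoder, and repeat until nothing matches, so that a rewrite wrapped inside another rewrite is also unwound. The code below is an added example, not part of ThePhish or of either vendor's documentation. It assumes the AppRiver `u=` parameter lives in the query string (i.e. `?u=`), which the comment above does not state explicitly, and it treats the decoded result as trustworthy only if it parses as an http(s) URL. The edgepilot sample inputs are constructed; the Cisco sample is the one posted earlier in this issue.

```python
"""Undo known mail-gateway URL rewrites before a URL is analyzed (added example)."""
from urllib.parse import unquote, urlsplit

CISCO_PREFIX = "https://secure-web.cisco.com/"


def decode_cisco_secure_web(url):
    """Return the original URL from a Cisco secure-web rewrite, or None if it is not one."""
    if not url.lower().startswith(CISCO_PREFIX):
        return None
    # After the host comes "<token>/<encoded original>". Partition on the first "/" rather
    # than taking the last segment, so an original that was not fully encoded (and thus
    # still contains literal "/" or "?") survives intact.
    _token, sep, encoded = url[len(CISCO_PREFIX):].partition("/")
    if not sep or not encoded:
        return None
    return unquote(encoded)


def decode_edgepilot(url):
    """Return the original URL from an AppRiver link.edgepilot.com rewrite, or None.

    Assumption (not confirmed by the thread): the original URL is the value of a "u="
    query parameter. The value is taken raw up to the end of the string, not through
    parse_qs, because an unencoded original containing "&" would otherwise be cut off.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() != "link.edgepilot.com" or not parts.path.startswith("/s/"):
        return None
    _, sep, query = url.partition("?")
    if not sep:
        return None
    if query.startswith("u="):
        return unquote(query[2:])
    marker = query.find("&u=")
    if marker >= 0:
        return unquote(query[marker + 3:])
    return None


DECODERS = (decode_cisco_secure_web, decode_edgepilot)


def unwrap_url(url, max_depth=5):
    """Strip all recognised rewrite layers; max_depth guards against decoder loops."""
    for _ in range(max_depth):
        for decoder in DECODERS:
            inner = decoder(url)
            # Only accept a decoded value that is itself a web URL; otherwise keep what we had.
            if inner and urlsplit(inner).scheme.lower() in ("http", "https"):
                url = inner
                break
        else:
            return url  # no decoder matched: this is the real URL
    return url


if __name__ == "__main__":
    sample = ("https://secure-web.cisco.com/1xt_Q6ZAR4wF9qSlDmUh0mMhtITq63qVuIdezFs9ZMTkLTplNMxejSax"
              "_GNnlh_1rXHOJyM80vpmLWh1V_-aGiS8XjBGoOP5F9LeO9yVnSrAOmikN_bT7CqzTROxLdf6_tWtloE9pOHutmhH3"
              "QhOInShi8d7WggTSLo7Ozlt9iMpcNSp3hdxP5TErotN0oJiBe8kIwx4bhat6F6g8GgqDVPZNSmoDEK5PcFPxaS0RF5l"
              "Vzv5yMF2tY8DIewUW53Z-1CYjmhxe1CB7xjlqbQZLMT7quWcYcCRH41EQkQwQnj8HXQBXXGxBDI4dJm8apvJ6/"
              "https%3A%2F%2Fgithub.com%2Femalderson%2FThePhish%2Fissues%2F27%23issuecomment-1265259160")
    print(unwrap_url(sample))
    # Constructed: a Cisco rewrite wrapping an AppRiver rewrite of https://example.com/
    nested = "https://secure-web.cisco.com/TOKEN/https%3A%2F%2Flink.edgepilot.com%2Fs%2Fabc123%3Fu%3Dhttps%3A%2F%2Fexample.com%2F"
    print(unwrap_url(nested))
```

In ThePhish this would be called on each extracted URL before it is sent to the analyzers, so the reputation lookups see the destination the user would actually reach rather than the gateway's redirector. Whatever vendor token is discarded here should still be kept in the case notes, since it is what the gateway's own click-time logs are keyed on.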
