A simple Python script to decode URLs created by the Mimecast URL Protection feature.

URL Protection, part of the Mimecast Targeted Threat Protection email security product, offers end users an increased level of protection against malicious URLs embedded in emails. URLs in emails are replaced by unique URLs pointing to Mimecast servers, allowing various checks to be performed after a user has clicked on one of the links. The problem comes when a user wishes to retrieve the original URL without first visiting it. This is a common scenario for technical personnel. For example, a help desk technician might wish to investigate the hyperlinks embedded in a suspected spam email, or a cyber security analyst might wish to investigate a malware delivery email by following the link in a sandboxed environment.

Mimecast provides several methods for decoding URLs, but each presents its own challenges:

From an Enrolled Browser

The main issue with using the browser is that Mimecast automatically redirects you to the page. This is not desirable behaviour if you suspect the link might take you to a malicious web site.

Also, when Device Enrollment is configured, the encoded URL can only be decoded from a browser session which is enrolled. While device enrollment is quite straightforward, the enrollment status is not preserved in incognito/private browsing sessions. Also, you are stuck if you want to use command line tools such as curl or wget.

Decode Tool on the URL Protection Dashboard

On the surface, this sounds really promising. However, to use this, you need to be logged in to the Administration Console and navigate the web UI, which takes a lot of time considering that without the URL Protection feature, you only need to move the mouse over the link to see where it points to. Also, the dashboard page is only accessible by admins.

Use the Decode Function provided by the API

Mimecast has also very helpfully provided an API function that can be used to decode these URLs. This again is cumbersome without some additional wrapper script. Also, you will need to supply an API authentication token, which is of course good security, but unfortunately also requires you to have admin level access.

Mimecast has a built-in Preview URL feature; to use it, you need to paste the URL into an enrolled browser with an additional '+' character at the end of the URL. I only came across this while writing this tool and I must admit that this is quite a handy feature, albeit not intuitive to use. This is a great way to manually preview the URL, however the URL is actually displayed as an image, which is no good if you want to grab the URL as plain text to take to other systems. Also, I feel this can be a bit accident prone: if you forget to add the '+' or press Enter after pasting, you will be taken to the URL without further warning.

Solution

After some basic investigation, it appears that the enrollment status of a browser is simply kept in a single session cookie. This can be easily exported to other systems or used in command line tools such as curl. I decided to write a simple Python script to simulate the URL decoding process that happens in an enrolled browser. But rather than follow the redirection to the original URL, the script simply displays that URL in the console. This allows me to quickly decode a URL on the command line to see what it is, and in a format that can then be copied and pasted. The script requires a valid enrollment cookie "borrowed" from an already enrolled browser.
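
The approach described above (present the enrollment cookie, then read the redirect target instead of following it) can be sketched as follows. This is an added example, not the script this page describes. It assumes the service answers with an HTTP 3xx response carrying a `Location` header; the cookie name `enrollment`, the stub server and its URLs are hypothetical and constructed for an offline run.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

COOKIE_NAME = "enrollment"  # hypothetical; use the cookie name seen in your enrolled browser

def decode(protected_url, cookie_value, timeout=10):
    """Request the rewritten URL once and return the redirect target without visiting it."""
    parts = urlsplit(protected_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL")
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target, headers={"Cookie": f"{COOKIE_NAME}={cookie_value}"})
        resp = conn.getresponse()  # http.client never follows redirects itself
        resp.read()
        if resp.status in (301, 302, 303, 307, 308):
            return resp.getheader("Location")
        return None  # no redirect: cookie missing or expired, or an interstitial page
    finally:
        conn.close()

class _Stub(BaseHTTPRequestHandler):
    """Constructed stand-in for the rewriting service, for offline runs only."""
    def do_GET(self):
        if self.headers.get("Cookie") == f"{COOKIE_NAME}=valid":
            self.send_response(302)
            self.send_header("Location", "http://original.example/path?x=1")
        else:
            self.send_response(200)  # e.g. an enrollment prompt instead of a redirect
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), _Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/s/abc"
    try:
        return decode(url, "valid"), decode(url, "stale")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

A `None` result means no redirect was returned, which is the case to check first when a previously working cookie stops decoding.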