
URL and QR code protection

In URL and QR code protection, you can choose what happens to messages that contain malicious links or QR codes.

Note

If an email contains a link on the Internet Watch Foundation's criminal URL list, we're legally required to delete the email. We're also legally required not to display the link anywhere in Sophos Central, including Message History. See IWF: URL List.

We always delete these emails. We don't use the settings in your Email Security policies.

To expedite email processing and prevent delays, URL protection stops scanning a message when it encounters a large number of URLs. For security reasons, we don't publish the limit we use.

For enhanced security, a message with too many URLs gets quarantined and marked as Unscannable - Excessive URLs. This security measure helps prevent attackers from hiding malicious URLs among a large number of URLs in a message. Given the risk, the Un-scanned emails setting on the Email Security policy configuration and allowed senders can't bypass URL protection.

Sophos Email also scans QR codes found in the email body and in attachments, such as common file and image formats. If a QR code contains a URL, we extract it and apply the same detection logic and policy actions as we do for regular URLs. You can view the extracted URLs in the URL tab on the Message Details page under the Message History report. We check whether the URL or QR code links to a harmful or suspicious website. If it does, we take action on the message, such as quarantining or deleting it.

If you quarantine the message and then release it, it's delivered, and the URLs aren't rewritten.

URL and QR Code scan

If you turn on QR Code Scanning, Sophos Email scans messages for malicious URLs and QR codes that may lead to unsafe websites, malware, ransomware, or phishing sites.

You can choose how Sophos Email scans QR codes by selecting one of the following options:

  • Extract URLs and scan for potential threats (Recommended): Extracts any URLs from QR codes in images and attachments, then checks them for known threats or criminal content. If a threat is detected, the configured action is applied to the message.
  • Detect all emails with QR Codes: Applies your configured action to all messages that contain a QR code, even if the QR code is clean. The contents of the QR code aren't scanned or analyzed.

You can then choose what action to take on messages that contain malicious URLs or QR codes.

Select from the following options:

  • Quarantine (Recommended): The message is held in quarantine. You can release quarantined messages when you're sure they're safe.
  • Delete: The message is deleted immediately.

If you select Include in End User Quarantine, your users can check, release, or delete messages. See End User Quarantine.

If a quarantined message with "URL/QR Code" as the reason is released, the user receives a new email, with the original malicious email attached as a password-protected ZIP file. The new email contains the password to open the ZIP attachment.

Time of Click URL Protection

If you turn on Time of Click URL Protection, URLs contained within inbound messages are rewritten to point to Sophos Email Security instead of the original destination.

When you click the link, Sophos Email Security performs an SXL lookup on the URL. If the URL is malicious, it's blocked. If the URL is clean, the action taken when you click the link depends on what you've specified in your policies. For example, if you've set medium risk websites as allowed, when the link is checked and classified as not malicious, the link takes you to the original link destination.

Note

URLs you add to the Time of Click allow list are never rewritten.

Restriction

Time of Click doesn't rewrite URLs in QR codes.

If you hover over a rewritten link, you can see the destination domain name at the start of the rewritten URL, in the format d=domain.com. This means you can see where the link goes.

Here's an example of a rewritten URL, with the domain highlighted after the Sophos server address.

Example rewritten URL.

Warning

Sophos Email can't re-evaluate a URL after another product has rewritten it.

You can select the action you want to take for websites with the following reputation levels:

  • High risk: Includes illegal sites, sites containing malware, and phishing sites.
  • Medium risk: Includes sites associated with spam and anonymizing proxies.
  • Unverified: The reputation of the website can't be verified.

You can't allow high-risk websites.

You can also control whether URLs are rewritten in plain text messages and within securely signed messages:

  • Plain text messages: Refers to emails with no HTML formatting. Without HTML formatting, the entire encoded URL shows in the email when URL rewriting is turned on. You can bypass URL rewriting in these messages by deselecting the Re-write URLs in plain text messages option.
  • Securely signed messages: URL rewriting may break the signatures of S/MIME, PGP, and DKIM signed messages. You can bypass URL rewriting in these messages by deselecting the Re-write URLs within securely signed messages option.

    Warning

    Be careful if you choose not to modify securely signed messages, as those messages would lose protection. The URLs won't be rewritten and smart banners won't be applied to signed messages.
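
The DKIM case above, as an added example (not Sophos code): DKIM signs a hash of the canonicalized body (the bh= tag, RFC 6376), so a rewritten link changes that hash even under the tolerant "relaxed" canonicalization, which only absorbs whitespace changes. The gateway host and the u= parameter are hypothetical; only d= comes from this page, and the message body is constructed.

```python
import base64, hashlib, re
from urllib.parse import quote

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of spaces/tabs to one space, drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a verifier compares with the signature's bh= tag (SHA-256, no l= tag)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def rewrite_urls(body: bytes, gateway: bytes) -> bytes:
    """Stand-in rewriter. Only d=<domain> is documented on this page;
    the gateway host and the u= parameter are hypothetical."""
    def repl(m):
        return (gateway + b"?d=" + m.group(1)
                + b"&u=" + quote(m.group(0), safe="").encode())
    return re.sub(rb"https?://([^/\s\"'<>]+)[^\s\"'<>]*", repl, body)

def dkim_body_survives(signed: bytes, delivered: bytes) -> bool:
    """True if the delivered body still matches the hash the sender signed."""
    return body_hash(signed) == body_hash(delivered)

# Constructed sample body, as the sender signed it.
SIGNED = (b"Hello,\r\n\r\n"
          b"Your invoice is ready: https://billing.example.com/inv/1042\r\n"
          b"Regards\r\n")
# A relay that only touches whitespace: relaxed canonicalization absorbs this.
RESPACED = (SIGNED.replace(b"ready: ", b"ready: \t ")
                  .replace(b"Regards", b"Regards  ") + b"\r\n")
# The same body after link rewriting.
REWRITTEN = rewrite_urls(SIGNED, b"https://rewriter.example.invalid")

if __name__ == "__main__":
    print("bh as signed        :", body_hash(SIGNED))
    print("whitespace changed  :", dkim_body_survives(SIGNED, RESPACED))
    print("bh after rewriting  :", body_hash(REWRITTEN))
    print("rewritten survives  :", dkim_body_survives(SIGNED, REWRITTEN))
```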

See URL allow list.

Warning

If you turn on Time of Click URL Protection and use a Google email server, you may see DMARC failures reported for inbound messages.

This might be because Google doesn't consistently process emails from IP addresses in its Gateway IPs list. To check your email settings and find out more, see Restrict delivery to Sophos IP addresses.