Jul 02, 2026 · 8 min read
Email Link Wrapping: How URL Rewriting Tracks You
Hover over almost any link in a corporate inbox and you won't see the real destination. You'll see a redirect through someone else's server, logging the click before you ever get there.
Open a corporate email and hover over a link before clicking it. There's a good chance the address in your status bar isn't the destination at all. It's something like urldefense.proofpoint.com/v2/url?u=... or nam02.safelinks.protection.outlook.com/?url=.... Somewhere between the sender and your inbox, a gateway intercepted every hyperlink in the message and swapped it for a redirect through its own infrastructure. That's link wrapping, and it now touches a majority of business email whether you asked for it or not.
Key Takeaways
- Proofpoint URL Defense, Microsoft Defender Safe Links, Mimecast URL Protect, and Barracuda Link Protect all rewrite inbound links into redirect URLs that route through the vendor's own domain before reaching the real destination.
- The rewrite serves two distinct purposes that get conflated: real time security scanning at the moment of click, and click analytics for marketing platforms that log every link a recipient opens.
- In June and July 2025, Cloudflare's Email Security team documented attackers abusing Proofpoint and Intermedia link wrapping to disguise phishing payloads behind trusted security domains, a technique security researchers now call multi tiered redirect abuse.
- Wrapped links can break link previews, obscure the true destination from the recipient, and create a permanent log of exactly which links you opened, when, and from what IP address.
- You can usually decode a wrapped URL manually or with a browser extension to see the real destination before you click.
What Is Email Link Wrapping?
Email link wrapping is the practice of replacing every hyperlink in a message with a redirect URL that points to the rewriting service instead of the original destination. The mechanism is the same whether the rewriter is a security gateway or a marketing platform: a mail filter parses the HTML and plain text body, finds every href, and substitutes it with a new URL that encodes the original address as a parameter or token.
A link to https://example.com/invoice processed by Proofpoint becomes something like https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_invoice&d=.... Microsoft's documentation for Safe Links describes the same pattern: the original link is wrapped in a Microsoft security URL, and evaluated in real time when clicked. Mimecast does it too, rewriting links to a domain such as url.us.m.mimecastprotect.com, and Barracuda's Link Protect follows the same design. None of this requires action from the sender or recipient. It happens transparently in the mail flow, which is why most people never notice it's there.
How Does URL Rewriting Track Your Clicks?
URL rewriting tracks your clicks by forcing every link through a server the rewriter controls before you reach the real page. Click a wrapped link and your browser first hits the rewriter's domain, a request that carries your IP address, timestamp, user agent, and often a unique token tied to your copy of the email. The rewriter logs that request, then fires an HTTP 302 redirect on to the actual destination. To you it takes a fraction of a second and looks like any other link. To the rewriter, it's now a permanent record of exactly which recipient clicked what, when, from where.
That mechanism serves two genuinely different purposes, and conflating them is the biggest source of confusion about link wrapping.
Security Scanning
Gateways like Proofpoint, Microsoft Defender, Mimecast, and Barracuda wrap links so they can perform what the industry calls time of click analysis. A link can be benign when the email is delivered and turn malicious hours or days later if an attacker swaps the content behind it. By routing every click through their own infrastructure, these vendors can check the destination against current threat intelligence and sandbox unfamiliar pages at the moment someone actually opens the link, not just at delivery time.
Click Analytics
Email marketing platforms wrap links for a different reason entirely: to measure engagement. Every wrapped link becomes a data point in a campaign dashboard showing which recipients clicked, how many times, and often which specific button or article link inside the same email performed best. There's no security scanning involved, just attribution. This is the same underlying mechanism covered in our guide on the difference between email open tracking and click tracking, and it's worth reading alongside this one because the two tracking methods often run side by side in the same message.
How Do You Spot a Wrapped Link?
You spot a wrapped link by hovering over it before clicking and checking whether the domain in your status bar matches the domain the email claims to link to. A few patterns to watch for:
- Proofpoint: URLs starting with
urldefense.comorurldefense.proofpoint.com/v2/url?, with the original address embedded after au=parameter. - Microsoft Defender Safe Links: URLs containing
safelinks.protection.outlook.comwith the real link after a?url=parameter. - Mimecast: Domains like
url.us.m.mimecastprotect.comor olderprotect-us.mimecast.comvariants. - Marketing platforms: Tracking subdomains tied to the sending platform's link tracking infrastructure, often a random looking string of characters with no readable destination at all.
Most gateways also offer a manual decoder. Proofpoint documents its own URL decoder in the Threat Insight Dashboard, and third party sites mirror the same function, letting you paste a wrapped link and see the original destination without clicking it. That's a reasonable habit for any link that looks unusual, arrives unexpectedly, or comes from a thread you weren't part of.
Can Attackers Abuse Link Wrapping?
Yes, and it's become one of the more effective phishing techniques of the past year. Between June and July 2025, Cloudflare's Email Security team tracked a cluster of campaigns abusing Proofpoint and Intermedia link wrapping to conceal phishing payloads. Source: Cloudflare threat intelligence report. In one documented case, a compromised account at an industrial supplier was used to inject malicious links into a legitimate B2B email thread, and those links were wrapped by the victim organization's own Proofpoint deployment, arriving in downstream recipients' inboxes disguised as trusted, security vetted URLs.
The technique works because people, and many automated scanners, associate the wrapper domain with safety rather than the underlying link. A urldefense.proofpoint.com or safelinks.protection.outlook.com prefix reads as reassuring, even though it only proves the sender's gateway processed the message, not that the destination is safe. Researchers have also described "multi-tiered redirect abuse," where attackers chain a URL shortener behind a wrapped link so the destination changes after the scan already approved it. CSO Online and SC World both covered the escalation of this technique through mid-2026, and IronScales documented a separate case where a compromised supplier's Proofpoint-wrapped links were used in a thread hijack against a downstream partner. Sources: CSO Online, IronScales analysis. There's a second, quieter issue: open redirects. If a rewriter's endpoint doesn't strictly validate the destination parameter, an attacker can construct a URL that passes through the trusted wrapper domain but lands on an arbitrary site, a known vulnerability class in redirect services generally.
Why Email Users Should Care
Link wrapping changes what your inbox reveals about you, because the tracking triggers only at the moment you click. If you work at a company running Proofpoint or Defender, every link you open in your work inbox generates a log entry on a server your employer's security team controls, tied to your account and timestamp. That's a reasonable trade for phishing protection, but worth knowing about, especially if you click personal links through a work managed account.
On the marketing side, the same mechanism powers per link click analytics in newsletters and promotional email. Combined with tracking pixels that log when you open a message, wrapped links let senders build a fairly complete picture of your reading habits: which emails you open, how long after delivery, and which links inside them you follow. If you've ever wondered whether it's safe to click unsubscribe, the same wrapped link mechanism is usually behind that link too. Gblock focuses on stripping tracking pixels from Gmail, and while it doesn't decode security gateway redirects, blocking the open tracking half of this equation meaningfully reduces what senders can infer about you.
What Can You Actually Do About It?
A few concrete defenses, roughly in order of effort:
- Hover before you click. Check the status bar for the real wrapper domain and compare it against the sender's claimed link text. A mismatch is the single most useful signal you have.
- Decode suspicious links before opening them. If a wrapped URL looks unusually long or arrives from a thread you weren't part of, decode it first rather than trusting the scanner caught everything.
- Don't treat the wrapper domain as a safety signal. It means a gateway processed the message, not that the destination was verified safe indefinitely.
- Ask IT about exclusion lists. Proofpoint and Microsoft both let administrators exclude trusted domains from rewriting, cutting noise without weakening protection elsewhere.
- Shrink what marketing links can learn about you. Reading email in plain text, avoiding link prefetching, and using a Gmail tracking blocker all reduce the profile senders can build from your inbox behavior.
Link wrapping isn't going away. Time of click scanning genuinely stops attacks that delivery time scanning misses, but the same mechanism logs every legitimate click too, and attackers have shown in 2025 and 2026 that they can turn the trusted wrapper domain into cover for phishing. Knowing how the rewrite works, and taking the ten seconds to hover and check, is now a basic part of reading email safely.