The URL Rewriting is one of three mechanisms comprising Hornetsecurity Advanced Threat Protection (ATP).

The URL Rewriting is responsible for testing URL's in incoming emails for any harmful content. To do so, the mechanism will rewrite any identifiable URLs in incoming emails in such a manner, that any URL opened from the email will be rerouted through our ATP filter, which acts as a web proxy and scans the content of the website before forwarding the user to the webpage.


Due to rewriting the URL, the recipient will notice some different behavior:

  • The URL from within the email will change

The mechanism will rewrite the URL in such a manner that the ATP filter will act as a web proxy. The structure of the URL will be: + a generic ending

  • When opening the website through the URL in the email, the recipient will see the Hornetsecurity ATP banner.

If you want to convert the cryptic URL back to its original state, you can use the URL Decoder.


In the following circumstances the URL Rewriting won’t be able to work as expected:

  • Signed/encrypted emails: Rewriting the URL would harm the email integrity
  • Using the URL Decoder: If the URL is not opened using the generic ATP URL, the ATP service will not be able to act as a web proxy

You should also pay attention to sub domains. If wanted, they need to be added, too.





The URL Rewriting as well as the Target Fraud Forensics Filter will need to be enabled through our customer support. Enabling the ATP filter through the Control Panel will not be sufficient.

To minimize the risk of False Positives, we recommend providing our customer support with a list of valid domains, so those can be added to a whitelist. Such domains could be – for example – any internal domains, not running the risk containing harmful content.