Mailprotector encourages sign-in via inbox authentication rather than traditional passwords. Inbox authentication is widely used and accepted for password resets and therefore makes sense as an authentication method for an email gateway. However, some email security solutions are beginning to use URL click-thrus to scan for malicious email content. The side-effect causes inbox authentication sign-in links to expire before reaching the user's mailbox. Exceptions must be configured on the URL click-thru scan to prevent user login problems.
The alert users see is "You are trying to use a sign in link that is expired or invalid."
Mailprotector provides two standard sign-in links.
- Message review notification: sent to a user when new messages in the quarantine need to be reviewed. The default permission for review notification sign-in links allows for three click-thrus. The link expires after 72 hours as well.
- Sign-in link request: sent to a user when attempting to login to the Console from a web browser or requested after clicking on an expired message review notification link. Requested sign-in links expire after a single click or 15 minutes.
Users typically experience login problems when attempting to use the requested sign-in link.
Users with Microsoft Exchange Online mailboxes using certain Microsoft 365 subscriptions include a security feature called Safe Links. Microsoft has been deploying Safe Links automatically and by default with several current subscriptions. The default policy must be modified to create exceptions for Mailprotector sign-in links.
- Navigate to the Microsoft 365 Defender Safe Links policy page. Find the Email & collaboration menu and click on Policies & rules > Threat policies > Preset security policies
- On the Preset security policies page, you will see three policy names.
- Built-in protection must stay on.
- Standard protection is turned on.
- Ensure the Strict protection is turned off.
- Click on the Manage protection settings link under the Standard protection policy.
- On the Apply standard protection dialog, click the Next button leaving settings as they are until you reach the Trusted senders and domains section.
- Add the domain emailservice.io to the Add trusted email addresses and domains to not flag as impersonation and click the Next button.
- Click the Confirm button on the review page to save the changes to the standard policy.
NOTE: Microsoft continues to change and update the admin centers within Microsoft 365. If the configuration steps above do not match what you see, please contact Microsoft support to learn how to create an exception for emailservice.io with Safe Links.
Other URL Protections
Other URL protections may cause a similar problem with Mailprotector sign-in links. Please identify other solutions in the security stack that may be clicking through a link before a user and configure the exception.
Some of the URL scanning features that can cause expired or invalid login links:
- Endpoint anti-virus with URL protection
- Microsoft Outlook security plug-in software
- Next-generation firewalls with email URL scanning
- Other third-party secure email gateways with URL scanning