
For a few months now, many organisations have had URLs in incoming mail rewritten to be redirected through a checking service (Outlook Safelinks, Proofpoint, FireEye, Black Spider/Forcepoint). Because this makes links in text emails almost unreadable and because of archival considerations, I ‘unrewrite’ these before archiving the emails. This is fairly straightforward with most services. However, with Black Spider, I have no clue how to unencode it.

I (only) have the following plain and rewritten URLs:

  • https://ac.erikquaeghebeur.name
  • http://hybrid-web.global.blackspider.com/urlwrap/?q=AXicDcm9DcIwEAbQT2ICFrk4gCmogAEossHhnHCCf8LZicSMdFS0bAKvfesVxjfw-QIanu2mp6ILRR6Cy6lqDuRyhLG7k5jzxdj9trUIuY7yDy_pyLFU0Z4jpQBf61QOTcOORIf7Y2a5ebnKrJQ4CoDuBfwAuCYmZA&Z

So the string AXicDcm9DcIwEAbQT2ICFrk4gCmogAEossHhnHCCf8LZicSMdFS0bAKvfesVxjfw-QIanu2mp6ILRR6Cy6lqDuRyhLG7k5jzxdj9trUIuY7yDy_pyLFU0Z4jpQBf61QOTcOORIf7Y2a5ebnKrJQ4CoDuBfwAuCYmZA&Z must be decoded.

What I tried is unencoding assuming base64url encoding, guessing the final &Z can be dropped, because it is some extra information added by the rewriting service. I tried it using an on-line decoder and it did not work, i.e., it returned non-ASCII characters.

  1. Does anyone know, or can anyone figure out which encoding is being used?
  2. Or, does anyone know whether it is not an encoding, but just some string (hash?) mapping to the url in Forcepoint's server?
schroeder
equaeghe
  • Does this answer your question? [How to determine what type of encoding/encryption has been used?](https://security.stackexchange.com/questions/3989/how-to-determine-what-type-of-encoding-encryption-has-been-used) – multithr3at3d Jun 06 '20 at 22:48
  • @multithr3at3d: No, because the source (Black spider/Forcepoint) is known, there may be people that know, e.g., because they have documentation, what the situation is here. The context I provide makes it a different, more specific question for which a more specific answer should be possible. Note also my second question. – equaeghe Jun 07 '20 at 07:22
  • Your second question depends on the first. The first is answered by the duplicate question. If you want to know what's in the Black Spider documentation, please look up the documentation. – schroeder Jun 07 '20 at 07:29
  • @schroeder: In contrast to the suggested duplicate, there may not be encryption or hashing involved here at all. I did not manage to find documentation on Black Spider/Proofpoint's product. This may be due to a lack of Googling skills or it may just not be public. However, there may be contributors to this site who do have access to it. Also, any answer to this question is useful for others as well. – equaeghe Jun 07 '20 at 07:43
  • Ultimately, this is not a security question despite the thing generating the strings being a security tool. Please contact vendor support if the available documentation is not sufficient. – schroeder Jun 07 '20 at 08:21
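
An added example, not part of the original question or its comments: a diagnostic for the base64url attempt described in the question. It restores the `=` padding that URLs omit and, instead of expecting ASCII, checks the leading bytes for a zlib (RFC 1950) header. The function names are hypothetical, and nothing here is taken from vendor documentation.

```python
import base64
import zlib
from urllib.parse import urlsplit, parse_qs

# Rewritten URL exactly as quoted in the question above.
WRAPPED = ("http://hybrid-web.global.blackspider.com/urlwrap/?q="
           "AXicDcm9DcIwEAbQT2ICFrk4gCmogAEossHhnHCC"
           "f8LZicSMdFS0bAKvfesVxjfw-QIanu2mp6ILRR6C"
           "y6lqDuRyhLG7k5jzxdj9trUIuY7yDy_pyLFU0Z4j"
           "pQBf61QOTcOORIf7Y2a5ebnKrJQ4CoDuBfwAuCYm"
           "ZA&Z")

def extract_token(url):
    """Return the q= value; the bare trailing '&Z' carries no value and is dropped."""
    return parse_qs(urlsplit(url).query)["q"][0]

def b64url_decode(token):
    """base64url-decode after restoring the '=' padding that URLs usually omit."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

def find_zlib_header(data, max_offset=4):
    """Offset of the first plausible zlib header near the start, or None."""
    for off in range(min(max_offset, len(data) - 1)):
        cmf, flg = data[off], data[off + 1]
        # CM must be 8 (deflate), window <= 32K, and CMF/FLG a multiple of 31.
        if cmf & 0x0F == 8 and cmf >> 4 <= 7 and (cmf << 8 | flg) % 31 == 0:
            return off
    return None

def inspect(url):
    """Decode the token and report what the first bytes look like."""
    raw = b64url_decode(extract_token(url))
    off = find_zlib_header(raw)
    inflated = None
    if off is not None:
        try:
            inflated = zlib.decompress(raw[off:])
        except zlib.error:
            inflated = None  # header-like bytes, but not a valid stream
    return {"length": len(raw), "prefix": raw[:off or 0],
            "zlib_offset": off, "inflated": inflated}

if __name__ == "__main__":
    report = inspect(WRAPPED)
    print(report["length"], report["prefix"].hex(), report["zlib_offset"])
    print(report["inflated"])
```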

0 Answers