Navigating the Web: Links vs. Email Link Tampering

Akshit
3 min read · Mar 18, 2024


Have you ever noticed that certain emails include a button that directs you to a specific webpage? Additionally, there’s often a small disclaimer at the bottom advising recipients to manually copy and paste the URL into their web browser if the button fails to function.

Why is this additional disclaimer needed if the buttons work fine? 🤔

Surprisingly, certain email service providers, including Outlook, employ a robust security feature known as Advanced Threat Protection (ATP). This feature meticulously scrutinizes links and attachments within emails. However, what’s intriguing is that ATP selectively targets specific portions of the links — specifically those with large characters. In essence, it acts as a vigilant gatekeeper, ensuring that potentially harmful elements are thoroughly examined before granting access to recipients.

https://example.com/:id/:id?token={token_value}

For example, after an email containing the above link is received in Outlook, there is a chance that the link will be changed, causing an invalid-link error in your application even though, as far as you can tell, everything should be working fine. Have a great time debugging this issue 🙂.

Which email providers might cause the same issue?

Our team faced a puzzling issue that took nearly six hours to resolve. We had sent out hundreds of emails with similar links. Most of these links worked fine across various email providers, except for one common factor: the broken links occurred exclusively within the Outlook office suite in the European region. Other email providers didn’t exhibit any issues — at least not among the links accessed by different users. 🕵️‍♂️

How to tackle the email link tampering issue?

In our situation, we weren’t solely reliant on the token; we also had unique IDs that could accomplish the task. Ultimately, we decided to shorten our URL and remove the token. However, if you prefer to keep the token, consider including a brief disclaimer message alongside the link. This way, users have the option to access the raw link directly. 🌐🔗

If you have already shared links with tokens and those links are now failing, you can look for a common pattern in how the links were tampered with. In our case, all the numbers were shifted 3 values ahead: 1 changed to 4, 4 changed to 7, 8 changed to 1, and so on. All letters from a-z except ‘f’ were changed by +1 in ASCII value, and f changed to `. You might observe similar changes in your own token and come to a similar conclusion.

Note: There might be other email providers with similar errors, and we did not face this issue in all Outlook email providers, these were in only.
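The character changes described above can be written down as a mapping and reversed, which lets a backend recognise and repair a link that has already been sent. This is an added example, not code from the original post; `tamper`, `untamper`, `resolveToken`, the `isKnownToken` lookup and the sample token are assumptions made for illustration, and characters the post does not mention are assumed unchanged.

```javascript
// Added example: models the character changes this article reports for its
// own tokens. The mapping is an observation from one incident, not a
// documented behaviour of any mail provider.

// Forward mapping as described: digits +3 (wrapping), a-z +1 in ASCII,
// except 'f', which became '`'. Other characters are assumed unchanged.
function tamper(token) {
  return Array.from(token, (ch) => {
    if (ch >= '0' && ch <= '9') return String((Number(ch) + 3) % 10);
    if (ch === 'f') return '`';
    if (ch >= 'a' && ch <= 'z') return String.fromCharCode(ch.charCodeAt(0) + 1);
    return ch;
  }).join('');
}

// Inverse mapping for an already URL-decoded token value. Returns null when
// the input contains 'a' or 'g': the forward mapping can never produce those
// two letters, so such a token was not altered by this pattern.
function untamper(received) {
  let out = '';
  for (const ch of received) {
    if (ch === 'a' || ch === 'g') return null;
    if (ch >= '0' && ch <= '9') out += String((Number(ch) + 7) % 10);
    else if (ch === '`') out += 'f';
    else if (ch >= 'b' && ch <= '{') out += String.fromCharCode(ch.charCodeAt(0) - 1);
    else out += ch;
  }
  return out;
}

// Try the token exactly as received first; fall back to the reversed form
// only when there is no exact match. The candidate still has to pass the same
// lookup, so no extra tokens become valid. isKnownToken is a hypothetical
// lookup against the tokens the application issued.
function resolveToken(received, isKnownToken) {
  if (isKnownToken(received)) return { token: received, repaired: false };
  const candidate = untamper(received);
  if (candidate !== null && isKnownToken(candidate)) {
    return { token: candidate, repaired: true };
  }
  return null;
}

// Constructed sample token, not a value from the article.
const issued = new Set(['af19z8k4']);
console.log(resolveToken(tamper('af19z8k4'), (t) => issued.has(t)));
```

Logging the `repaired` flag per request shows how many recipients are still opening altered links, which helps decide when the fallback can be retired.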

Our debugging journey.

Our team discovered this issue through Zipy sessions. Initially, our links were failing, prompting us to thoroughly review our code. After extensive research on Google and Stack Overflow, we identified email link tampering as the culprit. Unfortunately, by the time we pinpointed the issue, hundreds of emails had already been sent. We initially shifted the token from the query to parameters, but session failures persisted. Eventually, we noticed a pattern in token changes and decided to remove the token altogether. Now, everything works flawlessly. 🌟🔍🔧

Akshit

Enthusiastic Software Developer skilled in JS, Python and AWS.