DevToolKit

SafeLink & URL Protection Decoder

Decode Microsoft SafeLinks, Proofpoint, Barracuda, and Mimecast wrapped URLs with risk assessment and batch support.

Paste one URL per line for batch decoding. Supports Microsoft SafeLinks, Proofpoint V2/V3, Barracuda, Mimecast, and Google redirects.

Supported Services
Microsoft SafeLinksOutlook & Office 365 link protection*.safelinks.protection.outlook.com
Proofpoint V2URL Defense version 2 encodingurldefense.proofpoint.com/v2/
Proofpoint V3URL Defense version 3 with base64urldefense.com/v3/
BarracudaBarracuda link protection servicelinkprotect.cudasvc.com
MimecastMimecast URL protection (domain only)protect-*.mimecast.com
Google RedirectGoogle search result redirectsgoogle.com/url?q=
Cisco/IronPortCisco email security URL rewrite*.iphmx.com, *.trendmicro.com
Generic RedirectAny URL with url=, u=, or q= params?url=..., ?u=..., ?q=...
Was this tool helpful?

How to Use

When you receive an email through Microsoft 365, Proofpoint, or other email security gateways, links are often rewritten into long, unreadable URLs. This tool decodes those protected URLs back to their original destination so you can see where a link actually goes before clicking it.

  1. Paste the protected URL into the input area. Copy it directly from your email client — right-click the link and choose "Copy link address".
  2. The tool auto-detects which email security service wrapped the URL (SafeLinks, Proofpoint, Barracuda, Mimecast, etc.) and shows a color-coded service badge.
  3. View the decoded destination with a risk assessment badge. The tool checks for suspicious TLDs, IP-based URLs, typosquatting patterns, and HTTPS status.
  4. Copy the decoded URL or open it directly in a new tab using the "Open URL" button.
  5. Batch decode by pasting multiple URLs, one per line. Each URL is decoded independently with its own service detection and risk assessment.

All decoding happens locally in your browser. No URLs are sent to any server, making it safe to decode links containing sensitive tokens or internal company URLs.

About This Tool

Email link protection services rewrite URLs in outbound and inbound emails to route clicks through a security proxy. When a user clicks a rewritten link, the proxy checks the destination against threat intelligence databases in real-time before redirecting. This provides zero-day phishing protection even after an email has been delivered.

The most widely deployed services are Microsoft SafeLinks (part of Microsoft Defender for Office 365), Proofpoint URL Defense (used by enterprises and universities), Barracuda Link Protection, and Mimecast URL Protection. Each service uses a different encoding scheme:

Microsoft SafeLinks

SafeLinks wraps the original URL in a url query parameter on the safelinks.protection.outlook.com domain. Regional subdomains like nam02, eur01, or apc01 indicate the datacenter. Decoding is straightforward: extract the url parameter and run decodeURIComponent().

Proofpoint URL Defense

Proofpoint uses two encoding versions. V2 stores the URL in a u parameter with hyphens replacing percent signs and underscores replacing slashes. V3 embeds the URL in the path between __ delimiters, with asterisks as placeholders for characters stored separately in a base64-encoded suffix.

Other Services

Barracuda and Cisco/IronPort use standard query parameter encoding. Mimecast uses a token-based system where the original domain is stored in a domain parameter, though the full path may not be recoverable without the Mimecast API. This tool also handles Google search redirects and generic URL redirect patterns.

Why Use This Tool

Rewritten email links are frustrating to work with. Here are the most common reasons people need to decode them:

  • Phishing verification — Before clicking a link in a suspicious email, decode it to see the actual destination domain. The built-in risk assessment flags IP addresses, suspicious TLDs, and typosquatting patterns.
  • IT and security investigations — Security analysts processing phishing reports need to quickly extract original URLs from wrapped links to check them against threat intel feeds and blocklists.
  • Documentation and sharing — Rewritten URLs are ugly and fragile. When sharing links in documents, wikis, or tickets, paste the clean original URL instead of the wrapped version.
  • Debugging email deliverability — When testing email templates, decode the rewritten links to verify they point to the correct destinations before sending campaigns.
  • Batch processing — Extract original URLs from entire email bodies or log files by pasting multiple wrapped URLs at once. Each line is decoded independently.

Privacy

All URL decoding happens entirely in your browser using the native URL API. No URLs are transmitted to any server. This is critical because protected URLs often contain tracking tokens, session identifiers, and recipient email addresses in their parameters.

FAQ

What email security services are supported?
Microsoft SafeLinks, Proofpoint URL Defense (v2 and v3), Barracuda Link Protection, Mimecast, and Google search redirects.
Is my URL sent to a server?
No. All URL decoding happens locally in your browser using the native URL API. Your URLs are never transmitted.
Can I decode multiple URLs at once?
Yes. Paste multiple wrapped URLs, one per line. Each is decoded independently with service detection.
NavigateOpenEscClose