Password Reset Loop

Whitelistiing in ATP Safelink and other email security tools

Written by Peter Akeley
Updated over a week ago


Spearphishing emails with dangerous links are legitimate concerns for many organizations including ThreatSwitch and its customers. Many IT departments deploy URL rewriting software to identify and "quarantine" potentially dangerous URLs, but sometimes the rules behind these security suites are overly aggressive and break otherwise safe and important URLs such as those required for password reset flows.

ThreatSwitch Password Reset and URL Rewriting

If the links included in ThreatSwitch's password reset emails are modified in any way, it can cause the user to be stuck in a "loop" where they are unable to successfully complete the reset process.

When conducting a password reset, the URL included in the email should be in the following format:

Any deviation from the password reset format will cause a password loop. Companies using email security tools that adjust links will need to whitelist ThreatSwitch.

Outlook ATP Safelinks

If using Outlook ATP Safelinks, policies need to be updated in order for links to come through without modification. If password reset emails are being modified by Safelinks, the URL string will be preceded by:

IT Teams will need to add a whitelist policy to their ATP Safelinks for the domain: Please see the relevant 365 support article for more information.

It is recommended to use a generic wildcard format around to ensure that all ThreatSwitch links function.

Mimecast URL Protect

Mimecast's URL protect rewrites certain URLs which can send users into a password reset link. A Mimecast URL policy needs to be added whitelisting Threatwitch.

General Troubleshooting

If you have encountered a password reset loop and have remedied it but are still having issues, or are generally having difficulties with password resets read below.

Password reset security considerations to know:

  1. Password reset URLs contained in ThreatSwitch's password reset emails expire after 1 hour.

  2. Password reset urls are "one time use". If a url was used previously, even in an unsuccessful password reset attempt, a user will need to initiate another password reset flow from the password reset page.

  3. Cookies must be enabled for the domain otherwise the password confirmation process cannot proceed and will result in an error message.

Did this answer your question?