Proofpoint_url_defense Not Decoding correctly

I can, but I’m hesitant to do that in the plugin…the decode plugin is doing what it’s supposed to do. I’d rather give you a pystep before or after the plugin that does that to clean up the URLs. In programming parlance it’s a question of overloading responsibilities in the plugin (I don’t want the plugin to do things it’s not normally responsible for doing).

Check this out…I know Outlook (when editing email) uses some of the Word components…is this your problem by chance? Looks like this might be a Microsoft thing.

I’ll just do a pystep after to clean it up.
As far as MS stripping it that could be the case, but ironically it isn’t doing it to the begging two, I think ProofPoint is encoding it that way because it accounts for it in their API call. In my ExtractIT loop I pass the same variable to the ProofPoint action and a REST action to their API, the ProodPoint action returns one slash when the REST call returns two. If MS is stripping it, then this will always be the case because users are forwarding the message to the phishing mailbox so it will always be opened by Outlook first.