Block
Site Access
and
User Credential Submission
from the start for known-bad URL categories, including: malware,
command-and-control, copyright-infringement, extremism, phishing, ransomware,
dynamic-dns, hacking (but make exceptions for internal PEN testers), and
proxy-avoidance-and-anonymizers.