Educause Security Discussion mailing list archives
Re: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?
From: "Zsigalov, Deb" <dzsigalov () TNTECH EDU>
Date: Wed, 28 Nov 2018 20:08:15 +0000
I realize that this thread is from last month, but Josh, if you are willing to share how you are accomplishing the banner in O365, it would be greatly appreciated! You can contact me directly via the email in my signature.

Many thanks!
Deb

Deb Zsigalov, CISSP, CISA, CRISC
Chief Information Security Officer
Information Security
CH216A Box 5071
1010 N. Peachtree Ave
Cookeville, TN 38505
P 931-372-3913
E dzsigalov () tntech edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Sosnin, Josh
Sent: Wednesday, October 24, 2018 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

Charles,

That was a concern here as well. If you scroll below, you should see the message body notice one single time. Same with the subject line. It’s a tradeoff that could be taken advantage of, but everything is a balancing act.

--
Josh Sosnin | VP and CISO | ellucian | 215.779.1323 (m) | www.ellucian.com

CONFIDENTIALITY: This email (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this email in error, please notify the sender and delete this email from your system. Thank you.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Charles Curtis <ccurtis () AUSTINCOLLEGE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, October 24, 2018 at 11:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

We tried the EXT approach several years back using Outlook, but it was withdrawn when Recruiting and Fund-Raising email conversations ended up with 7 EXT’s (or more) in the subject line as messages got replied to and we got negative feedback. Have you found a way to avoid the multiple instances of EXT in your messages involved in a continuing thread?

Our campaign of periodic reminders and examples of spoofed communications has helped to keep down the incidents of people responding to them, and we have also targeted specific departments with retraining on procedures involving those officials who are most likely to be spoofed.

Charles

Charles Curtis
Executive Director of Information Technology
Austin College
900 North Grand Avenue
Sherman, TX 75090-4400
Phone: 903.813.2088
www.austincollege.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Sosnin, Josh
Sent: Wednesday, October 24, 2018 10:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

As you can see below, we use a banner and “[EXT]” in the subject. This works well as an anchor for education (I have the numbers to prove it). In addition, you may want to explore additional text if the email is coming from an external source and includes those keywords (HR, payroll, direct deposit, bank account) or names of executives.

If anyone needs details on how we do this with O365, feel free to reach out.

Thanks,
Josh

--
Josh Sosnin | VP and CISO | ellucian | 215.779.1323 (m) | www.ellucian.com

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "St-Jean, Daniel" <Daniel_St-Jean () BANFFCENTRE CA>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, October 24, 2018 at 10:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

**External Email**

Hi -,

One thing we are looking at is prepending all external emails’ subject with “[External]: “. While this would not block the email, it would become a red flag if an email is spoofing the identity of an internal account.

My understanding is that you can set up a rule on a specific Inbound Connector in Exchange and add a rule to check whether the Sender is authenticated or not.

Regards,

Daniel St-Jean
Senior Systems Analyst, IT/S
Banff Centre for Arts and Creativity
107 Tunnel Mountain Drive
Box 1020, Banff, Alberta
Canada T1L 1H5
Tel: 403.762.6263
banffcentre.ca

Banff Centre for Arts and Creativity is located on the lands of Treaty 7 territory. We acknowledge the past, present, and future generations of Stoney Nakoda, Blackfoot, and Tsuut’ina Nations who help us steward this land, as well as honour and celebrate this place.

This message has been sent by an employee of Banff Centre. If you have received this communication in error or do not wish to receive electronic communications from this individual in the future please respond by simply typing ‘unsubscribe’ in the subject line and returning to the sender. Subsequently you will not be contacted without reason.

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John R. LaPrad
Sent: Wednesday, October 24, 2018 6:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

Hello Colleagues,

I am wondering what other universities are doing to block emails to users that have spoofed official people or offices on campus. Emails claiming to be from HR or Payroll, or the President.

Do you have a way to 'guarantee' official communications so that end users can easily distinguish between the real and the fake?

We have an Office 365 email environment and also have many third party organizations that send mail, for our, as our, domain.

Any and all thoughts are welcome.

Thank you for your time

John LaPrad - CISSP, CIHE, GIAC/GMON
Information Systems Security Manager
Saginaw Valley State University
7400 Bay Rd.
University Center, MI
Phone: 989-964-7134
jrl () svsu edu
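
The thread describes a subject tag, a body banner and a keyword-triggered warning for external mail, each applied only once per conversation. The following is an added example of Exchange Online mail flow rules for that approach, not part of any message above and not any poster's actual configuration; the rule names, marker strings and keyword list are assumptions.

```powershell
# Added example: assumes an Exchange Online PowerShell session is already open
# (Connect-ExchangeOnline). Names, markers and keywords below are assumptions.

$tag     = '[EXT]'                      # subject marker, as used in the thread
$banner  = 'External Email Notice'      # constructed marker phrase for the banner
$warning = 'Payroll Request Caution'    # constructed marker phrase for the warning

# Conditions shared by all three rules: mail from outside to internal recipients.
$scope = @{
    FromScope   = 'NotInOrganization'
    SentToScope = 'InOrganization'
    Mode        = 'Audit'   # log matches only; switch to Enforce after review
}

# 1. Prepend the subject tag once. The exception stops the tag from stacking
#    ("[EXT] RE: [EXT] RE: ...") as a conversation is replied to.
New-TransportRule @scope -Name 'External - subject tag' `
    -PrependSubject "$tag " `
    -ExceptIfSubjectContainsWords $tag

# 2. Prepend a body banner once. The exception keys on the marker phrase, so a
#    reply that still quotes an earlier banner is not bannered again. It matches
#    any message carrying the phrase, which is the tradeoff noted in the thread.
New-TransportRule @scope -Name 'External - body banner' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p><b>$banner</b>: this message was sent from outside the organization.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ExceptIfSubjectOrBodyContainsWords $banner

# 3. Extra warning when external mail mentions the topics most often used in
#    impersonation of HR or Payroll (keyword list taken from the thread).
New-TransportRule @scope -Name 'External - payroll keyword warning' `
    -SubjectOrBodyContainsWords 'HR','payroll','direct deposit','bank account' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p><b>$warning</b>: verify this request through a known internal contact before acting.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ExceptIfSubjectOrBodyContainsWords $warning

# Review what was created and in which order the rules are evaluated.
Get-TransportRule | Where-Object Name -like 'External - *' |
    Select-Object Name, State, Mode, Priority
```

Third-party services that legitimately send as the organization's domain, as in the original question, will also match these rules unless they arrive through a path Exchange treats as internal, so audit results should be reviewed before enforcing.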