Educause Security Discussion mailing list archives

Re: How do you block spoofed communications from HR, Payroll, the President...?


From: Michael Young <Michael.Young () RIT EDU>
Date: Wed, 24 Oct 2018 15:41:33 +0000

We use a compliance policy that matches selected names or email addresses in the From field of messages unless they 
originate from expected sources, including personal accounts for those individuals.  It's increased our catch rate for 
these spoofing phishes.

Michael Young
Sr. Infrastructure Engineer
Information Technology Services
Finance & Administration
Rochester Institute of Technology
o: (585) 475-6031 | Michael.Young () rit edu


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of St-Jean, Daniel
Sent: Wednesday, October 24, 2018 10:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

Hi -,

One thing we are looking at is prepending all external emails' subject with "[External]: ". While this would not block 
the email, it would become a red flag if an email is spoofing the identity of an internal account.

My understanding is that you can set up a rule on a specific Inbound Connector in Exchange and add a rule to check 
whether the Sender is authenticated or not.

Regards,


Daniel St-Jean
Senior Systems Analyst, IT/S

Banff Centre for Arts and Creativity
107 Tunnel Mountain Drive
Box 1020, Banff, Alberta
Canada T1L 1H5
Tel: 403.762.6263
banffcentre.ca




From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John R. LaPrad
Sent: Wednesday, October 24, 2018 6:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

Hello Colleagues, I am wondering what other universities are doing to block emails to users that have spoofed official 
people or offices on campus. Emails claiming to be from HR or Payroll, or the President.  Do you have a way to 
'guarantee' official communications so that end users can easily distinguish between the real and the fake?
We have an Office 365 email environment and also have many third party organizations that send mail, for our, as our, 
domain.
Any and all thoughts are welcome.

Thank you for your time
John LaPrad - CISSP, CIHE, GIAC/GMON
Information Systems Security Manager
Saginaw Valley State University
7400 Bay Rd. University Center, MI
Phone: 989-964-7134
jrl () svsu edu
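
Added example, not part of the thread and not code from any of the posters: a Python sketch of the two ideas in the replies above, the From-field match on protected names unless the mail comes from an expected source (Michael Young's reply) and the "[External]: " subject tag (Daniel St-Jean's reply). The watch list, the example.edu addresses, and the reliance on a gateway-stamped Authentication-Results header are all assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# Assumed watch list (hypothetical names and addresses): protected display
# name -> addresses that person or office is expected to send from.
PROTECTED = {
    "jane president": {"president@example.edu", "jane.president@mail.example"},
    "payroll": {"payroll@example.edu"},
}
INTERNAL_DOMAIN = "example.edu"
TAG = "[External]: "

def normalize(name):
    """Lower-case and collapse punctuation/whitespace so 'Jane.  President' still matches."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", name.lower()).split())

def evaluate(raw):
    """Return (action, subject) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    senders = msg["From"].addresses if msg["From"] else ()
    if len(senders) != 1:
        return "quarantine", subject           # missing or multi-author From
    addr = senders[0].addr_spec.lower()
    name = normalize(senders[0].display_name)  # RFC 2047 encoded words arrive decoded
    # Assumption: only our own gateway stamps this header; inbound copies are stripped.
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    authed = re.search(r"\bdmarc=pass\b", results, re.I) is not None
    for protected, expected in PROTECTED.items():
        claims = protected in name or addr in expected
        if claims and not (addr in expected and authed):
            return "quarantine", subject       # protected identity, unexpected source
    internal = authed and addr.endswith("@" + INTERNAL_DOMAIN)
    if not internal and not subject.startswith(TAG):
        subject = TAG + subject                # tag everything not proven internal
    return "deliver", subject

def sample(from_value, dmarc, subject="Updated direct deposit form"):
    """Build a constructed test message (not real mail)."""
    return (f"From: {from_value}\nTo: staff@example.edu\nSubject: {subject}\n"
            f"Authentication-Results: mx.example.edu; dmarc={dmarc}\n\nPlease review.\n")

if __name__ == "__main__":
    for frm, dmarc in [("Jane President <jp.office@mail.example>", "pass"),
                       ("Jane President <president@example.edu>", "fail"),
                       ("Jane President <jane.president@mail.example>", "pass")]:
        print(frm, dmarc, "->", evaluate(sample(frm, dmarc)))
```

Because the name match is a substring test, a legitimate third-party sender whose display name contains a protected word is quarantined until its address is added to the expected set.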

