Educause Security Discussion mailing list archives
Re: [External]Re: [SECURITY] [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?
From: "McHugh, Susan" <S_McHugh () MWCC MASS EDU>
Date: Wed, 24 Oct 2018 15:50:49 +0000
Hi, I set this up with this article – https://www.tachytelic.net/2014/03/office-365-using-message-header-transport-rule-determine-email-alias-email-sent/ Here is a copy of MWCC’s rule [cid:image002.jpg@01D46B8F.CD4BA890] ____________________ Susan McHugh Chief Information Officer Mount Wachusett Community College s_mchugh () mwcc mass edu<mailto:s_mchugh () mwcc mass edu> 978-630-9174 From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Sosnin, Josh Sent: Wednesday, October 24, 2018 11:44 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [External]Re: [SECURITY] [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...? As you can see below, we use a banner and “[EXT]” in the subject. This works well as an anchor for education (I have the numbers to prove it). In addition, you may want to explore additional text if the email is coming from an external source and includes those keywords (HR, payroll, direct deposit, bank account) or names of executives. If anyone needs details on how we do this with O365, feel free to reach out. Thanks, Josh -- Josh Sosnin | VP and CISO | ellucian | 215.779.1323 (m) | www.ellucian.com<http://www.ellucian.com/> CONFIDENTIALITY: This email (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this email in error, please notify the sender and delete this email from your system. Thank you. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of "St-Jean, Daniel" <Daniel_St-Jean () BANFFCENTRE CA<mailto:Daniel_St-Jean () BANFFCENTRE CA>> Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Date: Wednesday, October 24, 2018 at 10:54 AM To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Subject: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...? **External Email** Hi -, One thing we are looking at is prepending all external emails’ subject with “[External]: “. While this would not block the email, it would become a red flag if an email is spoofing the identify of an internal account. My understanding is that you can setup a rule on a specific Inbound Connector in Exchange and add a rule to check whether the Sender is authenticated or not. Regards, [cid:image001.jpg@01D46B75.A0131DA0] Daniel St-Jean Senior Systems Analyst, IT/S Banff Centre for Arts and Creativity 107 Tunnel Mountain Drive Box 1020, Banff, Alberta Canada T1L 1H5 Tel: 403.762.6263 banffcentre.ca<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.banffcentre.ca%2F&data=02%7C01%7Cjosh.sosnin%40ELLUCIAN.COM%7Cde8b2a95eaa34054c0fc08d639c09d38%7Cba4f1b25f4f74403892553e24140459f%7C0%7C0%7C636759896782030648&sdata=1PGLx%2FaabuzOMtrDzCdzrqSrW79%2Ff%2FXzbFc3IX%2Fsm9U%3D&reserved=0> Facebook<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2FBanffCentre&data=02%7C01%7Cjosh.sosnin%40ELLUCIAN.COM%7Cde8b2a95eaa34054c0fc08d639c09d38%7Cba4f1b25f4f74403892553e24140459f%7C0%7C0%7C636759896782030648&sdata=cGb45ldzh6AwXKWGp58ccs%2Fn5owvWHDvORTt%2FOMQBoA%3D&reserved=0> | Twitter<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FBanffCentre&data=02%7C01%7Cjosh.sosnin%40ELLUCIAN.COM%7Cde8b2a95eaa34054c0fc08d639c09d38%7Cba4f1b25f4f74403892553e24140459f%7C0%7C0%7C636759896782030648&sdata=MSqACtcqQ6pa%2FLKdI3y0wixOXt9MCPh32C9nGPfvn0Y%3D&reserved=0> | Instagram<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.instagram.com%2Fthebanffcentre%2F&data=02%7C01%7Cjosh.sosnin%40ELLUCIAN.COM%7Cde8b2a95eaa34054c0fc08d639c09d38%7Cba4f1b25f4f74403892553e24140459f%7C0%7C0%7C636759896782030648&sdata=bqsExg0N29cabFQNwh%2B3BrRy09shYf%2Flp%2Bjc%2BiAtpWg%3D&reserved=0> | LinkedIn<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fbanff-centre&data=02%7C01%7Cjosh.sosnin%40ELLUCIAN.COM%7Cde8b2a95eaa34054c0fc08d639c09d38%7Cba4f1b25f4f74403892553e24140459f%7C0%7C0%7C636759896782030648&sdata=3Nn2bYovcefIjb2Jn6qJx7k3XRZ48CH8mBBr5EwmZXw%3D&reserved=0> Banff Centre for Arts and Creativity is located on the lands of Treaty 7 territory. We acknowledge the past, present, and future generations of Stoney Nakoda, Blackfoot, and Tsuut’ina Nations who help us steward this land, as well as honour and celebrate this place. This message has been sent by an employee of Banff Centre. If you have received this communication in error or do not wish to receive electronic communications from this individual in the future please respond by simply typing ‘unsubscribe’ in the subject line and returning to the sender. Subsequently you will not be contacted without reason. From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John R. LaPrad Sent: Wednesday, October 24, 2018 6:54 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...? Hello Colleagues, I am wondering what other universities are doing to block emails to users that have spoofed official people or offices on campus. Emails claiming to be from HR or Payroll, or the President. Do you have a way to 'guarantee' official communications so that end users can easily distinguish between the real and the fake? We have an Office 365 email environment and also have many third party organizations that send mail, for our, as our, domain. Any all thoughts are welcome Thank you for your time John LaPrad - CISSP, CIHE, GIAC/GMON Information Systems Security Manager Saginaw Valley State University 7400 Bay Rd. University Center, MI Phone: 989-964-7134 jrl () svsu edu<mailto:jrl () svsu edu>
Current thread:
- How do you block spoofed communications from HR, Payroll, the President...? John R. LaPrad (Oct 24)
- Re: How do you block spoofed communications from HR, Payroll, the President...? Davis, Chris (Oct 24)
- Re: How do you block spoofed communications from HR, Payroll, the President...? Laura Raderman (Oct 24)
- Re: How do you block spoofed communications from HR, Payroll, the President...? St-Jean, Daniel (Oct 24)
- Re: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...? Sosnin, Josh (Oct 24)
- Re: [External]Re: [SECURITY] [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...? McHugh, Susan (Oct 24)
- Re: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...? Charles Curtis (Oct 24)
- Re: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...? Sosnin, Josh (Oct 24)
- Re: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...? Jason Todd (Oct 24)
- Re: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...? Zsigalov, Deb (Nov 28)
- Re: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...? Sosnin, Josh (Oct 24)
- Re: How do you block spoofed communications from HR, Payroll, the President...? Michael Young (Oct 24)
- <Possible follow-ups>
- Re: How do you block spoofed communications from HR, Payroll, the President...? Graves, Rich (Oct 24)
- Re: How do you block spoofed communications from HR, Payroll, the President...? Kevin Wilcox (Oct 24)