Educause Security Discussion mailing list archives

Re: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?


From: Jason Todd <jtodd () WESTERNU EDU>
Date: Wed, 24 Oct 2018 16:22:18 +0000

We are actively working on this too. What we are currently doing is adding a banner to certain protected accounts. For 
example, if the “from” header contains our president’s name then we put in a banner. We are bouncing around the idea of 
adding the banner to all external emails. I have a concern that it will cause some confusion with our community, 
especially with email from cloud services that are official but don’t originate from our mail system.

-Jason

Jason Todd
Network Security Officer
Western University of Health Sciences

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Sosnin, Josh
Sent: Wednesday, October 24, 2018 9:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the 
President...?

Charles,

That was a concern here as well.  If you scroll below, you should see the message body notice one single time.  Same 
with the subject line.  It’s a tradeoff that could be taken advantage of, but everything is a balancing act.

--
Josh Sosnin | VP and CISO | ellucian | 215.779.1323 (m) | www.ellucian.com
CONFIDENTIALITY: This email (including any attachments) may contain confidential, proprietary and privileged 
information, and unauthorized disclosure or use is prohibited. If you received this email in error, please notify the 
sender and delete this email from your system. Thank you.


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Charles Curtis <ccurtis () AUSTINCOLLEGE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, October 24, 2018 at 11:57 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

We tried the EXT approach several years back using Outlook, but it was withdrawn when Recruiting and Fund-Raising email 
conversations ended up with 7 EXT’s (or more) in the subject line as messages got replied to and we got negative 
feedback.   Have you found a way to avoid the multiple instances of EXT in your messages involved in a continuing 
thread?

Our campaign of periodic reminders and examples of spoofed communications has helped to keep down the incidents of 
people responding to them, and we have also targeted specific departments with retraining on procedures involving those 
officials who are most likely to be spoofed.

Charles

Charles Curtis
Executive Director of Information Technology
Austin College
900 North Grand Avenue
Sherman, TX 75090-4400
Phone: 903.813.2088
www.austincollege.edu


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Sosnin, Josh
Sent: Wednesday, October 24, 2018 10:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

As you can see below, we use a banner and “[EXT]” in the subject.  This works well as an anchor for education (I have 
the numbers to prove it).  In addition, you may want to explore additional text if the email is coming from an external 
source and includes those keywords (HR, payroll, direct deposit, bank account) or names of executives.  If anyone needs 
details on how we do this with O365, feel free to reach out.

Thanks,

Josh

--
Josh Sosnin | VP and CISO | ellucian | 215.779.1323 (m) | www.ellucian.com


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "St-Jean, Daniel" <Daniel_St-Jean () BANFFCENTRE CA>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, October 24, 2018 at 10:54 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXT]: Re: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

**External Email**
Hi -,

One thing we are looking at is prepending all external emails’ subject with “[External]: “. While this would not block 
the email, it would become a red flag if an email is spoofing the identity of an internal account.

My understanding is that you can set up a rule on a specific Inbound Connector in Exchange and add a rule to check 
whether the Sender is authenticated or not.

Regards,

Daniel St-Jean
Senior Systems Analyst, IT/S

Banff Centre for Arts and Creativity
107 Tunnel Mountain Drive
Box 1020, Banff, Alberta
Canada T1L 1H5
Tel: 403.762.6263
banffcentre.ca
Facebook | Twitter | Instagram | LinkedIn

Banff Centre for Arts and Creativity is located on the lands of Treaty 7 territory. We acknowledge the past, present, 
and future generations of Stoney Nakoda, Blackfoot, and Tsuut’ina Nations who help us steward this land, as well as 
honour and celebrate this place.

This message has been sent by an employee of Banff Centre. If you have received this communication in error or do not 
wish to receive electronic communications from this individual in the future please respond by simply typing 
‘unsubscribe’ in the subject line and returning to the sender. Subsequently you will not be contacted without reason.




From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John R. LaPrad
Sent: Wednesday, October 24, 2018 6:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] How do you block spoofed communications from HR, Payroll, the President...?

Hello Colleagues, I am wondering what other universities are doing to block emails to users that have spoofed official 
people or offices on campus. Emails claiming to be from HR or Payroll, or the President.  Do you have a way to 
'guarantee' official communications so that end users can easily distinguish between the real and the fake?
We have an Office 365 email environment and also have many third-party organizations that send mail, for our, as our, 
domain.
Any and all thoughts are welcome.

Thank you for your time
John LaPrad - CISSP, CIHE, GIAC/GMON
Information Systems Security Manager
Saginaw Valley State University
7400 Bay Rd. University Center, MI
Phone: 989-964-7134
jrl () svsu edu
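
Added example, not any poster's configuration and not Office 365 rule syntax: a sketch of the tagging logic discussed in this thread, showing how to keep a single “[EXT]” tag in a reply chain, insert the body banner only once, and add a warning when an external sender's display name contains a protected name. The domain `example.edu`, the name "Pat President", the warning text, the single-part plain-text assumption and the sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.edu"}    # assumption: the institution's domain
PROTECTED_NAMES = {"pat president"}   # assumption: display names to protect
TAG = "[EXT]: "
BANNER = "**External Email**"
WARNING = "Sender name matches a protected account, but this mail is external."
_TAG_RE = re.compile(r"\[EXT\]:?\s*", re.IGNORECASE)

def is_external(msg):
    # Internal only if From is our domain AND our gateway recorded dmarc=pass.
    # Assumes the gateway strips Authentication-Results headers it did not add.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    return not (domain in INTERNAL_DOMAINS and "dmarc=pass" in auth)

def tag_subject(subject):
    # Drop every tag already present, then prepend exactly one.
    return TAG + _TAG_RE.sub("", subject).strip()

def claims_protected_name(msg):
    name = parseaddr(msg.get("From", ""))[0].lower()
    return any(p in name for p in PROTECTED_NAMES)

def mark(raw):
    msg = message_from_string(raw)
    if not is_external(msg):
        return msg
    subject = tag_subject(msg.get("Subject", ""))
    del msg["Subject"]
    msg["Subject"] = subject
    body = msg.get_payload()          # single-part text mail only
    notices = [] if BANNER in body else [BANNER]
    if claims_protected_name(msg) and WARNING not in body:
        notices.append(WARNING)
    if notices:
        msg.set_payload("\n".join(notices) + "\n\n" + body)
    return msg

def _mail(sender, subject, auth, body):   # builds constructed sample mail
    return (f"From: {sender}\nSubject: {subject}\n"
            f"Authentication-Results: mx.example.edu; {auth}\n\n{body}\n")

REPLY = _mail('"Recruit" <r@partner.example>', "RE: [EXT]: RE: [EXT]: Visit",
              "dmarc=pass", "Thanks!\n\n> " + BANNER + "\n> See you then.")
SPOOF = _mail('"Pat President" <pp@freemail.example>', "Quick favor",
              "dmarc=pass", "Are you at your desk?")
VENDOR = _mail('"Payroll" <payroll@example.edu>', "Pay stub", "dmarc=pass", "Hi")
FORGED = _mail('"Payroll" <payroll@example.edu>', "Pay stub", "dmarc=fail", "Hi")
```

Mail from a third party that sends as the institution's domain and passes DMARC (`VENDOR`) is left untagged, while the same From address failing DMARC (`FORGED`) is tagged as external.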

