Re: [External] Re: [SECURITY] Transport rule to put a header on external email

["Gregg, Christopher S." <csgregg () STTHOMAS EDU>]

Our path is almost exactly the same.  We've settled on just [External] in the subject line after trying a few other 
variations.  We've enabled the rule for approximately 600 pilot users so far, and plan to enable the rule campus-wide 
soon.  We've had very positive feedback since settling on just the subject line insertion.

We're also whitelisting some highly trusted domains.  Unfortunately one of them is no-reply[at]sharepointonline[dot]com 
which we have since seen as a phishing attack vector from compromised accounts in other tenants.  We're working with 
Microsoft to find a way to identify (and possibly filter) SharePoint notifications as internal vs. external to our 
tenant but haven't had much luck so far.

FWIW, we are also piloting data loss prevention rules with the same pilot group to prevent unencrypted transmission of 
highly sensitivity data.  That is also going fairly well though it hits on some false positives.

Thanks,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu>



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Erik D Evans
Sent: Thursday, May 9, 2019 12:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] Transport rule to put a header on external email

We piloted prepending [EXTERNAL] to the subject, as well as variations of warnings either prepended or appended to the 
body of messages.  Ultimately, we ended up only doing the subject prepend due to feedback we received during the pilot. 
 In the beginning of April we implemented this for all users.  Yes, we are whitelisting all 3rd parties that send on 
our behalf.  After quite a bit of concern from faculty prior to implementation we have received very few complaints 
post implementation.  Still monitoring how this is impacting compromises but we have definitely noticed an increase in 
awareness since implementing this.



_______________________
Erik Evans
Manager of Information Security
Information Technology Services
Bowling Green State University
evanse () bgsu edu<mailto:evanse () bgsu edu>
http://www.bgsu.edu/infosec<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bgsu.edu%2Finfosec&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7C10d734e3d3664a7fc65908d6d4a4c548%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636930201553062602&sdata=c%2Fh5WtfSRc2qnv45xOBZPO0OcdPaJSjOrrd9gm1jQ04%3D&reserved=0>

This e-mail, including any attachments, may contain information that is protected by law as privileged and 
confidential, and is transmitted for the sole use of the intended recipient.  If you are not the intended recipient, 
you are hereby notified that any use, dissemination, copying or retention of this e-mail or the information contained 
herein is strictly prohibited.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Mandi Witkovsky
Sent: Tuesday, May 7, 2019 9:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] [SECURITY] Transport rule to put a header on external email

For those who have a rule set up to add a header to incoming external email, have you seen a decrease in security 
events, or a corresponding increase in awareness?  Did you whitelist any 3rd parties that send on your behalf so that 
the header doesn't appear?  Have you seen any pushback from people?  Thoughts on adding a header vs prepending 
"EXTERNAL" or some such in the subject line?

We're looking into adding this, and I wondered what experience you all have had.

Thanks,
mandi