Educause Security Discussion mailing list archives

Re: [External] [SECURITY] Flagging external emails and exceptions


From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Thu, 1 Oct 2020 01:24:46 +0000

Hi Beth,

We mark external messages from senders not in our SPF record with [External] in the subject line for employees.  We 
don't apply the tags for students since the main issue we were trying to solve was spoofed sender attacks, which 
primarily targeted employees.

The only exception we are making is for Office365 notifications because at the time we were trying to push adoption.  
Even that has burned us a couple of times when scammers compromised other O365 tenants since Microsoft uses the same 
address for all notifications.

For the most part our strategy hasn't caused too many issues or complaints.  Two services that sometimes cause 
questions or concerns are e-mails from Qualtrics and from Instructure (Canvas).  We contemplated a different tag for 
trusted external service providers but that got complicated pretty quickly and we decided against it.

We do have a lot of anecdotal feedback that the [External] tag is helping people spot suspicious messages, and it seems 
to be a good compromise between doing nothing and some of the more invasive header warning options.

Thanks,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | https://www.stthomas.edu/




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Beth Albertson
Sent: Wednesday, September 30, 2020 7:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Flagging external emails and exceptions

Colleagues,

We are thinking of flagging emails coming in external from our O365 tenant with either a red header at the top of each 
email or adding something like <EXTERNAL> to the subject line.  I wanted to ask other schools that are doing this 
whether they are adding exceptions for external organizations that are trusted.  For example, we use Jira, and I 
thought we could add this to an exception list.  Some have argued that maintaining such a list could be cumbersome and 
could potentially confuse users because some external emails would be flagged and others would not.  Does anyone have 
experience or thoughts on this matter?

Sincerely,

Beth Albertson, CISSP®, PMP®
Director of Information Security
Western Washington University
beth.albertson () wwu edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
