Educause Security Discussion mailing list archives

Re: URL re-writing in emails


From: Beth Albertson <albertb3 () WWU EDU>
Date: Thu, 21 Jan 2021 01:04:56 +0000

We are using the Microsoft Safe Links and have not had many problems.  We disabled it for a few users with disabilities 
that use screen readers.  We do get some very well crafted phishing/impersonation emails where the sender impersonates 
someone typically in a more senior position (director, dean, etc.) and asks the recipient to download a document from 
Google Drive or Dropbox that contains a malicious payload.  Safe Links catches many but not all of these.

Sincerely,

Beth Albertson, CISSP®, PMP®
Director of Information Security
Western Washington University
beth.albertson () wwu edu
(360) 650-4472

Did you know you can opt-in to Multi-Factor Authentication (MFA) now?  Visit the ATUS 
website<https://atus.wwu.edu/kb/multi-factor-authentication-mfa-wwu-universal-accounts> and sign 
up<https://forms.office.com/Pages/ResponsePage.aspx?id=DBRG3G_i70OwrgDyV_R4_xVgs5jddepDnFeGAhuZ6HxUOUpMT1ZSTjBTUzVJQ0FEOUE5NE5HSjcxMy4u>
 now!

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Bole, Jim A
Sent: Wednesday, January 20, 2021 11:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] URL re-writing in emails

CAUTION: External message.
I've started shifting the education/training focus away from looking at the links themselves. Even legitimate links for 
Google Drive, OneDrive, etc. are difficult to determine if they are legit or not.

I've tried focusing mostly on context, which requires more common sense than technical expertise. Are you expecting an 
email from Wells Fargo? Do you have an account with Amazon? On the "technical" side, I ask people to look at the 
sender, especially how to differentiate between the display name and the actual smtp address.

Jim Bole
Chief Information Security Officer
University at Albany
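The display-name versus SMTP-address check described above, together with the senior-staff impersonation pattern from the first message, as an added example that is not from any of the posters. The protected names, the internal domain and the sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumptions for illustration: the institution's own mail domains and a
# short list of senior staff whose names are commonly impersonated.
INTERNAL_DOMAINS = {"example.edu"}
PROTECTED_NAMES = {"dana dean", "pat provost"}

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def sender_findings(from_header: str) -> list[str]:
    """Compare what the mail client shows (display name) with the real address."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    findings = []

    # Case 1: the display name itself looks like an address, but it is not
    # the address the message was actually sent from.
    shown = ADDRESS_RE.search(display)
    if shown and shown.group(0).lower() != address.lower():
        findings.append("display-name-address-mismatch")

    # Case 2: the display name carries a protected person's name while the
    # real address is outside the institution's domains.
    normalized = " ".join(re.sub(r"[^a-z ]", " ", display.lower()).split())
    if domain not in INTERNAL_DOMAINS and any(n in normalized for n in PROTECTED_NAMES):
        findings.append("protected-name-external-domain")
    return findings

# Constructed From headers.
LEGIT = "Dana Dean <dana.dean@example.edu>"
IMPERSONATION = '"Dana Dean" <dana.dean.office@freemail.example>'
ADDRESS_IN_NAME = '"it-help@example.edu" <notice@mailer.example.net>'

if __name__ == "__main__":
    for header in (LEGIT, IMPERSONATION, ADDRESS_IN_NAME):
        print(header, "->", sender_findings(header) or "no findings")
```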



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Walter Roshon <walt.e.roshon () WILMU EDU>
Date: Wednesday, January 20, 2021 at 2:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] URL re-writing in emails
We've found URL Rewrite causes problems of its own. As you mentioned, it breaks one of the best ways of checking on 
the validity of a URL in an email. "We had been teaching folks to hover over URLs to determine the destination before 
clicking links. With re-writing, all links are changed for external sites so that advice is no longer reliable." and it 
makes us totally reliant on Proofpoint catching the bad URL, which I've observed to be unreliable. Sounds good in the 
Demo, but not so good in practice. I'd rather go without it so users can check and let Bitdefender catch the Phishing 
URLs on the client workstation. It excels at stopping users from following malicious URLs, but that's not my call.

Walt R
Wilmington University

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Calbertb3%40WWU.EDU%7C39aceafd551d4741a8ed08d8bd797b7f%7Cdc46140ce26f43efb0ae00f257f478ff%7C0%7C0%7C637467676750245915%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=NhGrkjWQVfq2MH4egAVSyUkARI3nqrSFEl1hvzo16Pc%3D&reserved=0>
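Hovering over a rewritten link shows only the gateway's wrapper, like the Safe Links URL in the list footer above, but the original destination is still carried inside it. The following is an added example, not code from the thread or from either vendor, that recovers the destination from a Safe Links wrapper and from Proofpoint's v2 URL Defense encoding (other Proofpoint versions are not handled); the sample URLs are constructed and their token values are placeholders.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

def unwrap_once(url: str) -> str:
    """Strip one layer of gateway rewriting; return url unchanged if not wrapped."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)  # values come back percent-decoded
    # Microsoft Safe Links: destination is the percent-encoded "url" parameter.
    if host.endswith(".safelinks.protection.outlook.com") and "url" in query:
        return query["url"][0]
    # Proofpoint URL Defense v2: destination is in "u", with "-XX" standing
    # for "%XX" and "_" standing for "/".
    if host == "urldefense.proofpoint.com" and parts.path == "/v2/url" and "u" in query:
        return unquote(query["u"][0].replace("_", "/").replace("-", "%"))
    return url

def unwrap(url: str, max_depth: int = 5) -> str:
    """Peel nested wrappers (a link rewritten by two gateways in turn)."""
    for _ in range(max_depth):
        inner = unwrap_once(url)
        if inner == url:
            break
        url = inner
    return url

def destination_host(url: str) -> str:
    """Host the user would actually reach, for display in a triage tool."""
    return (urlsplit(unwrap(url)).hostname or "").lower()

# Constructed samples (the data/d values are placeholders, not real tokens).
SAFELINKS = ("https://nam03.safelinks.protection.outlook.com/"
             "?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=PLACEHOLDER&reserved=0")
PROOFPOINT = ("https://urldefense.proofpoint.com/v2/url"
              "?u=https-3A__www.example.edu_login-2Dhelp&d=PLACEHOLDER")
NESTED = ("https://nam03.safelinks.protection.outlook.com/?url="
          + quote(PROOFPOINT, safe="") + "&reserved=0")

if __name__ == "__main__":
    for sample in (SAFELINKS, PROOFPOINT, NESTED):
        print(destination_host(sample), "<-", unwrap(sample))
```

Unwrapping only reveals where the link points; it says nothing about whether that destination is safe.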
