Educause Security Discussion mailing list archives

Re: URL re-writing in emails


From: Brian Epstein <bepstein () IAS EDU>
Date: Thu, 21 Jan 2021 13:55:22 -0500

Hi Ravi,

We investigated URL re-writing tools a number of years ago.  We also teach our folks to hover over links and try to 
determine if they are malicious or not.  Another worry was for signed emails.  Changing the URLs will break the 
signature.  I would check with your vendor to see if they have a setting that allows you to address this concern.  
Maybe they can not re-write emails that are signed (although, signing an email isn't that hard, so does it help)?

As opposed to re-writing anything in the email, we chose to go the route of a DNS checking system.  Cisco Umbrella 
(formerly OpenDNS) gives us this ability without having to re-write the URLs.  This is definitely not a full 
protection, either, and also has its own issues.  For example, anyone who checks their email off campus needs to be 
connected to our VPN to get this protection.  Umbrella offers an agent for client devices that aren't on our network, 
but we try to avoid requiring agents.  We could also limit email connectivity from our campus IPs, but that would 
probably create an unwanted burden on our clients.

We found that DNS checking was better received by our clients than URL re-writing.  I would say that this is highly 
dependent upon the culture of your school and expectations of your faculty and staff.

All the best,
Brian

-- 
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Manager, Network and Security, CISO     Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78

----- Original Message -----
From: "Ravi Kotecha" <kotechar () BRANDEIS EDU>
To: "The EDUCAUSE Security Community Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, January 19, 2021 6:13:05 PM
Subject: [SECURITY] URL re-writing in emails

Greetings,

I'm curious about your experiences using tools that rewrite URLs in emails.
We have Proofpoint's suite and one of the features rewrites URLs in emails
with an https://urldefense.com/ prefix and clicking the link will pass
through Proofpoint's servers.

One piece of feedback we received in a pilot was that we had been teaching
folks to hover over URLs to determine the destination before clicking
links. With re-writing, all links are changed for external sites so that
advice is no longer reliable.

I'm interested in experiences others have had using this feature. For
example:
- Have you received negative feedback? If so, how have you addressed it?
- How have you augmented awareness training?
- Are there any success stories you wish to share?

Thanks in advance,
Ravi Kotecha
kotechar () brandeis edu
--
Ravi Kotecha '10, M.S. '14, M.S. '20
Privacy & Information Security Analyst
Information Technology Services
Submit a security request: security () brandeis edu
Report phishing: phishing () brandeis edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

