Thank you all for the great communication and constructive feedback we have been receiving since turning on Proofpoint. The messages you have been passing along have helped us quickly identify issues and resolve them.
Through the implementation, we learned new information about how Proofpoint functions. What follows are the lessons to date:
Routing email through Proofpoint changes the email header key values. As a result, Clutter is not able to recognize emails it has previously been “taught” to move. Please encourage your users to drag the email messages they would like to go to Clutter into Clutter so the system “learns” their preferences.
URL Threat Defense
URL Threat Defense does not work as we originally believed. Instead of rewriting URLs that match specific patterns, Proofpoint rewrites all incoming URLs. When a user clicks the URL, Proofpoint routes them to the original destination. If a URL is identified as a threat, then any additional clicks are routed to the blocked site message instead.
If the URL is written out completely (HTTPS://…), Proofpoint rewrites that full URL within the message. If a user uses a shortened link, Proofpoint will only rewrite the shortcut, and users have to hover over the link to see the rewritten URL.
“Hurray! You got a File” Phishing Attack
I wanted to share the timeline of this attack and response so all of you can see the great work that is going on behind the scenes. Recently, ISO staff responded to alerts from Proofpoint regarding the “Hurray! You got a File” phishing attack.
At the time the message was delivered, Proofpoint had not seen that attack because it was highly targeted at UNO faculty and staff. Proofpoint’s URL Threat Defense rewrote the link so it could observe any suspicious behavior by the site. After four users clicked on the link, Proofpoint observed that the site was malicious. After determining that the link was malicious, Proofpoint blocked the link in the inboxes of 970 users who received the message and protected 6 more users who clicked the link but were redirected to the block page. About 15 minutes later, a second wave of the message came through. 1078 users never received the message because it was flagged by Proofpoint and blocked from being delivered to their inboxes.
Previously, a sophisticated attack like this could have caused hundreds of account compromises and resulted in days or weeks’ worth of work getting accounts secured and back to our users. In this case, we were quickly able to respond to the four specific people who clicked on the link before it was blocked and help clear their accounts.
Proofpoint Secure Email Gateway to Enhance UNO Email System
On March 10, UNO added a layer of security to the campus email system. UNO began using Proofpoint to provide extra protection of students, faculty, and staff. Proofpoint adds a layer of security to our email through industry-leading threat analytics, URL & attachment defense, and the ability to sandbox incoming threats to provide real-time protection to UNO's community of users.
UNO uses Proofpoint to provide a secure email gateway to UNO users. After March 10, you may notice malicious links and attachments will be blocked (resulting in a redirect to a notification). During the introductory weeks, the Information Security Office will be actively working to limit the number of false positives. If you have a link or attachment that gets blocked by mistake, please contact the Information Security Office at firstname.lastname@example.org.
If you have any questions or problems, please contact email@example.com or Matt Morton, Chief Information Security Officer, at firstname.lastname@example.org.