The Network Services Team has enabled an enhanced security feature on the University's Cisco IronPort email security appliances. This feature, known as Outbreak Filter Message Modification, provides greater security to the University email systems. It rewrites hyperlinks in suspicious email messages so that the destination is checked at the time of the click, before the user's browser reaches a potentially malicious site.
Why has the University enabled Outbreak Filter Message Modification?
A common tactic of malware operators is to send email to an unsuspecting user containing a hyperlink that redirects to a compromised web site. Although the email message itself contains no virus, the hyperlink leads to a web site that either infects the computer with malware or tricks the user into entering their Samuel Merritt University username and password. Such messages often purport to be from the helpdesk and ask the user to 'validate' their mailbox in order to prevent the email account from being removed or rendered unable to send and receive mail. These compromised websites harvest the credentials of legitimate users on the network for the purpose of relaying phishing emails through the University email system. Phishing operators abuse the good reputation of legitimate email servers and addresses so that other organizations will accept the spam messages as coming from a non-blacklisted source. In some cases the end result has been damage to the University's reputation as a legitimate sender of email, and in some cases the University has been blacklisted.
How Does Outbreak Filter Message Modification protect the users of the email system?
This security feature complements the Anti-Virus, Spam Filtering, and Reputation Filtering already in place by further examining hyperlinks contained in email messages. Many hyperlinks present no potential threat at all and are simply passed on unchanged; an example is a link to a research article on a legitimate website.
Other email messages may arouse the suspicion of the outbreak filter due to the nature of the message or the links it contains. Typically these are messages whose links invoke a script or action on the destination website, which may or may not be dangerous.
Many such links are not harmful directly, but may harvest information for marketing purposes regarding the web browsing habits of users, or invite the user to take an action such as logging in to a website, or provide personal information.
These are not necessarily malicious sites, but there is potential for abuse due to the nature of the activity invoked by the link. Messages such as these are flagged by the filter, and the subject line is prepended with the tag [SUSPICIOUS MESSAGE].
Hyperlinks contained in these messages are rewritten by the email security appliance. When clicked, they redirect to a Cisco-operated security site that scans the original destination for malicious activity before the user reaches it.
If the destination is rated as malicious, the redirection is denied and the user is not taken to the site.
In cases where further evaluation may be warranted, a user will see something similar to the example below:
Example: a hyperlink from a legitimate sender (in this case Microsoft) requests that the user log on to a web page.
Example continued: the link is evaluated and redirection is granted; however, the user must choose either to visit the site or to exit.
In this case, this is a legitimate link that simply redirects to a login portal known to the user. The link was flagged due to the nature of the activity, inviting a user to enter credentials. Clicking the green button allows redirection.
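The following is an added illustration, not Cisco's code or the appliance's actual rewrite format. It models the flow described above on a constructed message: a link inviting the user to log in is flagged, the subject gets the [SUSPICIOUS MESSAGE] tag, each hyperlink is wrapped so that a click first passes through a hypothetical scanner URL (link-check.example.edu, an assumption), and the click-time verdict is one of deny, prompt, or allow. The original_url helper shows how an analyst can recover the true destination from a rewritten link, which is useful when triaging a reported phish.

```python
"""Toy model of outbreak-filter message modification (added example, not
Cisco's code).  Handles single-part plain-text messages only."""

import re
from email import message_from_string
from urllib.parse import quote, urlparse, parse_qs

# Hypothetical click-time scanner endpoint (assumption: the real Cisco
# rewrite hostname and URL format are not reproduced here).
SCANNER_BASE = "https://link-check.example.edu/scan?u="

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed stand-in for the filter's heuristics: links whose path or
# query invite a login or "validation" action are flagged for inspection.
SUSPICIOUS_HINTS = ("login", "validate", "verify", "account", "signin")

# Constructed reputation list standing in for the scanner's verdict data.
KNOWN_MALICIOUS = {"evil-mailbox-validate.example.net"}


def is_suspicious(url):
    """True if the link looks like it invokes a login/validation action."""
    p = urlparse(url)
    haystack = (p.path + "?" + p.query).lower()
    return any(h in haystack for h in SUSPICIOUS_HINTS)


def rewrite_url(url):
    """Wrap the original destination so a click lands on the scanner first."""
    return SCANNER_BASE + quote(url, safe="")


def original_url(rewritten):
    """Analyst helper: recover the true destination from a rewritten link.
    parse_qs already percent-decodes the value, so no second decode."""
    return parse_qs(urlparse(rewritten).query)["u"][0]


def apply_outbreak_filter(raw_message):
    """Return (message_text, flagged).  Unflagged messages pass unchanged;
    flagged ones get a tagged subject and rewritten links."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    links = set(URL_RE.findall(body))
    flagged = any(is_suspicious(u) for u in links)
    if not flagged:
        return raw_message, False
    for u in links:
        body = body.replace(u, rewrite_url(u))
    msg.set_payload(body)
    msg.replace_header("Subject", "[SUSPICIOUS MESSAGE] " + msg["Subject"])
    return msg.as_string(), True


def click_verdict(rewritten):
    """Simulate the scanner at click time: 'deny' for a known-bad host,
    'prompt' (user must choose to continue) for login-style pages,
    otherwise 'allow'.  Returns (verdict, original destination)."""
    dest = original_url(rewritten)
    host = urlparse(dest).hostname
    if host in KNOWN_MALICIOUS:
        return "deny", dest
    if is_suspicious(dest):
        return "prompt", dest
    return "allow", dest


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: helpdesk@example.edu
To: user@example.edu
Subject: Mailbox validation required

Please validate your mailbox at https://portal.example.com/login?user=jdoe
or your account will be disabled.
"""

SAMPLE_CLEAN = """From: colleague@example.edu
To: user@example.edu
Subject: Paper you asked about

Here it is: https://journal.example.org/article/123
"""

if __name__ == "__main__":
    text, flagged = apply_outbreak_filter(SAMPLE_PHISH)
    print(text)
    for link in URL_RE.findall(text):
        print(click_verdict(link))
```

Note that a rewritten link hides the real destination from the user; the original_url step is what an analyst runs on a reported message to see where the link actually goes.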
Please contact the Network Services Team at firstname.lastname@example.org if you have further questions regarding this email security feature.