On URLs

Today I received a phishing email. There's nothing unique about this, as I get them most days. Here's what this one looked like:

[Image: the phishing email]

I deleted it, and went on with my day. Then I started getting emails from colleagues who had clicked the link:

This is a simulated phishing test by ITS. Had this not been a test, clicking a malicious link could have caused great harm to the College and yourself including virus infection, ransomware, and breach of policy.

Nice. So this was actually an educational awareness campaign from our IT department.

Let's take a closer look at this email. First, the "malicious link" we were to make sure to avoid clicking (NOTE: I've removed my email address, which was also embedded in this, which breaks the link):

https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fparcel.fipsparcel.com%2Ftrackid%3D2Z2601682439486574%2Fstatus%2Fe1ec69%2F1c1a1760-f1b7-4466-bd13-0426dd61ce85%2F%3F&data=02%7C01%7C%7C5d900284122740ee017208d50596fa45%7Ceb34f74a58e74a8b9e59433e4c412757%7C0%7C0%7C636421068356213987&sdata=HDc6uWRTiIHV3Ip%2FP5c4lslHXrrL3lY8eH23IcAfmJA%3D&reserved=0

Oh, I should also mention that this same IT department recently turned on Microsoft's Advanced Threat Protection, which rewrites all URLs in emails like the above. That's right, every URL in my inbox looks like this now:

https://na01.safelinks.protection.outlook.com/?url=...

So is that link safe to click? Would you click it? What if the context around it was further removed (e.g., if you didn't have the ridiculous email about a tracking notification for a package you didn't order)? What if you got an email from me with a link to a blog post I wanted to share?

I'm not an InfoSec expert, and I don't pretend to have all the answers to online security. I do know that I shouldn't trust links from remote sources. But when you explicitly prefix every link I get with safelinks.protection.outlook.com, and then hide the rest of the URL in an encoding that I can't parse in my head, it sure makes it seem like something has been done to check this link, and it's safe. Or maybe it means that clicking this will test it for me when I click?
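As an added example, not code from the original post: a small Python script that does what the paragraph above says cannot be done in one's head, namely pull the `url` parameter back out of a Safe Links wrapper so the real destination can be read before anyone clicks. The sample is the wrapped URL quoted earlier in this post (with the author's address already removed). The host check, the nesting limit and the function names are my own assumptions, not part of any Microsoft documentation.

```python
from urllib.parse import urlparse, parse_qs, quote

# Assumed wrapper host: Safe Links rewrites point at <region>.safelinks.protection.outlook.com.
SAFELINKS_SUFFIX = "safelinks.protection.outlook.com"

# Sample input: the wrapped URL quoted in the post (author's address already removed).
SAMPLE = (
    "https://na01.safelinks.protection.outlook.com/?url="
    "http%3A%2F%2Fparcel.fipsparcel.com%2Ftrackid%3D2Z2601682439486574"
    "%2Fstatus%2Fe1ec69%2F1c1a1760-f1b7-4466-bd13-0426dd61ce85%2F%3F"
    "&data=02%7C01%7C%7C5d900284122740ee017208d50596fa45"
    "%7Ceb34f74a58e74a8b9e59433e4c412757%7C0%7C0%7C636421068356213987"
    "&sdata=HDc6uWRTiIHV3Ip%2FP5c4lslHXrrL3lY8eH23IcAfmJA%3D&reserved=0"
)


def is_safelinks(url: str) -> bool:
    """True when the URL's host is the Safe Links wrapper (or a regional subdomain of it)."""
    host = (urlparse(url).hostname or "").lower()
    return host == SAFELINKS_SUFFIX or host.endswith("." + SAFELINKS_SUFFIX)


def unwrap_safelink(url: str, max_depth: int = 5) -> str:
    """Return the destination hidden inside a Safe Links URL.

    The wrapper stores the original link percent-encoded in the `url` query
    parameter; parse_qs decodes it exactly once, which is what we want.
    A wrapped URL can itself be a wrapper (forwarded mail), so peel layers
    until a non-wrapper host appears, with a cap to avoid looping forever.
    """
    for _ in range(max_depth):
        if not is_safelinks(url):
            return url
        params = parse_qs(urlparse(url).query, keep_blank_values=True)
        inner = params.get("url", [""])[0]
        if not inner:
            raise ValueError("Safe Links URL carries no 'url' parameter")
        url = inner
    raise ValueError("too many layers of Safe Links wrapping")


def describe(url: str) -> dict:
    """Summarise a link the way a reader would want it shown: wrapped?, where does it really go?"""
    dest = unwrap_safelink(url)
    parsed = urlparse(dest)
    return {
        "wrapped": is_safelinks(url),
        "scheme": parsed.scheme,
        "host": parsed.hostname or "",
        "path": parsed.path,
        "plain_http": parsed.scheme == "http",  # worth flagging: no TLS on the real target
        "destination": dest,
    }


def wrap_again(url: str) -> str:
    """Construct a second wrapper layer (constructed test input, not a real rewrite)."""
    return "https://na01." + SAFELINKS_SUFFIX + "/?url=" + quote(url, safe="")


if __name__ == "__main__":
    for key, value in describe(SAMPLE).items():
        print(f"{key:12} {value}")
```

The point of `describe` is that the only fields a recipient needs to make a decision (scheme, host, path) are exactly the ones the wrapper obscures; a mail client or a small add-in could show them next to the link text.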

Let's instead take a look at the raw headers for this email:

...
Received: from phishme.com (localhost [127.0.0.1])
	by mail.nova.phishme.com (Postfix) with ESMTP id 3y2FGx53JqzF7R5
...
X-PhishMe: Phishing_Training

One would have a better hope of making an informed decision about this email and its intent if one could see the actual information in the email, in the links.

As it stands now, the lesson my IT department seems to be sending me is that I can no longer use their email system.

Message received.

Also, here's a safelink you can click, or is it?
