EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: urldefense.us URLs? (was: New Git mirror for the SNL-Sequencer (code and docs))
From: "Johnson, Andrew N. via Tech-talk" <tech-talk at aps.anl.gov>
To: "Muir, John Lewis" <jlmuir at imca-cat.org>
Cc: EPICS Tech Talk <tech-talk at aps.anl.gov>
Date: Tue, 2 Apr 2024 17:03:17 +0000

Hi Lewis,

 

I don't think we're going to get an exception from the URL rewriting implemented by ProofPoint. I considered the idea of trying to strip it out before writing messages to the tech-talk archive, but that's not easy. Many emails now come base64-encoded with multi-part content, and if a message containing a decorated URL is signed, stripping the decoration off would break that signature. Note that ProofPoint do recognize signed messages and don't try to decorate the signed sections, so if you want your messages to not get decorated, sign them before sending to the list.

 

Below are some excerpts from Argonne's FAQ about ProofPoint. I've personally stopped worrying about this; it does work as advertised for me.

 

- Andrew

 

General

  • What benefits does Proofpoint provide?
    • Email phishing is a significant and growing threat to Argonne security. Proofpoint allows us to improve both the comprehensiveness of our email filtering defenses and the efficiency of our response when phishing emails are received. With Proofpoint, we are better able to determine which users interacted with a malicious email and deploy the appropriate remediation to minimize the impacts of phishing events.
  • Why was Proofpoint chosen?
    • Proofpoint meets required cloud security standards.
    • Proofpoint is a leader in email security and used at DOE HQ and several other DOE labs (including ORNL, FNAL, LANL, LLNL, INL, BNL, SRS, and JLAB).
    • Proofpoint integrates with our current mail solutions (Microsoft 365 and Ironport).
    • Data aggregated from Proofpoint’s analysis is used to continuously improve their ability to catch malicious emails and links before they reach users.
      • Every day, Proofpoint analyzes an extensive dataset which includes:
        • 2 billion + email messages
        • 49 billion + URLs
        • 1 billion + attachments
        • 28 million + cloud accounts
  • Can I opt-out of Proofpoint protections?
    • No. The new protections are being added to all Argonne email.

URL Rewriting

  • What is Proofpoint’s URL rewriting?
    • Proofpoint has the capability to rewrite URLs in a way that allows them to function normally but also provides additional protections.
  • What benefit does link rewriting provide?
    • URL rewriting helps evolve the laboratory’s protections to defend against more sophisticated malicious links. As attackers have shifted to using legitimate services for malicious content hosting in an effort to appear benign, reviewing URLs manually has become a more difficult task.
    • The solution that performs the URL rewriting continuously monitors for new malicious sites. If a site is found to be malicious after the e-mail has been delivered, our e-mail protections will prevent you from visiting the malicious site. It also provides a mechanism for the Laboratory to identify who clicked the link before it was flagged and may need additional assistance. This protection extends to mobile and off-site devices.
  • Does a rewritten link mean it is completely safe?
    • No. Rewriting the link adds an additional layer of protection from Proofpoint that allows us to protect users if we discover that a malicious link was sent to them. However, it does not guarantee that every rewritten link is automatically safe. We still recommend caution when clicking on links (and attachments) you do not expect or that are from unknown senders.
  • How can I check a rewritten link? Does hovering over a link still apply?
    • Prior to clicking a link, one way to confirm the link is to hover your cursor over it without clicking. Wait one or two seconds, then you will be shown where that link will lead.
    • For emails sent from external sources, URL rewriting will take the original link and insert a prefix of “https://urldefense.us/v3__” and add a suffix with a “__;” (highlighted in yellow below) followed by a string of random numbers and letters. A fast way to identify the original link (highlighted in green below) is to just look between the sets of two underscores.
      • The unhighlighted portion is a unique string that allows us to take advantage of protections, so this string will change for every rewritten link.
      • Please do not attempt to bypass the rewritten link protections because this puts you at risk.


  • Will I still be able to access one-time links and password reset services using a rewritten URL?
    • Proofpoint preserves the original link contents and navigates to the original link after passing through the protection service. One-time links and password reset services should function as usual.

 

 

 

 

On 4/2/24, 10:55 AM, "J. Lewis Muir" <jlmuir at imca-cat.org> wrote:

 


On 03/26, J. Lewis Muir wrote:
> On 03/04, J. Lewis Muir wrote:
> > On 03/04, Johnson, Andrew N. wrote:
> > > The urldefense URL wrappers are now being added to all messages sent to
> > > the tech-talk at aps.anl.gov list from outside of Argonne.
> > > [snip]
> > If the change can't be restricted to messages delivered to individual
> > employee's email inboxes, then sadly, I'd vote for moving outside of
> > anl.gov...not that my vote counts for much.
> 
> Hi, Andrew!
> 
> Any word on this?
> 
> Thanks!
> 
> Lewis
 
Ping?
 
Lewis
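
Added example, not part of the original message or of Argonne's FAQ: a read-only audit that walks every MIME part of a message, undoes the base64 transfer encoding, and lists the original link found between the double underscores of each rewritten URL, noting whether the part sits inside a `multipart/signed` container (where any edit would invalidate the signature). The function names, the sample message and its token are constructed for illustration, and accepting a `/v3/__` prefix alongside the FAQ's `/v3__` is an assumption.

```python
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Wrapper shape as the FAQ describes it: prefix "https://urldefense.us/v3__",
# the original link, then "__;" and a per-link string. Accepting "/v3/__" as
# well is an assumption made for this example.
WRAPPED = re.compile(r"https://urldefense\.us/v3/?__(\S+?)__;")

def original_links(text):
    """Return the original link sitting between the double underscores."""
    return [m.group(1) for m in WRAPPED.finditer(text)]

def audit(raw_message):
    """List (content type, inside signed part?, original links) per text part."""
    findings = []

    def walk(part, signed):
        signed = signed or part.get_content_type() == "multipart/signed"
        if part.is_multipart():
            for child in part.get_payload():
                walk(child, signed)
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True)  # undoes base64 / quoted-printable
            text = body.decode(part.get_content_charset() or "utf-8", "replace")
            links = original_links(text)
            if links:
                findings.append((part.get_content_type(), signed, links))

    walk(message_from_string(raw_message), False)
    return findings

def sample_message():
    """Constructed sample: a base64 text part with one wrapped link, plus HTML."""
    wrapped = ("https://urldefense.us/v3__https://example.org/docs/a__b.html"
               "__;CONSTRUCTEDTOKEN123")
    msg = MIMEMultipart("mixed")
    msg.attach(MIMEText("See " + wrapped + " for details.\n", "plain", "utf-8"))
    msg.attach(MIMEText('<a href="https://example.org/plain">plain</a>', "html", "us-ascii"))
    return msg.as_string()

if __name__ == "__main__":
    for ctype, signed, links in audit(sample_message()):
        print(ctype, "signed" if signed else "unsigned", links)
```

The sample's original link contains `__` in its path on purpose: the match ends at the first `__;`, so the embedded double underscore does not cut the link short.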
