In an amazing feat of cybersecurity, the IT department now injects a warning at the start of all emails that originate from outside my organization.

This fucks up the mail preview. Now, all external mail (meaning like 60 % of my inbox) has the preview "NOTE! External sender." It makes finding the right email difficult and obfuscates the contents making it actually more difficult to gauge their veracity.

@personamatters Our email system obscures all links, making it impossible to tell whether they are pointing to legitimate sites or phishing attempts.
@jonne @personamatters Luckily Thunderbird has “Unmangle Outlook Safelinks” extension which makes the links readable again.

@HenrikLievonen @jonne There are also multiple Safe Links decoders online, which I would imagine are great places for some shenanigans if one would wish to capture data (Safe Links contain the recipient's email address) or inject harmful redirects (how often does one check the decoders' output if it's about what you'd expect).

I hope someone's done some calculations at some point in the process to see there's some merit in Safe Links, but... I wouldn't count on it.

Unmangling is quite trivial; I have an unoutlook.py script that is about a two-liner. (Not currently on hand, sorry.)
It is needed e.g. in some cases when the Microslop redirect breaks sites; the browser reports redirecting too many times. With the unoutlooked URL, it works just fine.
@personamatters @HenrikLievonen @jonne
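Added example, not puhuri's unoutlook.py and not part of the thread: a small local decoder for Safe Links wrappers. It relies on the two things such wrappers have in common, a host under `safelinks.protection.outlook.com` (region prefix such as `eur01` varies) and the original destination carried in the `url` query parameter; the sample wrapped URLs and the `wrap_for_demo` helper are constructed here for illustration. Decoding locally also addresses the point raised earlier in the thread: the per-recipient `data`/`sdata` parameters never leave the machine, which a random online decoder cannot promise.

```python
import re
from urllib.parse import urlparse, parse_qs, quote

# Host suffix of Safe Links wrappers; the region prefix (eur01, nam12, ...) varies.
SAFELINKS_SUFFIX = "safelinks.protection.outlook.com"

# Matches bare URLs in plain text; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def is_safelink(url: str) -> bool:
    """True if the URL's host is a Safe Links wrapper host."""
    host = (urlparse(url).hostname or "").lower()
    return host == SAFELINKS_SUFFIX or host.endswith("." + SAFELINKS_SUFFIX)


def unmangle_safelink(url: str) -> str:
    """Return the destination wrapped by Safe Links, or the input unchanged.

    Only the `url` parameter is read; `data`, `sdata` and `reserved` (the
    per-recipient tracking fields) are discarded.  Wrappers that are themselves
    wrapped (a Safe Link forwarded through another tenant) are unwrapped in a
    loop, bounded so that a malformed input cannot spin forever.
    """
    for _ in range(5):
        if not is_safelink(url):
            break
        # parse_qs percent-decodes the value for us ('+' becomes a space, which is
        # fine because Safe Links encodes a literal '+' as %2B).
        target = parse_qs(urlparse(url).query).get("url", [""])[0]
        if not target:
            break  # wrapper host but no url= parameter: leave it alone
        url = target
    return url


def unmangle_text(text: str) -> str:
    """Rewrite every Safe Links URL inside a block of text, e.g. a plain-text mail body."""
    return URL_RE.sub(lambda m: unmangle_safelink(m.group(0)), text)


def wrap_for_demo(url: str, region: str = "eur01") -> str:
    """Constructed test fixture: build a wrapper the way the real ones are shaped."""
    return (f"https://{region}.{SAFELINKS_SUFFIX}/?url={quote(url, safe='')}"
            "&data=05%7C01%7Crecipient%40example.org%7Cconstructed&sdata=abc123&reserved=0")


# Constructed sample: a destination with its own query string, wrapped once.
SAMPLE = wrap_for_demo("https://example.com/path?a=1&b=2")

if __name__ == "__main__":
    print(unmangle_safelink(SAMPLE))
    print(unmangle_text(f"see {SAMPLE} and http://plain.example.net/x"))
```

The text rewriter is what makes this usable on a whole message: pipe a saved `.eml` body through `unmangle_text` and the preview text becomes readable again without any third party seeing the recipient address embedded in the wrapper.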

@puhuri @HenrikLievonen @jonne Nice! I'm actually a little surprised MS doesn't provide an unmangling functionality by default.

At least in less technical fields people just copy-paste Safe Links or use random online decoders.

The Outlook app does provide a preview of the "original URL" (it is in the message HTML).
Of course, the whole functionality is totally backwards. Instead of the server modifying (corrupting) emails, the client software should take care of checking if the link is bad or not when the user clicks on it. Who makes the most popular o365 email client?
Unless the goal by Microslop is to collect all link activity data to be utilized and sold. But of course they are not that evil.
@personamatters @HenrikLievonen @jonne
@puhuri @personamatters @HenrikLievonen @jonne safelinks are a way to verify if a user has clicked the link.
Security software cannot go and check the links by itself as it would unsubscribe from shitloads of newsletters. So what they have done is safelinks. After a user has clicked the link and hopefully the EDR has verified if the site is malicious they can make the verdict. Then they can alert all the users who have clicked a similar link.
@puhuri @personamatters @HenrikLievonen @jonne it is annoying but can’t really blame them. It might be the only way of verifying which users have been compromised.
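Added example, not part of the thread and not Microsoft's implementation: a sketch of the retroactive triage aqunt describes, written from the defender's side. Click events are recorded as (user, URL, time); once a verdict arrives for a URL, users who clicked before the verdict are the exposure candidates to follow up, while clicks after it are the ones a click-time check can block. The `Click` record, the canonicalisation rules and the sample events are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse, urlunparse


@dataclass(frozen=True)
class Click:
    """One recorded click: who, on what, and when (constructed schema)."""
    user: str
    url: str
    at: datetime


def canonical(url: str) -> str:
    """Normalise a URL so trivially different spellings of the same link match:
    lower-case scheme and host, drop the fragment, drop a trailing slash."""
    p = urlparse(url)
    path = p.path.rstrip("/") or "/"
    return urlunparse((p.scheme.lower(), p.netloc.lower(), path, p.params, p.query, ""))


def triage_clicks(clicks, bad_url: str, verdict_at: datetime):
    """Return (exposed, blocked): users who clicked bad_url before the verdict
    and users whose only clicks came after it (when a click-time check applies)."""
    target = canonical(bad_url)
    exposed, after = set(), set()
    for c in clicks:
        if canonical(c.url) != target:
            continue
        (exposed if c.at < verdict_at else after).add(c.user)
    # A user who clicked both before and after counts as exposed, not blocked.
    return sorted(exposed), sorted(after - exposed)


# Constructed sample click log; timestamps are on the same day for readability.
CLICKS = [
    Click("alice", "https://bad.example.net/login", datetime(2024, 1, 1, 9, 0)),
    Click("bob", "https://BAD.example.net/login/#form", datetime(2024, 1, 1, 9, 30)),
    Click("carol", "https://bad.example.net/login", datetime(2024, 1, 1, 11, 0)),
    Click("dave", "https://good.example.org/news", datetime(2024, 1, 1, 9, 15)),
]
VERDICT_AT = datetime(2024, 1, 1, 10, 0)

if __name__ == "__main__":
    exposed, blocked = triage_clicks(CLICKS, "https://bad.example.net/login/", VERDICT_AT)
    print("follow up:", exposed)
    print("blocked at click time:", blocked)
```

Nothing here needs the mail body rewritten: the same triage works whether the click record comes from a server-side redirect, as Safe Links does it, or from a client that reports clicks, which is the alternative puhuri argues for.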
The client software could keep track of all of that without the need to mangle emails. Just plain stupidity to do it that way.
And btw, the MS system does visit links before me. When the system was introduced, I got lots of "link already used" errors from systems that had side effects with GET, which is forbidden (must use POST).
@aqunt @personamatters @HenrikLievonen @jonne
@puhuri @personamatters @HenrikLievonen @jonne it would work on client side as long as only MS clients and MS browsers would be allowed (like my employee org unfortunately).