Has anybody tried disabling hyperlinks in all incoming e-mail? This is purely theoretical - I haven’t attempted it - but since most of the problems we have with phishing and ransomware are caused by users clicking on links, I bet the extra step of copying and pasting a fully visible address instead of mindlessly clicking on a link would make them think about how legitimate the e-mail is.
I’ve seen products strip HTML content, but this sometimes caused legitimate emails to get all jumbled up as, e.g., some clients use HTML format emails not only in the content but also in signatures, etc.
I use Vipre endpoint. The Outlook module strips malicious links. Works good so far (but strips the KnowBe4 phish links too).
At a bank I used to work for, the policy was plain text only for emails. I won’t be able to get this past my current CEO, but I would implement that policy in a heartbeat.
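The idea raised in the two posts above (make links inert and show the full address, without flattening the rest of the HTML) can be sketched as follows. This is an added example, not part of the thread and not any vendor's code; the names `Delinker`, `delink`, `host_of` and the sample body are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class Delinker(HTMLParser):
    """Rebuild HTML with each <a href> made inert and its full target shown as text."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.flagged, self.href, self.label = [], [], None, []
    def emit(self, s):  # buffer while inside <a> so the note follows the label
        (self.out if self.href is None else self.label).append(s)
    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return self.emit(self.get_starttag_text())
        self.href, self.label = dict(attrs).get("href") or "", []
    def handle_startendtag(self, tag, attrs):  # <br/>, <img/>: keep as written
        if tag != "a":
            self.emit(self.get_starttag_text())
    def handle_data(self, data): self.emit(data)
    def handle_entityref(self, name): self.emit(f"&{name};")
    def handle_charref(self, name): self.emit(f"&#{name};")
    def handle_endtag(self, tag):
        if tag != "a":
            self.emit(f"</{tag}>")
        elif self.href is not None:
            href, shown = self.href, re.sub(r"<[^>]*>", "", "".join(self.label)).strip()
            note = f" [link removed: {escape(href)}]" if href else ""
            if href and URLISH.fullmatch(shown) and host_of(shown) != host_of(href):
                self.flagged.append((shown, href))  # label names one host, href another
                note += " [WARNING: visible text names a different host]"
            self.out.append("".join(self.label) + note)
            self.href, self.label = None, []

def host_of(url):
    try:
        return urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:  # malformed target: treat as "no host", which forces a mismatch
        return None

def delink(html_body):
    p = Delinker()
    p.feed(html_body)
    p.close()
    return "".join(p.out + p.label), p.flagged  # p.label: text of an unclosed <a>

SAMPLE = ('<p>Hi,<br/>see <a href="https://intranet.example.com/doc?id=1&amp;v=2"><b>the doc</b></a>'
          ' and <a href="http://login.example.net/x">www.mybank.example</a>.</p>')  # constructed
```

Only `<a href>` is handled here; comments and doctype declarations are dropped, and other link carriers (image maps, forms, scripts) would need their own handling before this could be used on real mail.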
We just moved to Proofpoint and activated URL defense. Like others, they re-write the URL, scan it, and send the new URL hyper-link. When the email arrives, hovering over the link identifies immediately that it has been re-written. If the link goes to a tested, clean site, you are able to click through and go to the link. If there is a threat on the site, Proofpoint throws up a “BLOCKED SITE” (or something similar) and prevents access.
This has saved us numerous times already. I endorse this aspect wholeheartedly.
As ssafra mentioned, we use Proofpoint and it helps on that aspect.
Another method that has helped is to add a header to your subject line, preferably in a red color:
- External Email Alert:
This message alerts the users that an email is coming from external domains and that they should be more careful about their interaction and the content on that email (clicking, files, etc…).
What about those sites that are set up as an apparently benign site, the emails are broadcast all over, the Proofpoint or other protection software sees the links as OK and does not block them, then hours later but before people open their emails the linked site is changed into a malicious site?
You bring up a valid and legitimate point in your question, Carl. This is, and always will be, a case of playing catch-up and doing what is possible and prudent. What works now and today may be ineffective later today and into tomorrow. These jerks are always ahead of us and we find ourselves in the losing position of waiting to see what they do next. You are 100% correct in your forward critical thinking and maybe together we could come up with a plan.
I like this idea, I think we might try that…