ExchangeDefender Phishing Firewall Whitelist and Blacklist explained
ExchangeDefender Phishing Firewall goes online tomorrow, and we wanted to explain our policy and our implementation of the URL rewriting/redirection because it is a departure from a traditional IT hierarchy where organizational policies override group and user requirements.
Our goal with ExchangeDefender PF is to provide a level of alert and notification to our clients that is designed to provide additional information about the link they clicked on. As we scale this service out, that will be it’s purpose: Be aware of what you clicked on, and prepare for what you’re about to see. Phishing, and spear phishing in particular, is designed to be a convincing fraudulent identity theft of an organization you know and trust (your bank, your coworker, your vendors) and our goal is to help you discern if something is valid or not.
Our whitelist/blacklist implementation is in line with “we inform, you decide” mantra, as we cannot outright block you from actually going to the dangerous site. That is the responsibility of your IT department, your network management, and your organization.
How do Whitelists and Blacklists work?
In ExchangeDefender we have 4 sets of whitelists and blacklists: user, domain/organization, service provider, and global. Our global lists are automatically populated for our service providers and when they protect a domain with ExchangeDefender, those entries are applied on the domain/organization level, and further down to the end user. As we continue to monitor, manage, and get additional intelligence about dangerous sites we will continue to curate these lists as a part of the service.
For example, we might find out that *.vlad8150.microsoft.net is a Microsoft Azure instance that is attempting to spread malware. We will promptly add it to our global blacklist and that site will now be blacklisted for every ExchangeDefender user. When they click on a link that leads them to that domain, they will see the ExchangeDefender PF notice with the URL in red. User will then have the option of ignoring it and proceeding to the site, or adding it to their whitelist. If they whitelist a domain/web site, any future requests will bypass ExchangeDefender PF web site and automatically redirect to the target URL.
The hierarchy of whitelists/blacklists is as follows, whichever rule is defined on the top is the one that is applied to the user when they click on a link.
But why, why not implement policies like NTFS, access list, or any other policy in which global deny rules override end user policies?
Simply put: Traffic blocking should be done on the network level. We are simply the alert service, we will advise you when we see something dangerous and it’s up to you to discern if the site is trustworthy or not. We believe that this implementation will cause the least amount of interruption to the day-to-day use.
That said, we have been working on additional controls and policies to help our service providers and CIO’s better enforce company security policies. As with everything, security policies must be implemented in layers – and dangerous content should be enforced in accordance to business requirements. This means that if your clients should not be downloading .exe files, the network firewall should be doing that. We don’t have the means to do that as an email service – users can right click on the email, put it in notepad, remove https://r.xdref.com/url= from the link and go straight to the web site.
How do we manage them?
ExchangeDefender PF whitelists are available at every level of ExchangeDefender. Simply add a site to either a whitelist and blacklist and ExchangeDefender will automatically propagate your rules down through the entire organization. Users will have the ability to add / block sites from the ExchangeDefender PF in real-time and their settings will be preserved in their account only.
P.S. Officially the service goes online tomorrow, unofficially it’s been in place for months we just haven’t rewritten a single URL except for the emails you received from us – we have worked very hard on the implementation and we don’t expect major problems but will have staff on hand around the clock to address any issues immediately. Spear phishing is an epidemic, over 90% of compromises start with a link in an email. We will handle any glitches, bugs, and issues as fast as possible and have full confidence that having an alerting service with potential problems is far more useful than having nothing and leaving clients exposed.
ExchangeDefender Phishing Firewall FAQ
ExchangeDefender Phishing Firewall officially launches tomorrow, June 12th, 2019.
Every service provider and every user will be contacted with the information about the new service. Since some users may see the redirection site, we wanted to assure everyone was aware of the service, how it works, what it looks like, and what it does to protect them.
Note from Vlad: We hate changing the user experience. We understand that every time we change anything there will be an issue, folks don’t like having their cheese moved, I get it. However, this isn’t a futile exercise in self-promotion, up-selling, cross-selling, or useless noise: we are doing this to eliminate the problem that 90% of security compromises are triggered by. This implementation comes down to ethics: If I know that something is 90% likely to hurt you, and I have the means to protect you, and I choose to let you get hurt anyhow… why would you ever do business with me or ExchangeDefender? I understand we may lose some business over this, and I am willing to make less money in order to do a better job for people that trust us with their business.
Here are the answers to some questions we’ve already received:
Q: Does ExchangeDefender PF work on every device I receive email on?
A: Yes, ExchangeDefender PF automatically encodes all links sent through our system in HTML messages and redirects them through ExchangeDefender PF. This means that the link will be secured no matter which device you use to access your ExchangeDefender-protected email.
Q: Does ExchangeDefender PF protect me from non-email links?
A: ExchangeDefender only protects you from email links in HTML messages sent to your email address through ExchangeDefender. If your mail client downloads mail from 3rd party external services (Yahoo,
AOL, Microsoft, Google) that are not protected by ExchangeDefender, you will not be protected.
Q: Is ExchangeDefender PF available in ExchangeDefender Essentials?
A: ExchangeDefender PF is only available in ExchangeDefender Pro and ExchangeDefender Enterprise.
Q: Is there any way to turn off URL encoding for specific domains or users?
A: ExchangeDefender encodes the URL at the edge, as the message is being scanned for malware and other phishing forgeries.
Q: I don’t want to see the ExchangeDefender PF warning/site, can I bypass it?
A: Yes, you can simply whitelist the domain and ExchangeDefender PF will not be displayed. Whitelisted domains are automatically displayed without ExchangeDefender PF. ExchangeDefender maintains a list of known good/legitimate domains so the likelihood that you will see a dangerous (or questionable) website is very low. Additionally, your IT department or IT Solution Provider has access to organization-wide whitelist and can bypass ExchangeDefender PF to any site you need to visit.
Q: Is it possible to still get hacked/compromised even with ExchangeDefender PF?
A: ExchangeDefender PF simply applies your organizational policies to traffic and gives you additional information about the link you have clicked on. If you ignore warnings, or if you proceed to a dangerous site as a part of your organizational policy, you can still be compromised.
Q: Is there anything special I need to do on my network in order to support the redirection?
A: No, you should not have to make any modifications to your clients network in order to support this. If you do something exceptionally unusual (we would have contacted you separately, DoD requirement) and only have an allow access policy while blacklisting the rest of the Internet, redirection happens through https://r.xdref.com domain that needs to be in the safe sites.
Q: Can I turn URL rewriting off?
A: The ExchangeDefender URL rewriting code is implemented at the edge without regard for domain/user policies. In order not to introduce delays in processing, this is a global rule. If you are concerned about your clients seeing the redirection screen, whitelist the domains they typically go through. If we get complaints about it, we will look at deploying this policy further down in the scanning path which will slow down processing times for domains that opt out of the service and that feature is already in the development queue.
Q: Can I see the copy of the messages you are sending users, so I know what to expect?
A: Here is a copy of the message in PDF and Outlook format.
Q: Will the links stay live for X number of years for compliance purposes?
A: There is no expiration date for the links, as clearly stated in our Privacy Policy we do not collect or archive the links that you click on or that we encode, they will stay in your downloaded / cached / archived messages. While many regulatory requirements have message retention policy expectations, those requirements do not extend to external content, ie: you have to archive the message, you DO NOT have to archive the documents that are externally linked on third party sites. Either way, messages will continue to redirect as long as we stay in business.
Q: Can I get a list of good/bad sites for my compliance records?
A: Please contact our compliance officer at compliance@ownwebnow.com with the letter from your regulatory body and we will do our best to provide this confidential information ASAP.
ExchangeDefender Service Provider Branding
ExchangeDefender is happy to announce the enhancement of it’s Service Provider branding options. ExchangeDefender is primarily distributed and managed by other IT Solution Providers (MSPs, VARs, IT professionals) and we have exposed as much of our infrastructure as possible for white label functionality. Starting this week, we are also encouraging you to brand messages sent by ExchangeDefender:
ExchangeDefender Email Notice Branding is available at https://admin.exchangedefender.com under your Service Provider login. Click on Configuration > Branding and you will see a section that will allow you to provide any content you’d like us to include on messages sent to users automatically.
We encourage all of our Service Providers to provide at least their basic contact information and a note in this section. While we are always concerned with our partners brand, system notices and urgent security issues may at times require us to contact the user directly. In the event that we do that, it’s helpful for the client to see your information at the top of the message instead of the bottom.
We’re also working hard on delivering additional features to ExchangeDefender sites, so if you have any suggestions or wishes, please let us know by hitting the feedback link anywhere in our system.
P.S. This feature was discussed in detail during our webinar on June 6th, 2019. Watch the webinar here: https://www.exchangedefender.com/media/XDNewPhishing.mp4
ExchangeDefender: Overhaul of Phishing Protection
ExchangeDefender is thrilled to announce the new Phishing Firewall in the cloud, going into full production – Wednesday, June 12th, 2019 for all ExchangeDefender Pro and Enterprise protected clients. The old way of highlighting, underlining, inserting warnings and so on will be removed from the service at the same time because it lacks the ability to protect clients in real-time.
The ExchangeDefender Phishing Firewall (EPF) is a real-time, active pishing protection. As ExchangeDefender processes inbound mail, it will rewrite every link to proxy it through EPF when user clicks on it. If the site is safe, the user will be automatically redirected to it and will not even know that EPF is in the way. If the site is not on the safe list, end users will see this warning:
They will have the option to just click on the link and proceed, add to whitelist (at which point they are automatically allowed through in the future) or add to blacklist.
Because of the way phishing works, and all identity theft or forgery in general, it is impossible to secure email messages in transit without making annoying modifications to the message that often distort the look and feel of it. Majority of those links are in the 95% of the mail that passes through ExchangeDefender as SPAM/SureSPAM, meaning that they would never even be seen by anyone. By moving the Phishing Firewall to the cloud, we can now secure every device and provide additional metrics and advisory on top of it to protect our clients from 0-day exploits.
This feature is provided to our clients free of charge and replaces expensive “security awareness training” solutions that users typically hate and do nothing to adequately secure the client. With Exchange Phishing Firewall we enable our clients to create custom policies, maintain whitelists, blacklists, get enterprise reporting and more. It further allows us to go one step beyond – in the upcoming releases we’ll offer the ability to display a screenshot of the site as well as link intelligence data (How long ago was the domain name registered? Where is the IP you’re about to go to located? Is the domain a close spelling error of a widely recognized site? Is the forged site just a cloud hosted Google, Microsoft or Amazon cloud service instance that is holding or redirecting you to another more dangerous location?)
If you’re currently on ExchangeDefender Essentials, we encourage you to schedule a demo with our team to check this feature out as it’s significantly cheaper than antivirus or “security training” solutions and will do a far better job. If you’re on ExchangeDefender Pro or ExchangeDefender Enterprise, you will get this feature free of charge. On Monday, June 10 we will send an email notification announcing this launch to our partners, MSPs, and Service Providers. On Tuesday, June 11 we will send an email notification to end users. Finally, on Wednesday, June 12th we will go live with the service and hope to minimize the annoyance of phishing once and for all. Email is the single most popular attack vector, with 91% of the compromises starting through a phishing attack, and we look forward to protecting all our users even better.
Phishing: Beware of Strangers
This Thursday, June 6th, we will be announcing a major overhaul in the way we deal with spear phishing SPAM. No, it’s not a mind-blowing patent-pending stroke-of-genius sort of stuff, it’s much closer to what your parents told you growing up: Don’t get into a car with strangers don’t click on links or open attachments from strangers.
In a way, ExchangeDefender has had protection from this issue for years. If you had a decent IT Solution Provider implementing ExchangeDefender for you, they would have setup your SPF record and eliminated this issue – but many don’t. Or they would have turned on ExchangeDefender protection where all messages spoofing/forging your domain would automatically get junked – almost none of them do. Which is why ExchangeDefender as a service has become less of an IT tool and more of an end user suite of services to get stuff done.
When features like this are left disabled “because they might become support issues” it becomes really difficult to secure users. But I get it, IT companies have a business to run too, which is why we’ve really stepped up our support efforts and are going to be there to help folks get things done without becoming an additional problem for the IT department. Doing so has really made us rethink how we implement features and how the service behavior needs to speak the same language as the end user. Which brings me to phishing beyond forgeries.
Can you spot a stranger?One of the new phishing protection features in ExchangeDefender will allow you to flag messages that are coming from outside of your organization. You will have two settings – to modify the subject and to modify the header of the message so when you look inside of your mailbox you’ll know what came from a stranger right away. Try it:
Even from the message listing you’ll know which messages shouldn’t even be opened. But suppose you ignored even that – you can set another warning, printed inside of the message, giving the user even more of an instruction of what to do.
Warning: Message was sent from outside of the organization. Do not click on links or open attachments if you don’t recognize the sender.
Far from subtle. And it has to be – because most people check email quickly, between tasks, or are simply interrupted by it. ExchangeDefender has your back, and we’ll make sure we alert you to possible issues before they become problems. Which we hope everyone will be aboard with.
Please join us, June 6th at Noon, for our NEW webinar featuring ExchangeDefender’s Phishing and Spoofing protection, plus see what’s new with Encryption, WFS, and Wrkoo!
ExchangeDefender Web File Server gets even cooler – 5 new features!
It’s been less than two weeks since we released the highly anticipated upgrade to ExchangeDefender WFS (Web File Server / Web File Sharing) file collaboration portal. The usage of the service spiked as a result of the webinar, but it has been increasing on a daily basis ever since – don’t worry, developers and IT noticed – so we’ve been cranking ever since. As usual “it would be cool if it could do ” and “I have a ton of clients that need this, can it do ?” and we’ve been working overtime at the expense of other projects to get this done correctly (it’s being developed concurrently with ExchangeDefender Encryption and some other cool stuff).
Anyhow, I wanted to take a moment to show you what we do with your feedback.
First, yes, the old UI was a little bit clunky and REALLY slow by modern standards. We’ve fixed that, but it required redesigning how we actually build the library and how you interact with it. Since the last update we have split file upload from library creation – with the idea that the person that starts the library may not be the one contributing or sharing most of the documents in it.
As you can tell, there are some new features in here – permissions and smarter email notifications to be specific. With notifications, we’ve introduced a mechanism to send you an email notice (and soon something much, much cooler) when someone downloads a file from your library, as well as a notification whenever a file is uploaded. If your document management practices haven’t changed since the last decade, you’ll probably love this.
File management, or “actual work” as we like to call it, is on the next screen and is far more interactive. You can now upload files up to 500Mb (system max will eventually be 4GB) and as long as you’ve got a decent Internet connection you’re set. Drag and drop works too.
Once you’ve got your libraries together, you can actually pick up to 3 favorites. Those will be pinned to the top of your dashboard so you can access them quickly:
Now this is where things get cool and leave old “file sharing” stuff in the dust. If you’re working with others, particularly if they are contractors or not in your organization, you’re getting notices via email. ExchangeDefender WFS supports that by default, enjoy making your Outlook even slower and less productive. I’ve got something better. See that panel on the right? It shows you recent activity. Yes, this means that once you log in you will be able to see which files got changed, which libraries you got added to, what happened. And you will be able to plow through all the files and libraries and catch up with everything within a minute.
Next we’re embedding even more chat/discussion/notes to it so you can say goodbye to having to compose or respond to emails entirely. The big idea is that organizations are always sharing files but they are either stuck with old technology or old restrictive (and often insecure) platforms to do so. Say hello to ExchangeDefender WFS. It doesn’t look to “Windows File Sharing” first, it looks at collaboration first. Cause that is what people do with documents – they work on them together – be it creative, administrative, processing, logistics – life revolves around getting data and distributing it – and we’re making sure you can do that as securely and as productively as possible while getting rid of the “traditional IT way of doing it”
Everything you see here is a result of user feedback. So please, as you use our products and services, if we can help you please tap the Feedback link that is on every page and help us build something awesome.
P.S. Oh by the way, WFS now also supports versioning and revision control/notes. You’re welcome! 🙂
Pro Tip: How to Pitch Encryption and Compliance
Here is something that MSPs always get wrong when it comes to proposing Encryption and Archiving (HIPAA, compliance, eDiscovery): You can’t be something you’re not BUT you have to know the service you’re proposing. More on this topic tomorrow (if I can sneak it by the marketing)
Posted by ExchangeDefender on Thursday, April 5, 2018
Here is something that MSPs always get wrong when it comes to proposing Encryption and Archiving (HIPAA, compliance, eDiscovery): You can’t be something you’re not BUT you have to know the service you’re proposing.
Want to see part TWO of this video?
Disclaimer: There is tasteful profanity and light nudity to really drive the point of how to better interact with your clients. 🙂
ExchangeDefender: Become a Partner
VIDEO: Live Archive keeps emails up, and running!
So here is something that has always worked for me: everyone hates outages. Regardless of why I’m invited to speak to anyone about ExchangeDefender, and the billion problems we solve, I am here to help you with just one thing: uptime. If things are working, we can sort everything out, but the fear of the new unknown solution causing downtime is the #1 thing your client is thinking about. So address it first.
Posted by ExchangeDefender on Thursday, March 29, 2018
What’s this video about? Live Archive.
So here is something that has always worked for me: everyone hates outages. Regardless of why I’m invited to speak to anyone about ExchangeDefender, and the billion problems we solve, I am here to help you with just one thing: uptime. If things are working, we can sort everything out, but the fear of the new unknown solution causing downtime is the #1 thing your client is thinking about. So address it first.
What is Live Archive?
Access your email via the cloud when outages happen.
Organizations are constantly facing internet and email outages, maintenance cycles and service unavailability. The key to productivity is being able to access your email even when outages happen Exchange Defender LiveArchive Business Continuity is the solution.
As you send and receive email, we make a copy and store it on our network – when you experience an outage you can just pull up a webmail system on your computer, tablet, or phone and continue where you left off.
Visit Exchange Defender: Email Security, Archiving, and Business Continuity solutions
2018 Best Sellers: ExchangeDefender Email Security Features
We’re almost done with the first quarter and I wanted to take a moment to brief you about the features that are driving sales the most. These figures were taken from the top 10% of our managed services partners (MSP) in the small and mid-market segment (so they aren’t skewed by distributors, ISVs and large government/enterprise orders). I want to give you an idea about what is selling out there and hopefully these are the same conversations you’re having (or should be having) in order to grow your business.
70% of our MSP’s say these email security features are making them money in 2018.
.
Compliance Archiving
In Compliance with HIPAA, GDPR, Sarbanes-Oxley, SEC, PCI regulations.
We are continuing to see a massive shift from email backups to email Compliance Archiving. In a nutshell, our Compliance Archiving offers companies the ability to store up to 10 years of inbound, outbound, and interoffice email in the cloud where it meets dozens of regulator compliance, government and eDiscovery standards. Not only does it eliminate the pain point of managing backups, but it enables users to quickly and easily locate messages they are looking for on their own.
SPAM Filtering
Spam accounts for 14.5 billion messages globally per day. In other words, spam makes up 45% of all emails.
The more people move from their Exchange servers to the cloud (and Office 365) the more they realize how good they had it while their security was layered by their MSP managed solution. While everyone goes to the cloud hoping that “it’s good enough” SPAM filtering will work, companies quickly find out that the few bucks a month they were spending to keep trash out of the mailbox was really worth it. I have spoken to so many MSPs that couldn’t convince their clients to keep ExchangeDefender as they went to the cloud and that within a week of making a move to Office 365 they were right back on it – some unfortunately due to immediately failing an audit and phishing stuff flying through (more details on Phishing Protection and how to promote it later)
Encryption
Encryption use is no longer optional.
As we pick up the pace on the rollout of our Compliance Manager service, we are seeing a lot of sales made on the back of Encryption (free) and Corporate Encryption (addon) services. I’ll admit I have not spoken to a ton of people about it, but feedback we continuously get about the service is that regulatory requirements in several industries are finally starting to be taken seriously: health care, banking, mortgage/finance, CPA, and sales activity is typically the highest during Q1 and it’s also the time those industries go over their business process and direct their staff to use new services. Every time someone uses the encryption process in ExchangeDefender we seem to get more interest for the product from the third party that received the message so if you’re not promoting it, you’re missing out on real world demand.
Our top email security solutions offer must-have features for any business.
As I mentioned in the introduction, these are the services that are in demand now – so if they aren’t front and center in your promotional collateral you should be talking to our marketing team (!!! Action Item). Remember that companies will not pay for a service that is nice to have or even one they are required to have – they’ll only pay for things that either grow the business or reduce problems and make workers more productive and profitable. SPAM filtering makes people more productive while encryption and compliance archiving make problems related to backups and lawsuits go away. Since these features are part of a service every single user interacts with daily, they aren’t like to want to cancel it, giving you the opportunity for a long-term revenue generator.