Koozali.org: home of the SME Server

[External] tag in the message subject

girimia
« on: February 19, 2023, 04:07:00 PM »
Hello,

I want to insert an [External] tag in the message subject of all emails that come from outside.

Can you tell me how I can do this?

Thank you!

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: [External] tag in the message subject
« Reply #1 on: February 19, 2023, 07:49:22 PM »
Hi,
While it sounds like THE solution for alerting your users to a potential risk, this is very bad practice, as it will:
- reduce your users' awareness
- tag a lot of false positives, making it useless
- not tag the most dangerous false negatives
- put DKIM protection down in a lot of cases, as Subject could be a signed field.

Hence I suggest:

- you start reading about DKIM and add an extension for DKIM checking to your mail client (Thunderbird provides some)

- educate your users.

===
Here are a few examples of why this is bad:
- Let's say you use a rule on From: if it is not your domain, you tag it external.
 * Phishing email 1, sent from director@yourdomain.com, will have no tag and will be considered safe by the user. However it was sent from the SMTP server malicious.hacker.co. Your user now has a backdoor on his computer.
 * An official email from TI@cra.gov.ca will be tagged and hence either ignored by your user, and you will miss the due date on your taxes, or your user will start understanding this tag is useless and open the file anyway.
 * After the experience with email 2 your user feels the alert should always be ignored and opens the link in the message from noreply@email.teams.microsoft.com as it looks like all his M$ Teams notifications. Unfortunately it was sent from the malicious.unitedhackers.com SMTP server after a bit of reverse social engineering to check which people your user knows.

In the last two situations, the tag prevents your user from checking the signature of the email, as it will always fail since you altered it.
In the first situation, having DKIM enforced will tag this email as not from a legitimate source for the domain.

As a result, tagging will not protect you. I do not say DKIM is the solution for everything, but trying to solve a problem by removing one element that helps you to be safer is not the best approach.

I know a lot of big corporations and universities tend to do this… but does this really protect anyone?
« Last Edit: February 19, 2023, 07:51:53 PM by Jean-Philippe Pialasse »
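As an added illustration of the DKIM point in the reply above (example code written for this thread, not from the poster or from SME Server): a DKIM signature lists the headers it covers in its h= tag, and a verifier recomputes a hash over those headers after "relaxed" canonicalization (RFC 6376 section 3.4.2). The script below applies that canonicalization to a constructed message whose placeholder signature lists Subject in h=, then shows that prepending "[External] " to Subject changes the signed hash, whereas adding a header that is not in h= (a hypothetical X-External, used only for contrast) leaves it unchanged. Only the header portion of the verification is modelled; a real verifier also hashes the DKIM-Signature header itself with b= emptied, checks bh= against the body, and validates the signature with the public key published in DNS.

```python
import email
import hashlib
import re
from email.message import Message

# Constructed sample message, not a captured email. The DKIM-Signature header is a
# placeholder whose bh= and b= values are dummies; only its h= list is used below.
RAW_MESSAGE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Director <director@example.org>
To: Staff <staff@example.org>
Subject: Quarterly figures
Date: Sun, 19 Feb 2023 16:07:00 +0000
Content-Type: text/plain; charset=utf-8

Please review the attached figures.
"""


def load(raw: bytes = RAW_MESSAGE) -> Message:
    """Parse a raw RFC 5322 message (compat32 policy keeps header values verbatim)."""
    return email.message_from_bytes(raw)


def relaxed_header(name: str, value: str) -> str:
    """Canonicalize one header field the 'relaxed' way (RFC 6376 section 3.4.2):
    lowercase the name, unfold continuation lines, collapse whitespace runs to a
    single space, strip whitespace around the value, terminate with CRLF."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value)
    value = value.strip(" \t")
    return f"{name.lower()}:{value}\r\n"


def parse_h_tag(msg: Message) -> list[str]:
    """Return the header names listed in the signature's h= tag, in order."""
    sig = re.sub(r"\s+", " ", msg["DKIM-Signature"] or "")
    match = re.search(r"(?:^|;)\s*h=([^;]+)", sig)
    if not match:
        return []
    return [h.strip().lower() for h in match.group(1).split(":") if h.strip()]


def signed_header_hash(msg: Message, h_list: list[str]) -> str:
    """SHA-256 over the canonicalized headers named in h=. This is only the header
    part of what a verifier hashes (see the lead-in for what is left out)."""
    chunks = []
    for name in h_list:
        instances = msg.get_all(name) or []
        if not instances:
            continue  # a listed but absent header adds nothing to the hash input
        chunks.append(relaxed_header(name, instances[-1]))  # verifiers take the last instance
    return hashlib.sha256("".join(chunks).encode("utf-8")).hexdigest()


def tag_subject(raw: bytes = RAW_MESSAGE, tag: str = "[External]") -> Message:
    """What a subject-tagging gateway does: rewrite a header that is commonly signed."""
    msg = load(raw)
    msg.replace_header("Subject", f"{tag} {msg['Subject']}")
    return msg


def add_unsigned_header(raw: bytes = RAW_MESSAGE, name: str = "X-External", value: str = "yes") -> Message:
    """Add a header that is not in h=. X-External is a hypothetical name, for contrast only."""
    msg = load(raw)
    msg[name] = value
    return msg


def compare_tagging(raw: bytes = RAW_MESSAGE) -> dict:
    """Report how each modification affects the signed header hash."""
    original = load(raw)
    h_list = parse_h_tag(original)
    baseline = signed_header_hash(original, h_list)
    subject_hash = signed_header_hash(tag_subject(raw), h_list)
    extra_hash = signed_header_hash(add_unsigned_header(raw), h_list)
    return {
        "signed_headers": h_list,
        "subject_tag_breaks_signature": subject_hash != baseline,
        "unsigned_header_keeps_signature": extra_hash == baseline,
    }


if __name__ == "__main__":
    for key, value in compare_tagging().items():
        print(f"{key}: {value}")
```

Running it prints that Subject is among the signed headers, that the subject tag breaks the signed hash, and that the unsigned header does not. Relaxed canonicalization forgives whitespace changes (folding, extra spaces) but nothing else, which is exactly why a gateway that rewrites Subject turns every signed message from such a domain into a DKIM failure.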