Microsoft Advanced Threat Protection is a disaster

tl;dr: I’m pulling my hair out about this terrible email security service that is ruining my work email, so I blogged about it.

My employer uses Microsoft Exchange for university email. It recently purchased and implemented the “Advanced Threat Protection” package, primarily to combat phishing. The “Safe Links” feature, in particular, is a disaster. Pitt’s webpage explaining this service is here. Microsoft’s is here.

So the “Safe Links” feature replaces all links in incoming emails from outside servers with links that begin with “https://na01.safelinks.protection.outlook.com ” and are followed by several lines of complex code. This is a solution of sorts to phishing scams, but seems to have exactly the opposite effect as it should. For example, I now regularly receive emails with links such as this:

https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.tandfonline.com%2ftoc%2ftmam20%2f10%2f1&data=01%7c01%7cbickford%40PITT.EDU%7ca9f7b386fae94ca994bb08d38e3a59bb%7c9ef9f489e0a04eeb87cc3a526112fd0d%7c1&sdata=st79jNKGyGbI%2fcDprP%2fgra%2fTQz7lni5uZCS7a1W83OI%3d

In emails formatted with HTML that would be embedded as a link. In plain text emails the whole link is included in the text.

This is bonkers for several reasons:

(1) Security

My normal approach to potential phishing emails is to check whether the links go to the expected servers or not. If I look closely at the above link I can see that it may resolve to a site on the domain http://www.tandfonline.com, but there is no way to actually confirm that without actually clicking the link. That, then, requires me to trust that the Advanced Threat Protection service will in fact catch every potentially malicious link and will never go down. But, predictably, this service has already had major vulnerabilities that let malicious links through and apparently lasted for months.

This trains users to blindly trust long, complex links in general. One of the ironies here is that Pitt’s IT office recently implemented a “Phishing Awareness” program, to train and encourage email users to be more careful about phishing emails. That campaign tells us:

You can identify a phishing scam by looking for email messages that:

  • Create a sense of urgency
  • Invoke strong emotions, like greed or fear
  • Request sensitive data
  • Contain links that do not appear to match legitimate resources for the organization that is contacting you

So when you receive an email that seems to create a sense of urgency, invoke strong emotions, or request sensitive data, before you click you should check the links to make sure they go to expected servers.

The Safe Links program makes this impossible. Now when you receive an email that seems to create a sense of urgency, invoke strong emotions, or request sensitive data, you can’t confirm that the link goes to the expected server, because all links go to https://na01.safelinks.protection.outlook.com!

That domain itself is much more complex than normal. I can look at

https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.tandfonline.com%2ftoc%2ftmam20%2f10%2f1&data=01%7c01%7cbickford%40PITT.EDU%7ca9f7b386fae94ca994bb08d38e3a59bb%7c9ef9f489e0a04eeb87cc3a526112fd0d%7c1&sdata=st79jNKGyGbI%2fcDprP%2fgra%2fTQz7lni5uZCS7a1W83OI%3d

and confirm that it ends in “outlook.com” as the top-level domain. But it is a lot of work to parse. And it is so complex that it would be relatively easy to imitate and confuse even sophisticated users with small changes, like one more top-level domain.

With the Safe Links program, users now have no choice but to trust that the service never goes down and that it never misses a malicious link. Except that the service already has gone down and missed malicious links!

I’m sure it is difficult to train a large number of users at a large institution to be sophisticated, skeptical email users. But Safe Links trains users in exactly the opposite direction, to be passive, trusting email users. And then when Pitt students and faculty use their personal email accounts (very possibly on Pitt machines!) they will be even more susceptible to scams because we are teaching them the wrong habits.

Ironically, this works directly at cross purposes to Pitt’s own phishing awareness campaign. A significant element of that campaign is that Pitt is sending out fake phishing emails (so fake fake messages), which have phishing awareness sites on the other end of their apparently malicious links. So I received this message:

Screen Shot 2016-06-16 at 9.14.07 AM
screenshot of fake phishing scam email

Hilariously, that link at “Manage Order” goes to this page:

Screen Shot 2016-06-16 at 9.19.43 AM
screenshot of phishing awareness website

Which includes this (excellent) advice:

You should always be suspicious of links in email. Before you click, you should verify that you recognize the web address that is used in the link.

But if you look at the original fake phishing scam, the link that is supposed to go to “http://orders.discontcomputers.com ” (a site I would know I did not have any recent orders with, and therefore would be suspicious of), instead goes to:

https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2forders.discontcomputers.com%2fgp%2fr.html%2fb0aaed%2f%3flogin_id%3db14486b8-9334-44bf-9fc4-138293e06303&data=01%7c01%7cBICKFORD%40pitt.edu%7cc13ccde9ce0e4cd6ef3008d39075f908%7c9ef9f489e0a04eeb87cc3a526112fd0d%7c1&sdata=3X6xloziBnsaxoXfn9c0r%2fID5AWUG2xOyfvszXODQs4%3d

This makes no sense.

(2) Usability

Replacing simple direct links in email with links that are almost 300 characters long (!) seriously impacts the readability of plain text messages. Most of the email lists for professional/disciplinary organizations that I subscribe to require messages be formatted in plain text, so I get a lot of these. For example:

Screen Shot 2016-06-16 at 8.21.21 AM
screenshot of email message with lots of really long links

I can’t even.

Now when someone’s email signature includes a link to their homepage, it is four lines long, and can’t be understood as links to an individual’s homepage. To learn where that person’s website is, you have to actually click the link and load the page! Paragraphs and sentences are broken up to the point of unreadability.

Unembedded URLs are good for email security, because they ensure that readers see where links are going, and we should encourage them. Instead this change further encourages email senders to embed URLs as hyperlinks in email, which makes it much harder for users to recognize and decipher the links they are clicking on, which is bad.

(3) Record-keeping

Of course this will also create serious “linkrot” problems in the future. I keep an archive of my work emails going back over a decade, and email is an important form of record-keeping (this is especially true for public institutions like the one where I work). This service relies on Microsoft servers continuously running to scan and translate clicked URLs. If Microsoft ever discontinues this service (and why wouldn’t they if it stopped being profitable? Google killed Reader, after all), all of these links will become completely unusable. The links themselves may not even contain all the information in the original URL, so the original destination may not even be able to be decipherable in the future. (They do seem to include all the original link information in some form, but I haven’t looked at enough of them to confirm that it is all in the new safelink URL and not stored online in a database, say. And even if the information is all there it is very heavily processed.) This means that we are relying on Microsoft to continue an active link analysis service in perpetuity to maintain the basic usefulness of our own email archives in the future. If Pitt ever decided, say, to switch from Exchange to Google’s Apps for Education, or even if Microsoft discontinued the Exchange service altogether, we would not lose our archives hosted on our own machines. But if this new service were discontinued we would lose access to basic information in messages in our email archives. That does not make sense to me as an approach to record-keeping either for academics or for a public institution.

(4) Privacy

On Microsoft’s webpage explaining this service, they advertise this feature:

Get rich reporting and track links in messages
Gain critical insights into who is being targeted in your organization and the category of attacks you are facing. Reporting and message trace allow you to investigate messages that have been blocked due to unknown viruses or malware, while URL trace capability allows you to track individual malicious links in the messages that have been clicked.

They include this image:

Image_RichReporting_713x325
image of list of links from Microsoft website

This appears to suggest that institutional IT administrators will receive reports with individually identifying information about every link clicked by every email user. Surely there is some tradeoff between privacy and security, but this seems, at least, like a significant movement away from the norms of privacy that university employees currently expect. My understanding is that Pitt’s IT administrators do not, for example, see the text of all my emails, or even their metadata, though that may be possible in extreme cases. But here Microsoft is suggesting that they will produce and make available reports detailing every link clicked on by individually identifiable email users. That seems like a bad thing.

I suppose there is some logic here, which is that if you ruin email as a useful tool for scholarly communication, then people will stop using email, and then you won’t have to worry about users clicking on malicious links in phishing scams.

 

Advertisements