Proofpoint

What is Proofpoint and why did I get this strange email?

WSU IT security subscribes to a hosted inbound email virus and spam filtering service called Proofpoint. Proofpoint maintains all the software and hardware; all email security policies and filtering are managed by WSU.

How does Proofpoint work?
Example of a Proofpoint quarantine notice.

If Proofpoint judges one of your inbound emails to be suspect, it places the message in a quarantine folder in your designated account space on Proofpoint's server. You will then receive a notice from Proofpoint that something is waiting in your quarantine folder. The notice lists every quarantined email with its sender address and subject (if any), and gives you the opportunity to mark a message as “Not Spam” and/or to “Release” it to your inbox.

Proofpoint’s online window showing the open quarantine folder.

If you don’t recognize the sender, or the subject seems inappropriate for that sender, do not click to release the email. Sometimes emails from a known vendor end up in your quarantine folder. This can happen because the vendor has been compromised, has started sending an unusually high volume of email (itself a sign of compromise), or has been reported by other recipients. If you believe the message was quarantined in error and you wish to receive email from that sender, mark it “Not Spam.”

If you aren’t sure about a quarantined email and want more information, click the link above the table that says “Manage My Account.” This takes you to your online Proofpoint space. BEFORE clicking the link, I recommend that you hover your cursor over it to see the underlying URL; it should look like Example 1 below. Once on the web page, click the Quarantine folder icon to open the list view. To peek at an email, click the email icon for that entry in the list; it opens in a safe viewing window. To act on a specific email in the quarantine list, tick its checkbox, then use one of the action buttons at the top of the screen, such as “X Delete,” to get rid of it.

Example 1. Underlying link for Manage my Account in the Proofpoint quarantine notice:

https://0007b301.pphosted.com:10020/euweb/digest?ts=1507730554&cmd=editprofile&locale=enus&module=&msg_id=(V_209d1d6438fc8a3af0fb01d5062e)&recipient=info.treefruit@wsu.edu&sig=de1b864166e6c230992aacaaf5a9b583eee5f8f47823cfc149f8711b0df297a2

What else does Proofpoint do?

Proofpoint also provides Targeted Attack Protection (TAP), which gives near real-time protection against malicious links and attachments. When you receive an email with embedded links or attachments and click on one, Proofpoint first evaluates the link and then redirects you to the original site unless that site is known to be malicious. The main thing you will notice is that the URL in the email has been rewritten into an HTTPS (SSL/TLS) link on Proofpoint's domain with an obfuscated payload. If you hover over the link it will appear to come from proofpoint.com, followed by a string of gibberish-looking characters and numbers. Take a look at Example 2: the URL starts with https, indicating a secure connection, followed by urldefense.proofpoint.com and then the encoded original address. Note that in Example 1 above the domain is “pphosted.com”; that link takes you to your hosted quarantine space, whereas the Example 2 link takes you to the final destination only after it passes through the evaluation filter.

Example 2. Underlying secure link for the WSU Announcements article, “2017 Dad of the Year nominations open”:

https://urldefense.proofpoint.com/v2/url?u=https-3A__orgsync.com_36888_forms_282346-3Futm-5Fsource-3Dannouncement-26utm-5Fmedium-3Dweb-26utm-5Fcampaign-3DDadoftheyear17&d=DwMDaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=5QhsZ7agzaMgz306-uN0oqsXGN3q5qOwzk1bG4t00FQ&m=X7JXncVGreaypfN8mRLNKoCjdOeIq5oyoGLJsHV_fCo&s=HZcqUERJEMSzfaypVgWLQbM66pGj_QN6IOnJpMwMUdk&e=
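The encoded part of an Example 2 style link can be turned back into the real destination so you can check where a rewritten link actually goes before trusting it. The decoder below is an added example, not WSU or Proofpoint code; it assumes the URL Defense v2 scheme in which `/` becomes `_` and any other reserved character becomes `-` plus two hex digits, and it uses the two links from the page as constructed inputs.

```python
import re
from urllib.parse import urlparse, parse_qs

URL_DEFENSE_HOST = "urldefense.proofpoint.com"

# Example 2 from the page: a TAP-rewritten link to a WSU announcement.
REWRITTEN = (
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__orgsync.com_36888_forms_"
    "282346-3Futm-5Fsource-3Dannouncement-26utm-5Fmedium-3Dweb-26utm-5Fcampaign-3D"
    "Dadoftheyear17&d=DwMDaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw"
    "&r=5QhsZ7agzaMgz306-uN0oqsXGN3q5qOwzk1bG4t00FQ"
    "&m=X7JXncVGreaypfN8mRLNKoCjdOeIq5oyoGLJsHV_fCo"
    "&s=HZcqUERJEMSzfaypVgWLQbM66pGj_QN6IOnJpMwMUdk&e="
)
# Example 1 from the page: the quarantine notice's "Manage My Account" link.
QUARANTINE_NOTICE_LINK = (
    "https://0007b301.pphosted.com:10020/euweb/digest?ts=1507730554&cmd=editprofile"
    "&locale=enus&module=&msg_id=(V_209d1d6438fc8a3af0fb01d5062e)"
    "&recipient=info.treefruit@wsu.edu"
    "&sig=de1b864166e6c230992aacaaf5a9b583eee5f8f47823cfc149f8711b0df297a2"
)


def is_url_defense_link(url: str) -> bool:
    """True only when the host is Proofpoint's URL Defense rewriter (port ignored)."""
    return urlparse(url).hostname == URL_DEFENSE_HOST


def decode_v2(url: str) -> str:
    """Recover the original destination from a /v2/url?u=... rewritten link.

    Assumed v2 encoding of the 'u' parameter: '/' is written as '_', and every
    other reserved character as '-' followed by its two-digit hex code, e.g.
    ':' -> '-3A', '?' -> '-3F', '=' -> '-3D', '&' -> '-26', '_' -> '-5F'.
    """
    parsed = urlparse(url)
    if parsed.hostname != URL_DEFENSE_HOST or not parsed.path.startswith("/v2/url"):
        raise ValueError("not a Proofpoint URL Defense v2 link")
    encoded = parse_qs(parsed.query).get("u", [""])[0]
    if not encoded:
        raise ValueError("rewritten link carries no 'u' parameter")
    with_slashes = encoded.replace("_", "/")
    # A single regex pass, so a '-' produced from '-2D' is never re-decoded.
    return re.sub(r"-([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), with_slashes)


def destination_host(url: str) -> str:
    """The host you will really land on; compare it with what the email claims."""
    return urlparse(decode_v2(url)).hostname or ""
```

Hovering shows only the proofpoint.com wrapper; `destination_host` is what to compare against the sender's claimed site before clicking.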

If Proofpoint is protecting my email, why do I still need to worry about phishing attempts?

First, Proofpoint only filters email coming into WSU from outside the WSU system. If somebody’s WSU email account is compromised and used to send malicious email internally, Proofpoint won’t catch it. Second, Proofpoint can only protect us against threats it recognizes. Attacks are arriving more frequently and are more sophisticated than ever, so Proofpoint must be constantly updated with the new threats, just as your computer’s virus checker always needs updating. That is why it is important to report all suspicious emails to abuse@wsu.edu. They contact Proofpoint, as well as the owners of the compromised domains and mailboxes, so that the filters can be updated. Also, as mentioned above, Proofpoint tries to determine whether a link points to a malicious website, but a brand-new site may not yet be on its list of blocked websites. So even though the embedded URL carries the rewritten code, Proofpoint may still send you through to the original website. Don’t rely on it to keep you safe in every situation. The best way to be safe is to be smart: if you don’t know the sender, aren’t expecting the email, or didn’t initiate the contact, don’t click on it. Send it to abuse@wsu.edu and ask them to evaluate it.

If you have questions about how Proofpoint works, contact CougTech. 2/21/2019 Update: contact CrimsonServeiveDesk@wsu.edu