What is Email Security?
The University is in the process of implementing enhanced email security tools. These provide greater protection against email-borne threats and malware for colleagues across the collegiate-University, and minimise the likelihood of related information security incidents.
The first of these tools is an email gateway that filters all inbound messages sent from external senders and can stop messages prior to delivery to your inbox. The second tool is a cloud security tool that integrates with Nexus365 and allows for finer-grained delivery filtering as email arrives. This tool filters messages sent from internal addresses, as well as offering extra checking of externally received messages. The cloud security tool continuously scans all mailboxes for malicious content – including post delivery – and removes messages according to the University's email policy.
This page provides an overview of the email security policy and explains how to reach the email security workstream team for support.
Note that the introduction of these tools is an infrastructure change that does not require you to take any action.
Email Security Policy Overview
The email security policy comprises the following active checks:
- Sender Fraud Protection:
The email gateway uses several techniques to counter methods often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organisations. These include sender address verification (policy details), IP reputation checks (policy details), whitelisted senders (policy details), Sender Policy Framework (SPF) (policy details), DomainKeys Identified Mail (DKIM) (policy details), and Domain-based Message Authentication, Reporting and Conformance (DMARC) (policy details).
- Malware or Malicious Code Detection:
The email security solution takes action on messages that contain malware, worms, or other malicious code. Depending on the type of malware, the solution cleans messages and attachments where the malicious content can be safely removed from the infected file, resulting in an uninfected copy of the original message or attachment. The message is either stamped by the email gateway with a note that it has been cleaned, or the attachment is replaced by the cloud security tool with a text file. Messages that cannot be cleaned are not delivered, or are removed from mailboxes, and the original recipients receive a notification (policy details).
- Phishing Detection:
The email security solution attempts to identify phishing messages and stops delivery or removes such messages from mailboxes. The original recipients receive a notification (policy details).
- Web Reputation:
The web reputation technology assigns websites a "reputation" based on an assessment of the trustworthiness of a URL, derived from an analysis of the domain. The email security solution stops delivery of messages containing high-risk, disreputable URLs, or removes them from mailboxes. The original recipients receive a notification (policy details).
- Social Engineering Attack Protection:
Social Engineering Attack Protection detects suspicious behaviour related to social engineering attacks in email messages. The email security solution stops delivery of messages for which it has high confidence of suspicious behaviour, or removes them from mailboxes. The original recipients receive a notification (policy details).
Furthermore, the email security tool provides additional passive checks:
- Spam Detection:
The email gateway filter adds email headers reflecting the email security solution's confidence that the message is spam. This does not affect the Nexus365 spam filter or the OxMail content filtering service (policy details).
- Business Email Compromise (BEC):
A BEC scam is a form of phishing attack in which a fraudster impersonates a high-profile executive, for example the CEO or CFO, and attempts to trick an employee, a customer, or a vendor into transferring funds or sensitive information to the fraudster. The email gateway filter marks messages suspected of business email compromise with an additional email header, and the cloud security delivery filter moves such messages to the Junk folder (policy details).
- Greymail:
Greymail refers to solicited bulk email messages that are not spam. The email gateway filter detects and marks marketing messages and newsletters, social network notifications, and forum notifications as greymail messages using an additional email header (policy details).
Support for University Members
Please first take a look at our Frequently Asked Questions page.
The introduction of additional email security tools is a transparent change; the only visible effect is that less malicious content is delivered to mailboxes. Please continue to report any issues related to email to the Service Desk, and if you have specific concerns related to the email security solution, please state explicitly that the issue relates to the email security product and include a description of the problem. The Service Desk will escalate this to the responsible team. If you believe a message has been withheld by the email security solution (see phishing detection, web reputation, and social engineering attack protection above), please provide us with the following information: the sender address, the date and time the message was sent, and the subject line. Only with this information will we be able to check the message logs.
Support for IT Support Staff
Please see the following page for more information on the email security system for registered ITSS.
If you have any issues with emails being delayed or stopped, or an expected email has not been delivered, please contact firstname.lastname@example.org or the team's Chorus extension 82222 for support, rather than contacting the Service Desk via https://help.it.ox.ac.uk/get-support.
We will need to know the following information to investigate the logs in HES/EMS: