Email Security FAQs

mark bering's picture
  1. Why is it needed?
  2. How does it work?
  3. What happens when I click on a URL (link) in an email message?
  4. What about false positives?
  5. What if the FireEye EX hardware fails?

Why is it needed?

Email is one of our most vulnerable vectors for cyber attacks given the high volume of data coming in from outside of the organization via email. The majority of threats arrive by email as file attachments, malicious links and credential phishing.

Email is a primary mechanism used to initiate an advanced attack or deliver ransomware because it can be highly targeted and customized to increase the odds of exploitation. With so much information available and accessible online, cybercriminals use social engineering tactics to lure users into clicking a URL or opening an attachment.

Anti-SPAM filters and antivirus software can block traditional mass email phishing attacks with known malicious attachments, links and content; however, they cannot detect sophisticated and targeted spear-phishing attacks designed to bypass these legacy solutions.

How does it work?

Our system protects against spear-phishing and credential-phishing email attacks by inspecting URLs and email attachments in all email coming in from the Internet. Email sent within UCSF (Exchange Online) is not inspected.

  • Uses signature-less Multi-Vector Virtual Execution (MVX) engine to analyze every email attachment and conduct URL analysis.
  • Blocks spear-phishing emails used in advanced targeted attacks including zero-day attacks.
  • Sandboxes unknown executable attachments where they can be safely evaluated across multiple operating systems, applications and web browsers (before delivering or blocking).
  • Delivers a new level of threat prevention against blended attacks by working with the network security appliance to block emails with malicious URLs and trace web-based attacks back to the original spear-phishing email.
  • Taps into a global network for continuous updates on new variants of malware.

If a malicious URL or attachment is detected, the bad URL and/or attachment will be stripped from the message, and users receive a message informing them that the malicious content was identified and removed.

What happens when I click on a URL (link) in an email message?

Our email security appliance includes an advanced URL defense feature allowing UCSF to identify suspicious URLs that are embedded in an email message. This feature prevents access to these URLs so that your system will not be infected by malware.

URLs are rewritten only if they are detected as new or in the process of being analyzed by the Advanced URL Detection Engine.

When the appliance identifies a suspicious URL within an email message body, it:

  • Redirects the URL to the dynamic threat intelligence cloud for a complete analysis
  • Simultaneously rewrites the suspicious URL within the message body
    • If the URL is detected as malicious, you are redirected to a page indicating that the URL is blocked and that the site contains malicious content.
    • If the URL is detected as suspicious, you are redirected to a page informing you that the site might contain malicious content.
    • If the URL is detected as non-malicious, you can access the original URL in the email message.
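
The rewrite-then-check-at-click flow described above can be modeled in a few lines. This is an added illustration, not the appliance's or UCSF's own code; the portal address, the `u` query parameter, the verdict store and the handling of a URL whose analysis has not finished are all assumptions.

```python
import re
from urllib.parse import quote, urlparse, parse_qs

# Assumption: placeholder portal address; the page does not give the real one.
PORTAL = "https://portal.example.invalid/click"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed verdict store standing in for the analysis engine.
# A URL missing from the store has never been seen, i.e. it is "new".
verdicts = {
    "http://known-good.example/report": "clean",
    "http://queued.example/login": "analyzing",
}

def rewrite_body(body):
    """Rewrite only URLs that are new or still being analyzed."""
    def repl(match):
        url = match.group(0).rstrip(".,;:!?")    # drop sentence punctuation
        tail = match.group(0)[len(url):]
        if verdicts.get(url, "new") in ("new", "analyzing"):
            verdicts.setdefault(url, "analyzing")  # queue it for analysis
            return f"{PORTAL}?u={quote(url, safe='')}{tail}"
        return match.group(0)                      # known verdict: untouched
    return URL_RE.sub(repl, body)

def resolve_click(rewritten_url):
    """Decide at click time, using the verdict known at that moment."""
    original = parse_qs(urlparse(rewritten_url).query)["u"][0]
    state = verdicts.get(original, "analyzing")
    if state == "malicious":
        return ("block", None)       # block page; original is never opened
    if state in ("suspicious", "analyzing"):
        # Assumption: an unfinished analysis is treated like "suspicious".
        return ("warn", original)    # warning page is shown first
    return ("allow", original)       # user reaches the original URL
```

Because the verdict is looked up when the link is clicked rather than when the message is delivered, a URL that was still unknown at delivery time can be blocked later.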

Important: When you click on affected links, you will leave your UCSF mailbox and be redirected to the email security web portal; this portal is not part of the UCSF environment. This is NOT an indication of an account being compromised.

If you have questions about the actions taken on the link embedded in your email message, please contact the UCSF IT Service Desk.

What about false positives?

Please contact the UCSF IT Service Desk if you feel that a URL or attachment was incorrectly flagged as malicious.

Is this 100% effective in blocking spear-phishing attempts?

Although our service reports a very high success rate in identifying malicious content and a very low false positive rate, there is the possibility of a retroactive alert in which UCSF IT is notified after the fact that email with malicious content was not blocked. This could occur as part of a zero-day event in which the identification data was not yet known. In this circumstance, UCSF IT will respond to these retroactive alerts through our security incident response process to remediate the situation.

What if the hardware fails?

From an availability perspective, UCSF has two appliances, both of which were sized to handle the volume of inbound email from the Internet independently; therefore, if one were to fail, service would not be disrupted. If we were to experience a catastrophic event in which both devices failed, email would queue on the system; therefore, email would not be lost. If it was determined that this component of our email service could not be restored quickly, UCSF IT could temporarily reroute email to bypass this component to restore email delivery.