CITES Security | University of Illinois

Targeted Attack Protection Evaluation

CITES is evaluating new tools to help protect email users from malicious URLs in messages.

Introduction

In an effort to reduce the impact that phishing attacks can have on campus, CITES is evaluating the Targeted Attack Protection (TAP) tool from Proofpoint. During the evaluation period, CITES will enable the TAP system for a group of volunteers. 
 
If you would like to be part of this volunteer group, please sign up at: http://go.illinois.edu/TAPtesting
 
The rest of this web page is focused on describing how TAP works and providing volunteers with important information about the TAP evaluation.
 

How does TAP work?

TAP automatically scans incoming email for hyperlinks and rewrites them with special URLs. These new URLs allow Proofpoint to check the original URL before actually sending the reader to that web page. 
 
If Proofpoint checks the intended web page and finds out that it is being used for malicious purposes such as phishing scams or delivering malware, the email reader will not be taken to the malicious web page. Instead they will receive a message saying that the web page was malicious and blocked.
 

TAP may be hard to spot

In most cases, it will be difficult to even notice TAP in action. After clicking on a rewritten link, web pages should load with little or no noticeable delay -- unless, of course, the link was to a malicious web page in which case it will be blocked. 
 
Also, TAP will only scan and rewrite emails from outside the University of Illinois. So emails sent from @illinois.edu accounts will not have their URLs rewritten by TAP.
 

What do rewritten hyperlinks look like?

The easiest way to see that TAP is working is to hover over a link in an email to see how TAP has rewritten the URL. Place your cursor over a link, without clicking on the link, to hover.
 
When you hover over a link that has been rewritten by TAP, you will see that https://urldefense.proofpoint.com/v1/url?u= has been added to the beginning of the link and a string of letters and numbers have been added after the link.
 
A screenshot of the TAP service rewriting a URL in an email
 
Please remember that TAP does not rewrite URLs for emails sent between @illinois.edu accounts. You will only be able to hover over links and see rewritten URLs if the email was sent from outside the University of Illinois.
 

What does a blocked web page look like?

If CITES does adopt the TAP service, the message that appears when a web page is blocked will be customized for the University of Illinois.
 
During the evaluation period, if you click on a link that TAP determines is headed to a malicious web page, this is the web page and message that you will receive:
 
A screenshot of a blocked web site message from TAP
 

What should I do if I click on a link and the page is blocked?

Once a page is blocked, there is nothing more that you need to do. TAP will remember that it is a malicious page and block the page for all other TAP users.
 
In addition, it is not necessary to report to CITES or the web site's administrator that the page has been blocked. There are literally thousands of web pages compromised every day, so CITES will not be able to respond to every page that TAP blocks.
 

The CITES evaluation

The CITES evaluation of TAP will start on Tuesday, May 14 and will run for approximately two weeks.
 
CITES is evaluating the service first before turning it on for the entire campus to make sure that everything works properly. If the TAP service encounters problems, people that are part of the evaluation team may experience problems with their email service.
 
If you are part of the evaluation team and you do encounter problems, would like to leave the evaluation group, or if you have feedback or questions about TAP, please send an email to cites-csc-mgr@lists.illinois.edu.
 
At the end of the evaluation period, CITES will send a very short survey to all evaluation volunteers for feedback.