To protect Duke account holders and the university’s network, OIT employs an email security product called Targeted Attack Protection (TAP) from the security company Proofpoint.
Cybercriminals commonly send malicious attachments and hyperlinks via email in order to infect computers with malware or direct users to websites designed to trick them into revealing their account credentials. TAP protects users by blocking links to known malicious websites and removing email attachments containing malware.
TAP works behind the scenes, which means you do not need to do anything to activate or take advantage of the system.
How TAP Works
TAP scans incoming email for known malicious hyperlinks and for attachments containing malware. TAP rewrites scanned URLs as Proofpoint URLs.
In most cases, you will not notice anything: the change will not affect the displayed content of the message itself, with the exception of plain-text emails. However, if you hover your mouse over a hyperlink, the embedded URL displayed will show the destination URL rewritten as a Proofpoint URL. The URL will function normally from the user’s perspective.
Proofpoint URLs will begin with https://urldefense.proofpoint.com. If you were to receive an email sent from someone outside of Duke that included a link to the EDUCAUSE homepage, you would notice the following:
- Display URL (what you will see in the email): i.e. www.educause.edu
- Embedded URL (what you will see if you hover your mouse over the link in the email): i.e. https://urldefense.proofpoint.com/v2/url?=http-3A__www.educause.edu&[….]
These rewritten URLs allow Proofpoint to check the hyperlink’s destination against its continuously updated database of malicious sites. If the destination site is considered safe, the hyperlink will function normally and will take you to the intended destination website.
If the destination site is compromised, the site will be blocked. If you click a link to a blocked site, you will be redirected to a page on the Proofpoint website, which will explain why the site has been blocked.
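To see where a rewritten link actually points without clicking it, the destination can be recovered from the URL itself. The following is an added example, not code from Duke OIT or Proofpoint. It assumes the v2 layout in which the destination is carried in the `u` query parameter, with `-XX` standing for `%XX` and `_` standing for `/`; the sample message body and its `d=CONSTRUCTED` values are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

REWRITE_HOST = "urldefense.proofpoint.com"
# Matches v2 rewritten links in an HTML or plain-text message body.
LINK_RE = re.compile(r"https://urldefense\.proofpoint\.com/v2/url\?[^\s<>\"']+")


def decode_v2(rewritten: str) -> str:
    """Return the original destination of a v2 rewritten URL."""
    parts = urlsplit(rewritten)
    if parts.scheme != "https" or parts.hostname != REWRITE_HOST:
        raise ValueError("not a urldefense.proofpoint.com link")
    if not parts.path.startswith("/v2/"):
        raise ValueError("not a v2 rewritten URL")
    encoded = parse_qs(parts.query).get("u")  # assumed parameter name
    if not encoded:
        raise ValueError("no 'u' parameter found")
    # '-XX' stands for '%XX' and '_' stands for '/'; literal '-' and '_'
    # in the destination arrive as '-2D' and '-5F', so order is safe.
    return unquote(encoded[0].replace("-", "%").replace("_", "/"))


def unwrap_links(body: str) -> list[tuple[str, str]]:
    """Pair every rewritten link found in a message body with its destination."""
    return [(link, decode_v2(link)) for link in LINK_RE.findall(body)]


# Constructed sample: a plain-text body containing two rewritten links.
SAMPLE_BODY = (
    "Homepage: https://urldefense.proofpoint.com/v2/url"
    "?u=http-3A__www.educause.edu&d=CONSTRUCTED\n"
    "Other: https://urldefense.proofpoint.com/v2/url"
    "?u=https-3A__example.org_a-2Db_c-5Fd-3Fq-3D1&d=CONSTRUCTED\n"
)

if __name__ == "__main__":
    for rewritten, destination in unwrap_links(SAMPLE_BODY):
        print(destination)
```

Decoding only reveals the destination; it does not say whether the site is safe, which is the check the rewritten link performs when it is clicked.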
For more information about how TAP works, see www.proofpoint.com/us/solutions/products/targeted-attack-protection.
Emails sent and received in plain text do not include HTML markup, such as embedded URLs. When TAP detects a hyperlink in a plain-text email, it will rewrite the URL in plain text. In this case, you will see the rewritten URL directly in the body of the email.
Most modern email applications send and receive HTML-enhanced or rich-text emails, and function as described in the How TAP Works section above.
TAP does not rewrite URLs in email attachments. However, it scans the attachments for hyperlinks and, if it detects a URL to a known malicious site, will block the attachment. If an incoming message contains a bad attachment, the message will not be delivered.
Once TAP has rewritten a URL, the new URL will persist if you reply to or forward the message, even if you include recipients not covered by the TAP program. The rewritten URLs will remain functional and work for recipients as described above. If you are concerned that your recipients may have questions, you might consider including a note in your signature file along the lines of:
“Duke email is protected by Proofpoint’s Targeted Attack Protection. Hyperlinks in this email may begin with ‘urldefense.proofpoint.com’ and include a unique serial number.”
If you believe a URL has been blocked unnecessarily (false positive) or believe a fraudulent site has not been blocked (false negative), please contact the OIT Service Desk.
Duke staff, faculty and students can report suspicious emails with the “Report Phish to Duke” button, which is also part of the Proofpoint service.