University disclaimers on external, first contact, suspect, or malicious email
- UT Austin faculty and staff are increasingly targeted by clever phishing attacks
- Many modern phishing techniques rely on either mail clients not displaying full sender information, or users ignoring this information
- Providing additional information to recipients can help to mitigate these attacks
- If you see a message from someone you think is a member of the university, but the message is tagged as external, then this should be a hint that something could be wrong
- The external disclaimer is applied to all messages from non-University senders, unless the entire external organization (not an individual sender) has been explicitly whitelisted
- UTmail personal accounts (current students, alumni, retirees) won't receive these disclaimers
- A "first contact" safety tip will be displayed in Outlook clients to notify recipients the first time they get a message from the sender or if they don't often get messages from the sender
|First Contact Safety Tip (new)|
|Why Is This Changing?|
|Replacing Existing Notices|
|Plain Text Email Clients|
|Frequently Asked Questions|
First Contact Safety Tip (new)
Microsoft recently introduced a feature called "first contact safety tips." These safety tips appear in outlook web, desktop, and mobile clients and notify recipients the first time they get a message from the sender or if they don't often get messages from the sender. This capability adds an extra layer of security protection against impersonation attacks.
Starting 5/3/2019, Office 365 Exchange & UTmail users will begin to see disclaimers inserted into certain received or, in extremely rare cases, sent messages. These disclaimers are meant to make the recipient aware of message attributes that could indicate that the sender is misrepresenting who they are, or that the email contains possibly unwanted or malicious content.
The most frequent message disclaimer will warn when a message is sent from a source external to The University of Texas.
Occasionally, a red disclaimer will appear indicating that the external sender shares the name of someone internally. If the sender of one of these messages claims to be someone representing the University of Texas, then this disclaimer is a good indication that the sender could be fraudulent.
The purpose of this disclaimer is to make the recipient aware that the message originated from outside of our organization. Increasingly, the university is targeted by phishing attacks that leverages some form of email spoofing. Email spoofing involves an external email address impersonating a staff or faculty member in order to mislead, manipulate, and scam an unsuspecting victim. A more obvious version of a spoofed, or impersonated, message can be seen below.
The context of this message, combined with the new external message disclaimer, should indicate to the recipient that the sender is not really who they say they are. In this case, the message can be deleted and the sender can be blocked in your local outlook client. Don't hesitate to report particularly egregious or offensive phishing or spoofing emails to the ITS Email Team by forwarding the message as an attachment to firstname.lastname@example.org.
More information about phishing and spoofing can be found at the Information Security Office Phishing Outreach page.
Replacing existing notices with body disclaimers:
Existing [UTEXAS: SUSPECTED SPAM] and [UTEXAS: POSSIBLY MALICIOUS CONTENT] subject line warnings will be replaced with the new body disclaimers:
More information on why those disclaimers may appear on an email can be found in KB0011402 and KB0011404.
All email disclaimers are intended to encourage you to exercise caution and are not authoritative on whether the sending email is safe or malicious.
If your email client only displays plain text, an alternate text-only version of the above disclaimers will be displayed:
Messages sent from email services that are not on our list of approved senders are considered "external."
- Sender must NOT be:
- An O365 account
- A UTmail business account
- Any of our internal systems
- A trusted service provider (including but not limited to):
- Email marketing companies we've identified as having UT customers, but only when sending on behalf of those customers
- Recipient must NOT include a mailing list hosted on UT Lists
- Message must NOT have an S/MIME signature that the disclaimer would break
Internal email services includes messages sent from an O365 account, UTmail business account, email sent through our relay, and various approved bulk email services used for university communications. This list is currently in flux as users report additional trusted service providers that should be considered internal.
We are not able to turn off this security feature for individual accounts. Our goal is to protect campus from phishing and spoofing attacks, these efforts require the participation of our entire community as no one is immune from these attacks.
We are not exempting external institutions from the disclaimer at this time. The external disclaimer is meant to notify you of this scenario.
Thank you for bringing this issue to our attention. We have moved the disclaimer to the bottom of messages to minimize disruption to workflow.
Not necessarily. Some external senders and bulk email services used for university communications have been added to our approved senders list, allowing them not to be marked as external. In addition, just because a message does not have the external disclaimer does not necessarily mean that the sender should be indiscriminately trusted.
You are able to delete the disclaimer when composing a response to an email.
Only approved senders have been marked as internal. If you are sending official university communication, please contact the UT Service Desk with the following information:
- Sender email address being used to send on behalf of UT
- Vendor-supplied information regarding anti-spam technologies
These requests may require a security exception from the Information Security Office.
We are considering the technical implementation to exempt alumni from these disclaimers.
We have made the distinction between personal and business accounts when determining internal and external senders because personal business accounts are more often compromised. They are more likely to be used to send spam or phishing email due to no additional second factor authentication security requirements. This means that faculty receiving email from students or alumni using UTmail will see the external disclaimer. This will be fully implemented shortly.