UW-IT has deployed Proofpoint, a leading email security vendor, to provide both spam filtering and email protection. As an additional effort to protect University of Washington users, UW-IT is beginning deployment a feature called Email Warning Tags. Email Warning Tags will notify you when an email has been sent following one of the parameters listed below. This notification alerts you to the various warnings contained within the tag. Email Warning Tags are only applied to email sent to UW users who receive their mail in UW Exchange (Office 365) or UW Gmail.
Personally-identifiable information – the primary target of phishing attempts – if obtained, can cause among other things; financial and reputational damage to the University and its employees. Phishing attacks often include malicious attachments or links in an email, or may ask you to reply, call, or text someone.
As a result, email with an attached tag should be approached cautiously.
Tag Example:
The tag is added to the top of a message’s body. The specific message for each tag is displayed in the message to the recipient and also provides a link for further information.
Emails tagged with a warning do not mean the email is necessarily malicious, only that recipients should take extra caution. Do not click on links or open attachments in messages with which you are unfamiliar.
Tag Types:
For each tag, the default titles and bodies for each tag are listed below, in the order that they are applied. A given message can have only a single tag, so if a message matches multiple tagging criteria the highest precedence tag will be the one applied.
| Rule ID | Title | Body |
| Impersonating Sender | Be Careful With This Message | The sender may be an impostor. |
| Mixed Script Domain | Be Careful With This Message | This message may contain links to a fake website. |
| DMARC Authentication Failure | Be Careful With This Message | The sender’s identity could not be verified and someone may be impersonating the sender. |
| Newly Registered Domain | Be Careful With This Message | The sender’s email domain has been active for a short period of time and could be unsafe. |
| Unknown Sender | This Message Is From an Untrusted Sender | You have not previously corresponded with this sender. |
| Unsafe Message | This Message May Be Unsafe | Please verify with the sender offline and avoid replying with sensitive information, clicking links, or downloading attachments. |
FAQ:
Why is this change being made?
To help prevent and reduce phishing attempts against University of Washington users and assets, by providing some additional information and context around specific messages.
Why is a specific message or sender being tagged?
Just because a message includes a warning tag does not mean that it is bad, just that it met the above outlined criteria to receive the warning tag. However, if you believe that there is an error please contact help@uw.edu.
How long will an external email address be labeled untrusted/unknown before being switched to “known”?
From our vendor Proofpoint:
For a sender to become “known” Proofpoint must see no less than three days of email from an external entity that has not been seen by any Proofpoint detection system. For the unknown sender tag not to show, the following needs to be met:
- The third party has interacted enough with the recipient (i.e., on at least three days) OR
- The third party has at least two days of benign outbound messages from the customer to the third party and two days of benign inbound messages
If these conditions are unmet, the third party will not meet the Known Third Party classification, and the sender is still considered untrusted and will be labeled as so. Additionally, if an external user doesn’t communicate with your UW email address for an unspecified time period it will be labeled as untrusted until the above conditions are met again.
Questions:
If you have questions or concerns about this process please email help@uw.edu with “Email Warning Tags” in the subject line.