On 8.08.2024 at 09:59:02 Tobias Fiebig via mailop wrote:
> The issue occurs if an employee/user of a PP client forwards such
> a mail, or, even worse, copies content--often not even being aware
> of the urldefense URL being included, e.g., when dealing with an
> HTML email.
>
> In that case, all of a sudden, the client sends a tracking link to
> its contacts with all the related implications. Furthermore, as--
> likely--Proofpoint also uses the collected data for its own purposes,
> e.g., when processing URI accesses to identify larger attacks,
> regardless of whether a _specific_ URI or accesses to those is
> finally determined to be malicious and is, e.g., processed further,
> PP becomes a data processor under the GDPR as well.
>
> There are additional bonus points to get if multiple orgs using
> different URI protection services are involved, leading to, e.g.,
> a Proofpoint Urldefense URL being rewritten by Outlook Protection,
> leading to a multi-layer forward. I took the liberty of attaching
> a public (yet older) example of such, sent to +- 1000 people.
>
> (Note: The Slack workspace link in the attached mail is the
> double-rewrite. The inclusion of the rewrite links happened as
> the user received an HTML template for the mail from someone else
> and copied it into the mail. The Slack link was received by someone
> at another org using PP and then forwarded to the sender, who then
> copied it into the mail template, leading to the double-rewrite
> for that specific link.)
>
> The absence of the urldefense targets in the other links also
> demonstrates that this is not a forwarding issue, but occurs
> when users recompose mails: copy-pasting things together, not
> actually seeing the links being sent, which is what users simply
> _do_; they are just doing their jobs.
Going slightly off-topic, this is a perfect example of why HTML emails are a very bad idea. Sincerely speaking, besides marketing gimmicks (which are *to be ignored* as a serious reason), I see completely *no* reason for an email message to be HTML. Plaintext is perfectly enough, taking into account that most email clients are able to parse http(s) links included in plaintext email messages and make them clickable on their own.

And with a plaintext message, at least you *see* that the link you have received is some strange Urldefense-obfuscated mess.
-- 
Regards,
Jaroslaw Rafa
[email protected]
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
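The double-rewrite Tobias describes (a Proofpoint URL Defense link wrapped again by Outlook Safe Links after being forwarded and pasted into a template) is easy to catch on the outbound side, which is where the tracking-link leak happens. The following is an added example, not code from the thread or from either vendor: a small scanner that finds rewritten links in a plain-text mail body, names each wrapper layer from the outside in, and peels them off to recover the original target. It relies on the publicly visible shape of these URLs (the Safe Links `url=` query parameter, the Proofpoint v2 `u=` parameter with `/` written as `_` and other reserved bytes as `-XX`, and the Proofpoint v3 `__target__;...!!hash$` form). The sample body, every hostname, and every hash-like parameter in it are constructed for the example; the v3 decoder is a simplification that gives up on targets containing `*` placeholders, since rebuilding those from the salvage section is not covered here.

```python
"""Scan an outgoing mail body for vendor-rewritten ("URL protection") links and
peel the layers off, so a copied-in tracking URL is caught before it leaves.
Added example, not code from the mailop thread; all sample URLs, hostnames and
hash-like parameters below are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Plain-text URL matcher. Trailing punctuation is not trimmed, so the sample
# keeps each URL as its own whitespace-delimited token.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify(url):
    """Name the outermost rewrite wrapper, or None for an untouched URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host.endswith(".safelinks.protection.outlook.com"):
        return "outlook-safelinks"
    if host == "urldefense.proofpoint.com" and p.path.startswith("/v2/url"):
        return "proofpoint-v2"
    if host == "urldefense.com" and p.path.startswith("/v3/__"):
        return "proofpoint-v3"
    return None


def decode_safelinks(url):
    # Safe Links carries the percent-encoded target in the 'url' parameter;
    # parse_qs splits on '&' before percent-decoding, so the target's own
    # '%26' query separators survive intact.
    return parse_qs(urlparse(url).query).get("url", [None])[0]


def decode_proofpoint_v2(url):
    # v2 stores the target in 'u' with '/' written as '_' and other reserved
    # bytes as '-XX'. Restore '_' -> '/' first so an original underscore
    # (encoded '-5F') only reappears afterwards; then turn '-XX' into '%XX'
    # and let unquote() handle multi-byte sequences.
    u = parse_qs(urlparse(url).query).get("u", [None])[0]
    if u is None:
        return None
    return unquote(re.sub(r"-([0-9A-Fa-f]{2})", r"%\1", u.replace("_", "/")))


V3_RE = re.compile(r"^https://urldefense\.com/v3/__(.*?)__;([^!]*)!!")


def decode_proofpoint_v3(url):
    # v3 keeps the target readable between '__' and '__;', except that some
    # characters are replaced by '*' and stashed before '!!'. Rebuilding
    # those is out of scope here (simplification): a masked target yields
    # None, which still counts as a recognised, just undecoded, layer.
    m = V3_RE.match(url)
    if not m or "*" in m.group(1):
        return None
    return m.group(1)


DECODERS = {
    "outlook-safelinks": decode_safelinks,
    "proofpoint-v2": decode_proofpoint_v2,
    "proofpoint-v3": decode_proofpoint_v3,
}


def unwrap(url, max_depth=5):
    """Return (wrapper names outermost-first, innermost URL reached)."""
    layers = []
    for _ in range(max_depth):
        name = classify(url)
        if name is None:
            break
        layers.append(name)
        inner = DECODERS[name](url)
        if inner is None:
            break
        url = inner
    return layers, url


def find_rewritten_links(body):
    """List every rewritten link in body with its wrapper stack and target."""
    findings = []
    for m in URL_RE.finditer(body):
        layers, target = unwrap(m.group(0))
        if layers:
            findings.append({"found": m.group(0), "layers": layers, "target": target})
    return findings


# Constructed mail body: a Slack invite rewritten by Proofpoint (v2) at one
# org, forwarded, rewritten again by Outlook Safe Links at another, then pasted
# into a template; plus a single-layer Safe Links URL, a v3 URL and a plain one.
SAMPLE_BODY = """Hi all, please join the workspace here:
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__join.slack.com_t_example-2Dws_shared-5Finvite_zt-2D1a2b-2Dc3d4%26d%3DDwMFaQ%26c%3Dc0nstructed%26r%3Dr0%26m%3Dm0%26s%3Ds0%26e%3D&data=05%7C02%7C&sdata=c0nstructed&reserved=0
Docs: https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.org%2Fdocs%2F&data=05%7C02%7C&sdata=c0nstructed2&reserved=0
Notes: https://urldefense.com/v3/__https://example.com/notes__;!!c0nstructed3$
Untouched: https://example.net/plain
"""

if __name__ == "__main__":
    for f in find_rewritten_links(SAMPLE_BODY):
        print(" -> ".join(f["layers"]), "=>", f["target"])
```

Run as-is it reports three links: the Slack invite as `outlook-safelinks -> proofpoint-v2` resolving to the original `join.slack.com` URL, the docs link as a single Safe Links layer, and the v3 link, while the plain one is left alone. Wired into an outbound milter or a pre-send hook, the presence of any layer is the signal that a tracking URL from someone else's mail protection is about to be sent to your contacts; the recovered target is what should be sent instead.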
