I'm guessing his research is going to be a little skewed now that we've all been clicking on the link :).

On Fri, Oct 28, 2016 at 3:50 PM, Esther V. V. Reed <[log in to unmask]> wrote:
MSU's Office of Regulatory Affairs confirmed to me this afternoon that the email "Re-validate your mailbox" (the one with the benign link) is part of Dr. Richard Wash's project and did have IRB approval (even though that was not stated on the target webpage).  ORA waived consent of users because the researcher wanted recipients to believe it was real.

If you or your users wish to provide feedback or explain any concerns / frustations, you may email ORA at [log in to unmask].

~ Esther

Esther V. V. Reed
IT Systems Administrator
MSU Dept of Physics and Astronomy
[log in to unmask]

-----Original Message-----
From: David McFarlane [mailto:[log in to unmask]]
Sent: Thursday, October 27, 2016 5:22 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] Email Phishing

Hmm, OK, so if I get a legitimate looking e-mail from an MSU address that says someone with an IP address in Cairo tried to log in to my account (that is what my message said), and it has a link that goes to msu-itservices.com (instead of msu.edu), am I supposed to follow the link or not?  Or just phone the Help Desk, like I did?  What exactly is MSU ITS trying to train us to do?

-- dkm


On 2016-10-27 5:01 PM, Kim Geiger wrote:
> It's a redirect to MSU:
>
> http://www.drlinkcheck.com/results/ab7fb5
>
>
>
>
>>>> "Plemmons, Steve" <[log in to unmask]> 10/27/2016 3:44 PM >>>
> The one that someone in my department alerted me to sounds to be almost exactly like yours, but the link was not to an ITS address.  It was a link that included the domain msu-itservices.com.  Are you suggesting that this IS an MSU ITS domain or does it forward to itservices.msu.edu?  I'm not interested in clicking on it to find out.
>
> Thanks,
>
> Steve Plemmons
> Director of IT
> Department of Mathematics
> Michigan State University
> [log in to unmask]
> 517-353-4673
>
> -----Original Message-----
> From: Kim Geiger [mailto:[log in to unmask]]
> Sent: Thursday, October 27, 2016 3:28 PM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] Email Phishing
>
> Well, it does seem like someone at MSU decided to see how many suckers they could catch on campus.
> I pay so little attention to such messages that I barely noticed that I received one that said, "Someone attempted to sign into your email account ([log in to unmask]) with random incorrect passwords from (IP: 207.73.216.41 in Cairo, Egypt)"  and that I should click on a link.  The rest of the message seemed like it was trying to pretend to use weird spammy syntax, but didn't really succeed in the fakery.
> The link was to an ITS page.  Email headers show it to be from an ITS address and a campus ip number Am I the only one who thinks this is just  ....uncool?  For one thing, it caused some user consternation, and at least one person was unproductive while we scanned her machine for potential nasties because she reported she'd clicked on a phishing link ("because this one looked so real").
> Second, it makes everyone who received it experimental subjects without our permission.  A no no no.
> Third, it's ITS again doing something without telling us about it and making life harder for reasons that, in this instance, are hard to fathom -- So, they found out that some people will click on phishing links?  My, what a unique insight.
>
>
> Kim Geiger
> WKAR Radio & Television, WKAR.org
> East Lansing, Michigan
> 517-884-4766
>
>
>
>>>> Kim Geiger <[log in to unmask]> 10/26/2016 2:09 PM >>>
> I also had a user fall for this one.  How do you know the link is "benign"??
>
> Kim Geiger
> WKAR Radio & Television, WKAR.org
> East Lansing, Michigan
> 517-884-4766
>
>
>
>>>> Gary Schrock <[log in to unmask]> 10/26/2016 11:10 AM >>>
> I had someone forward me one yesterday that it turns out when I go
> back and check the link out it indeed takes one to a page along those
> lines.  I thought it was a little interesting that by the time I had
> responded to my user about it that it wasn't being blocked by msu yet,
> since they normally start blocking things pretty quick.
>
> Not sure I'm a big fan of this myself.  Not the least of which at the
> minimum, it ultimately means more work for me, since I invariably will
> get people forwarding the various phishing emails to me asking if
> they're legit.  And of course, if that link was personalized to the
> recipient (which is quite possible considering the long string of
> seemingly random characters in it), they'll now think that that person
> followed it, when it was actually me when investigating.
>
> On Wed, Oct 26, 2016 at 10:59 AM, James Sprague <[log in to unmask]> wrote:
>
>> Just a thought here, but has anyone else seen an increase in email
>> phishing from MSU related domains? My friend had a user click on it
>> the other day and said when you went the link it showed an MSU page
>> saying something along the lines of you've been phished and was completely benign.
>> Additionally, he looked at the root of site and it went to some
>> Symantec login page. I'm wondering if campus is using
>> https://www.symantec.com/
>> services/cyber-security-services/cyber-skills-
>> development/phishing-readiness and just hasn't told the rest of the
>> IT community.