Thursday, October 19, 2017

Email Security


In addition to the other IT upgrades in progress, we have been focusing on email security.  We have made a few changes in the last few days, and are planning a few more to come.

Quarantine Mail

Some of you may have noticed an email in your inbox this morning from quarantine@messaging.microsoft.com.  The email contains a list of emails that were blocked from your inbox, and gives you the opportunity to download any emails you wish to receive.

Until very recently, we did not block any email that was addressed to you.  This email is a result of recent changes.  We implemented this feature to reduce the amount of spam and other unwanted email that arrives in your inbox each day.  The quarantine email is a daily summary of the email that we are blocking.  You only receive one email each day rather than receiving perhaps dozens of spam emails over the course of the day.

This will not block all spam, but hopefully reduces the amount that you receive.  Note that some mail is delivered to your mailbox and is diverted to your junk mail folder.  You may want to check that folder from time to time as well.

Encrypted Mail

Another feature recently added is the ability to send secure encrypted messages.  All internal mail is already encrypted.  But when you send to an outside party, email must necessarily be unencrypted in order for the recipient to be able to access it.

The firm now offers an option to send emails and attachments in a more secure way.  If you type "securemail" or "#securemail" into the subject or text of an email, the recipient will receive a notice that says:

"You've received an encrypted message from [sender] To view your message Save and open the attachment (message.html), and follow the instructions. Sign in using the following email address [recipient's address]."

The email contains an attachment called "message.html" which the recipient must download and open.  It contains a message:

"Encrypted message
From [sender]
To [recipient]
To view the message, sign in with a Microsoft account, your work or school account, or use a one-time passcode."

If the recipient is already a Microsoft user, he/she can log in and access the text of your email and any attachments.  If not, the recipient can request a temporary pass code which is sent as a second email from Microsoft.  The recipient can use that code to access the content of your email.

If this sounds like a number of extra steps for the recipient, it is.  You may also get calls from recipients saying that this email looks suspicious to them.  Many hackers send similar emails to get users to download suspicious html files and open them on their computers.

Despite these concerns, you should use the secure mail option for any emails that contain private information.  This can include personally identifiable information (PII) such as birth dates or Social Security Numbers.  It would also include any medical records protected under HIPAA.

Box Links

If you want to get confidential information to someone outside the office, and do not want to go through the securemail option, there is another option available to you, at least for the offices that have already converted to Box.  Instead of attaching a file containing private information to an email, you can upload the document to Box.  Then, send an email to the recipient with a link to the document on Box.  The recipient can click on that link and download the information over an encrypted connection.

Multi-factor Authentication

Another feature that is coming soon is multi-factor authentication (MFA), also sometimes called two-factor authentication (2FA).  We are implementing this because of the ever-increasing number of hacker attacks on our email accounts.  With this implemented, a hacker cannot access your email, even if he/she knows your password.  Once you enter your email and password, you will be asked to enter a separate code that is texted to your smart phone.

Once you have authenticated your computer or other device, you will not need to go through the process again, at least for a period of time, after which we may reauthenticate your device.

Again, it is an extra step, but one that is needed to provide the firm with better security.  We have not implemented MFA yet.  We are still working out a few details.  I wanted to let everyone know that it is coming soon.

Handling Suspicious Mail

In our ongoing efforts to protect our network and our client data, we have created a special email address where you can send any suspicious emails that you receive.  If you get anything that looks suspicious, please forward it to spam@margolisedelstein.com.  Do not open any attachments or reply to the sender.  Just forward the email for our evaluation and testing.  It is important that you do not attempt to act on the message yourself.  Hacking attempts via email are becoming more sophisticated every day.  If you have the slightest doubt, suspicion, question or hunch about an email, please forward it to the spam@margolisedelstein.com address for evaluation.







