<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:887910571;
mso-list-type:hybrid;
mso-list-template-ids:523387820 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Good morning,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Many of us received this email below sometime this morning, and some may be wondering if this email is legitimate or not. Please analyze this email with malicious email strategies I mentioned in my previous emails, and see if you can identify all the “red flags” that make this email what it is. Below are the red flags that I’ve identified.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> The “From” email address appears to be from a @ohio.edu email address. To confirm whether the email address is what it appears, hover the cursor over the email address to reveal its real one. In this case, the email address is as it appears. However, this is a non-UH email address in a supposed UH email update request.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The brevity of the email is extremely alarming, and there’s hardly any information for us to verify against, including signature of UH employee who is supposed to send it. The signature is broad and mentions UH Security to hope to lower our guard, but we all know the UIT security team does not sign emails without additional information. UIT Security also usually suggests you work with local college technical support for issues, which means we will be contacting you if an issue actually occurs that needs your action. <o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The link in the email to update our email accounts points to http://komornikkatowice.eu/-/uh.eduwemail/email.uh.edu.htm web address. Keep in mind the first portion of the web address is where the link will take you to, and not the rest of the web address. In this case, the link takes you to komornikkatowice.eu, which is a country code web address for European Union member states and not email.uh.edu.htm, which is what the end portion falsely suggests. This is obviously not a UH web address to update our email account.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Legitimate UH employees will never ask you to click on a link to update any accounts. If they do, email them back using a known address from the exchange server or UH directory, and ask them to confirm the message.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hope you’ve arrived at the same conclusion as I did, that this is not a legitimate UH email. The strategies to analyze other malicious emails are very similar, even though the emails are all different. For future suspicious emails, please analyze them yourself first, then forward me both the suspicious email and your analysis so I can help you formulate good strategies in recognizing malicious emails. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Kiet Luong<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Director of Engineering Computing<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>College Information Security Officer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Cullen College of Engineering<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>University of Houston<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Email: KietL@uh.edu<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Voice: 713.743.9974<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:9.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:9.0pt;font-family:"Tahoma","sans-serif"'> UH.edu [mailto:at463912@ohio.edu] <br><b>Sent:</b> Thursday, May 05, 2016 8:46 AM<br><b>To:</b> Me<br><b>Subject:</b> UH Infomation Update<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt'><a href="http://komornikkatowice.eu/-/uh.eduwemail/email.uh.edu.htm">Click Here To Update Your Email Account</a> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt'>UH SECURITY Department <o:p></o:p></span></p></div></div></body></html>