Addressing the Issue of Security Awareness
Let’s begin with an essential truth: many long-standing security practices are ineffective. For instance, advising users to avoid clicking on dubious links often fails. Users often must engage with links from unknown domains as part of their work, and identifying phishing attempts is typically not within their job description. The NCSC conducts red team operations and finds that attackers only need one individual to be deceived in order to breach a network.
There are instances where individuals inadvertently forward questionable emails from personal accounts to organizational accounts, believing that workplace security measures will protect them. Once a phishing link is clicked and an attack is initiated, the fear of consequence can deter individuals from reporting the incident, prolonging the response time.
Thus, what if we operate under the assumption that users will occasionally, albeit unintentionally, click on harmful links and that it falls on their organizations to provide robust protection?
Understanding the Outcomes of Clicking Unsafe Links
When an individual clicks on a ‘bad link’ in an email, one of two primary scenarios unfolds:
- The user is coaxed into entering login details on a fraudulent page, allowing attackers to capture or misuse their credentials, or falls victim to OAuth or consent phishing.
- The user inadvertently downloads a harmful file via a link or attachment, such as a document or executable.
Browser exploits can also result from clicking a bad link, but they are rarer and usually the preserve of well-resourced attackers. (If browser updates are automated, only zero-day vulnerabilities, which lie outside the threat profile of most organizations, remain a concern.)
Preventing Credential Theft Through Strong Authentication
Even though attackers excel at crafting authentic-looking phishing pages, organizations can completely mitigate the risk of credential theft by implementing strong authentication measures across their services, such as device-based passwordless authentication with a FIDO token. If your organization is not prepared for passwordless solutions, you can significantly raise the bar for attackers by establishing multi-factor authentication (MFA). Additionally, consider integrating single sign-on (SSO) for any external websites your organization utilizes, ensuring that security controls are consistently enforced.
For websites beyond your control, encouraging users to employ password managers and to utilize password auto-completion features in browsers can be beneficial. A password manager should not autofill credentials for a non-matching site (though users might still be convinced to manually input a password). It’s also advisable for employees to activate MFA on any services they engage with.
Organizations can further reduce the risk of credential misuse by restricting resource access to organizational devices only, or by preventing users from granting OAuth consent to arbitrary third-party applications at the cloud tenancy level (keeping in mind that users will then need to request approval for legitimate OAuth integrations).
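The point above about password managers is that a stored credential should be bound to the site's origin, not to a name that merely looks similar. The following is an added illustration, not code from the NCSC article or from any password manager: it implements the origin check a manager performs before autofilling, comparing scheme, host and port exactly, so that a lookalike host such as `login.example.com.evil.test`, a userinfo trick (`https://login.example.com@evil.test/`) or a downgrade to `http://` receives nothing. All URLs are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalise_origin(url):
    """Return (scheme, host, port) for an absolute URL.

    Hosts are case-insensitive and a trailing dot is ignored, so
    'https://Login.Example.COM.' and 'https://login.example.com' compare equal.
    urlsplit().hostname already discards any user@ prefix, so
    'https://login.example.com@evil.test/' yields the host 'evil.test'.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    host = parts.hostname.lower().rstrip(".")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme.lower(), host, port)


def should_autofill(stored_url, page_url):
    """Fill only when the page's origin is exactly the stored one.

    Exact origin matching is what makes the manager phishing-resistant:
    a host that shares a prefix with the real one is a different origin.
    A credential stored for https:// is never offered to an http:// page.
    """
    try:
        stored = normalise_origin(stored_url)
        page = normalise_origin(page_url)
    except ValueError:  # malformed URL or an invalid port: never fill
        return False
    if page[0] != "https":
        return False
    return stored == page


if __name__ == "__main__":
    # Constructed cases: the first two should fill, the rest should not.
    stored = "https://login.example.com/"
    for page in ("https://login.example.com/auth?x=1",
                 "https://LOGIN.Example.com.:443/",
                 "https://login.example.com.evil.test/",
                 "http://login.example.com/",
                 "https://login.example.com@evil.test/",
                 "https://login.example.com:8443/"):
        print(f"{page:45} -> {'fill' if should_autofill(stored, page) else 'no fill'}")
```

The same idea, binding a secret to an origin rather than to what the user sees, is why FIDO authenticators resist phishing: the authenticator signs the origin the browser reports, so a lookalike page cannot obtain a usable assertion.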
Reducing Malicious Downloads Through Comprehensive Defense
In instances where a user downloads a harmful file through an attachment or link, these files can either be directly executable or include executable components, such as Microsoft Office macros.
Attackers often employ various files to bypass security measures, potentially encrypting a ZIP file or utilizing less familiar file types, such as .iso disk images.
While it is challenging to prevent these types of attacks from succeeding, it is not impossible. Organizations can implement technical strategies that lessen user responsibility. By executing the actions outlined below, organizations can significantly lower the risk of successful network attacks.
Let’s categorize these strategies into three phases.
Preventing Phishing Email Delivery:
- Utilize email scanning and web proxies to eliminate several threats prior to their arrival.
- Implement DMARC and SPF policies to significantly reduce spoofed emails sent to users.
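To show why DMARC and SPF together (rather than SPF alone) cut down spoofed mail, here is an added worked example, not code from the NCSC article and not a production mail filter. It evaluates a sending IP against SPF records (only the `ip4`, `ip6`, `include` and `all` mechanisms are modelled; `a`, `mx`, `exists` and `redirect` need live DNS and are reported as errors), parses a DMARC record, checks SPF alignment between the envelope domain and the `From:` domain, and returns the resulting disposition. The DNS TXT data and the domains (`example.test`, `attacker.test`, `weak.test`, `_spf.mailer.test`) are constructed; DKIM is not modelled, and the organizational-domain helper takes the last two labels instead of consulting the public suffix list.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups.
TXT_RECORDS = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; sp=quarantine; aspf=r; rua=mailto:dmarc@example.test",
    "attacker.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "weak.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.weak.test": "v=DMARC1; p=none",
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return TXT_RECORDS.get(name.lower())


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip`.

    Returns pass / fail / softfail / neutral / none / permerror, following the
    first-match rule: the qualifier of the first matching mechanism decides.
    """
    if depth > 10:  # SPF caps include recursion; treat deeper chains as an error
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return SPF_QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # An IPv4 address is never inside an IPv6 network and vice versa.
                if ip in ipaddress.ip_network(value, strict=False):
                    return SPF_QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
        elif name == "include":
            if check_spf(value, sender_ip, depth + 1) == "pass":
                return SPF_QUALIFIERS[qualifier]
        else:
            return "permerror"  # a/mx/exists/redirect need live DNS; not modelled
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC tags for `domain` as a dict, or None if it has no policy."""
    record = lookup_txt(f"_dmarc.{domain}")
    if record is None or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    # Assumption: a two-label organizational domain; real code uses the public suffix list.
    return ".".join(domain.lower().split(".")[-2:])


def spf_aligned(from_domain, envelope_domain, mode):
    if mode == "s":  # strict alignment: identical domains
        return from_domain.lower() == envelope_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(envelope_domain)


def dmarc_disposition(from_domain, envelope_domain, sender_ip):
    """Return (spf_result, aligned, disposition) for one message.

    Disposition is 'deliver' on an aligned SPF pass, 'no-policy' when the
    From: domain publishes no DMARC record, or the published p= / sp= action.
    Alignment is the crucial step: an SPF pass for the attacker's own envelope
    domain says nothing about the From: domain the user actually sees.
    """
    spf = check_spf(envelope_domain, sender_ip)
    policy, is_subdomain = parse_dmarc(from_domain), False
    if policy is None:
        policy, is_subdomain = parse_dmarc(organizational_domain(from_domain)), True
    if policy is None:
        return spf, False, "no-policy"
    aligned = spf == "pass" and spf_aligned(from_domain, envelope_domain, policy.get("aspf", "r"))
    if aligned:
        return spf, True, "deliver"
    action = policy.get("p", "none")
    if is_subdomain:
        action = policy.get("sp", action)
    return spf, False, action
```

Running `dmarc_disposition("weak.test", "attacker.test", "203.0.113.5")` gives an SPF pass that is not aligned, and a disposition of `none`: the spoof is delivered because `weak.test` publishes `p=none`. The same message aimed at `example.test` is rejected, which is the behaviour the bullet above is asking for.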
Preventing Initial Code Execution:
- Establish allow-listing to ensure that executables cannot run from any directory writable by a user, substantially thwarting many attacks.
- For file types not covered by allow-listing, change the registry file associations so that scripting and other risky file types open in Notepad rather than executing. For PowerShell, reduce the risk by enforcing Constrained Language Mode and requiring script signing.
- Disable the mounting of .iso files on user devices.
- Ensure macro settings are strictly managed (refer to the NCSC’s macro security guidance) and that only those users who truly need them – and are trained on the associated risks – are permitted to use them.
- Enable attack surface reduction rules.
- Regularly update third-party software, such as PDF readers, or, ideally, utilize a browser to access such files.
- Stay informed about emerging threats through proactive research into new attack vectors.
Minimizing Further Damage:
- Allow-listing again serves as a powerful method to prevent additional damage after a malicious file has been executed.
- DNS filtering solutions, such as PDNS (for the UK public sector and also the private sector), can block suspicious connections, halting many preliminary attacks.
- Organizations can also implement endpoint detection and response (EDR) systems and monitoring to identify unusual activity on systems.
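The DNS-filtering bullet is easy to state and easy to get subtly wrong: a blocked domain must also block its subdomains, an explicit exception must beat a blocked parent, and names must be normalised (case, trailing dot) before comparison. The block below is an added example written for this page, not code from the NCSC article and not an implementation of PDNS or any other resolver. It makes the block/allow decision with most-specific-suffix matching and then runs it over a handful of constructed query-log lines (the format, client addresses and the `bad.test` / `evil-cdn.test` entries are all invented) to show the second use of such a filter: the per-client count of blocked lookups is what tells a security team which device to look at first.

```python
from collections import Counter

# Constructed policy: a blocklist entry covers the domain and every subdomain,
# an allowlist entry is an explicit exception that overrides a blocked parent.
BLOCKLIST = {"bad.test", "evil-cdn.test"}
ALLOWLIST = {"ok.bad.test"}


def normalise_name(name):
    """DNS names are case-insensitive; a trailing dot is the root label."""
    return name.lower().rstrip(".")


def suffixes_most_specific_first(name):
    """Yield 'a.b.c', 'b.c', 'c' so the first list hit is the most specific one."""
    labels = normalise_name(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def dns_decision(qname):
    """Return ('allow' | 'block', matched_entry_or_None) for one query name."""
    for candidate in suffixes_most_specific_first(qname):
        if candidate in ALLOWLIST:  # checked first so the exception wins
            return ("allow", candidate)
        if candidate in BLOCKLIST:
            return ("block", candidate)
    return ("allow", None)


# Constructed query log: "<timestamp> <client-ip> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.0.0.5 www.example.test A
2024-01-01T09:00:02Z 10.0.0.5 c2.bad.test A
2024-01-01T09:00:03Z 10.0.0.7 ok.bad.test A
2024-01-01T09:00:04Z 10.0.0.5 BAD.test. AAAA
2024-01-01T09:00:05Z 10.0.0.9 notbad.test A
2024-01-01T09:00:06Z 10.0.0.5 assets.evil-cdn.test A
"""


def triage(log_text):
    """Apply the filter to each query and count blocked lookups per client.

    Returns (decisions, blocked_per_client). A client with repeated blocked
    lookups is the early-warning signal the bullet above refers to.
    """
    decisions = []
    blocked = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, client, qname, _qtype = line.split()
        action, entry = dns_decision(qname)
        decisions.append((qname, action, entry))
        if action == "block":
            blocked[client] += 1
    return decisions, blocked


if __name__ == "__main__":
    decisions, blocked = triage(SAMPLE_LOG)
    for qname, action, entry in decisions:
        print(f"{qname:25} {action:5} {entry or '-'}")
    print("blocked lookups per client:", dict(blocked))
```

Note that `notbad.test` is allowed: suffix matching works on whole labels, not on substrings, which is the distinction a naive `endswith("bad.test")` check would get wrong.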
The Need for Ongoing User Training
To be clear: implementing the measures above and keeping them effective should noticeably reduce the number of successful attacks on your users. Even so, training users to identify suspicious links remains important. Why?
First and foremost, there is the possibility that one of the protective measures could fail, which highlights the value of a defense-in-depth strategy.
Secondly, a relentless attacker aiming to infiltrate a specific organizational network might also target users’ personal accounts to achieve their objectives. Therefore, it is beneficial for users to recognize hazardous emails in their personal correspondence, where organizational defenses are absent. This also aids in their protection against phishing attempts designed for financial gain or other extortions.
Finally, when users can identify suspicious emails and report them effectively, it serves as a vital source of intelligence for organizations, revealing compromise attempts that might otherwise go unnoticed. This is especially true for organizations under greater threat levels.
Fostering a Culture of Reporting
Organizations must move away from a culture of blame and fear around clicking links, not least because clicks are usually unintentional. That includes avoiding phishing tests that penalize users for clicking harmful links.
Imagine a scenario where a user feels comfortable reporting their click on a malicious link, prompting immediate disclosure. The security team acknowledges their prompt action and swiftly investigates the potential impact. This represents a more constructive approach, with the security benefit of early threat identification.
Furthermore, we should simplify the reporting process for users, such as through the widespread deployment of email add-ins.
Integrating Usability and Security
This article encourages organizations to reframe their perspective on security. Since merely telling users to avoid clicking on dubious links is ineffective, let’s explore a different approach. What alternatives would arise if we truly encouraged users to engage with links without trepidation?
While we aren’t advocating for reckless behavior, the essential point is that we do not have to sacrifice usability for security. Harmonizing these two aspects can create an environment where security is robust, while allowing employees to perform their roles without fear of reprisal when mistakes occur.
David C
Technical Director for Platforms Research and Principal Architect
Article has been taken from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working