Ohio University

Spring break email and login security updates part of larger plan

On March 9, OIT will enable a security feature in Catmail called Safe Links and will release a new version of the OHIO login page that requires users to enter their full @ohio.edu email address instead of just their OHIO ID to log in. Normally, we would provide several weeks’ notice for a change like this. In this case, we have chosen to accelerate the timeline to provide additional protection against a recent uptick in phishing scam attacks. Spring break represents our best opportunity to implement these measures quickly while minimizing impact on the university community.

Both changes are part of a broader campaign to enhance online communication security at Ohio University. 

Protecting OHIO inboxes and logins

OIT recognizes the importance of email as a communication tool at Ohio University - and in higher education as a whole. Unfortunately, cyber criminals recognize this, too. Phishing scams designed to fool victims into giving their login credentials away continue to grow in sophistication, frequency and scope. In the past, phishing scams mostly targeted university employees. More recently, scammers have begun going after students, too.

To protect students, faculty and staff against such attacks, OIT began taking a series of proactive security measures in the fall, with more planned for the next several months. Some of those measures will reduce the number of scams that reach individuals' inboxes. Others will help protect individuals who fall for a scam by making it more difficult for an attacker to use stolen credentials.

Protections already in place

  • Safe Attachments - AI-based system that scans incoming email attachments for malware that would not be identified by normal scanning methods and deletes it.
  • Account lifecycle management - Unclaimed and unused email accounts are popular targets for hackers who take advantage of the fact that no one is 'watching' those accounts' inboxes. OIT has instituted a policy of deactivating abandoned accounts at regular intervals.
  • Data Loss Prevention - AI-based system that flags messages sent to non-OHIO recipients that might contain sensitive data.

Planned Protections

  • Safe Links - AI-based system that scans email for malicious links. If a site is suspicious, Safe Links will warn the recipient when they try to open the link and will prevent them from continuing. Sites also can be blocked manually. This feature can be especially useful during an active phishing attack.
  • Multi-Factor Authentication for All - Adds telephone or mobile app-based verification to OHIO logins. A successful login requires both a correct password and access to a specific telephone or mobile device, making it difficult for a scammer to use stolen credentials. Employees already are required to use the Duo app when accessing core systems. Later this year, we will switch from Duo to a different app and expand coverage to all OHIO online systems for employees and students. This will be a brand-new service for students. The spring break login page change is a prerequisite to making this happen.
  • Automated Email Forwarding - To reduce the risk of protected data being stored on non-university systems, we will phase out the ability for faculty and staff to automatically forward their incoming messages to an external email address.
  • Modern Authentication – Catmail will stop allowing older, less secure email and calendar apps to log in. The latest desktop and mobile versions of Outlook will continue to work, as will the built-in mail and calendar apps in the latest versions of iOS and Mac OS.

More about the March 9 updates

Login page: New look and feel; email address as username

  • The new login page will have an updated design and will require you to use your full @ohio.edu email address instead of just your OHIO ID to log in.
  • In the days leading up to the change, reminders will appear on the current login page. We will not send you any email reminders. If you receive a message asking you to log in or verify your account or password, that message is a scam and should be reported to security@ohio.edu.
  • If you are using the web version of an OHIO online service when the change happens on March 9, you may have to log back into that service.
  • For up to 24 hours after the change you may see the old login page occasionally:
    Screen shot: Old and new OHIO login pages side by side.

Safe Links: Active protection against scams

  • In some email clients, if you mouse over a link in an HTML message, you may see the Safe Links URL instead of the actual destination. For plain text messages, the Safe Links URL will be included in line with the message text.
  • Safe Links URLs will start with https://na01.safelinks.protection.outlook.com/?url=
  • Some university-related sites and popular news media organizations’ links may be exempted from this service.
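
To see where a rewritten link actually leads, the destination can be read back out of the Safe Links URL. The following is an added example, not code from OIT or Microsoft; it assumes the original address is carried percent-encoded in the `url=` parameter shown above, treats acceptance of other subdomains of `safelinks.protection.outlook.com` as an assumption beyond the single host named on this page, and uses constructed sample links.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Host suffix taken from the announcement's na01 prefix; accepting other
# regional subdomains under it is an assumption made for this example.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed sample links (not real messages or real destinations).
WRAPPED = ("https://na01.safelinks.protection.outlook.com/"
           "?url=https%3A%2F%2Fwww.example.edu%2Flogin%3Fnext%3D%252Fhome")
LOOKALIKE = ("https://na01.safelinks.protection.outlook.com.example.net/"
             "?url=https%3A%2F%2Fwww.example.edu%2F")


def unwrap_safelink(link: str) -> Optional[str]:
    """Return the original destination carried in a Safe Links URL.

    Returns None when the link is not a well-formed wrapper, so a
    lookalike host is never mistaken for the real rewriting service.
    """
    parts = urlsplit(link.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host.endswith(SAFELINKS_SUFFIX):
        return None
    # parse_qs percent-decodes the parameter value exactly once.
    targets = parse_qs(parts.query).get("url", [])
    if len(targets) != 1:
        return None  # missing or duplicated url= parameter
    target = urlsplit(targets[0])
    if target.scheme not in ("http", "https") or not target.hostname:
        return None
    return targets[0]


def destination_host(link: str) -> Optional[str]:
    """Host the reader would land on, or None if the link is not a wrapper."""
    target = unwrap_safelink(link)
    return urlsplit(target).hostname if target else None


if __name__ == "__main__":
    for sample in (WRAPPED, LOOKALIKE):
        print(destination_host(sample), "<-", sample)
```
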

If you have any questions, please contact the IT Service Desk.