Introduction
Spearphishing emails with dangerous links are legitimate concerns for many organizations including ThreatSwitch and its customers. Many IT departments deploy URL rewriting software to identify and "quarantine" potentially dangerous URLs, but sometimes the rules behind these security suites are overly aggressive and break otherwise safe and important URLs such as those required for password reset flows.
ThreatSwitch Password Reset and URL Rewriting
If the links included in ThreatSwitch's password reset emails are modified in any way, it can cause the user to be stuck in a "loop" where they are unable to successfully complete the reset process.
When conducting a password reset, the URL included in the email should be in the following format:
Any deviation from the password reset format will cause a password loop. Companies using email security tools that adjust links will need to whitelist ThreatSwitch.
Outlook ATP Safelinks
If using Outlook ATP Safelinks, policies need to be updated in order for links to come through without modification. If password reset emails are being modified by Safelinks, the URL string will be preceded by: https://nam04.safelinks.protection.outlook.com/?
โ
IT Teams will need to add a whitelist policy to their ATP Safelinks for the domain: threatswitch.com. Please see the relevant 365 support article for more information.
โ
It is recommended to use a generic wildcard format around threatswitch.com to ensure that all ThreatSwitch links function.
Mimecast URL Protect
Mimecast's URL protect rewrites certain URLs which can send users into a password reset link. A Mimecast URL policy needs to be added whitelisting Threatwitch.
General Troubleshooting
If you have encountered a password reset loop and have remedied it but are still having issues, or are generally having difficulties with password resets read below.
Password reset security considerations to know:
Password reset URLs contained in ThreatSwitch's password reset emails expire after 1 hour.
Password reset urls are "one time use". If a url was used previously, even in an unsuccessful password reset attempt, a user will need to initiate another password reset flow from the password reset page.
Cookies must be enabled for the threatswitch.com domain otherwise the password confirmation process cannot proceed and will result in an error message.