Product Review: SafeSend

by [Published on 16 March 2017 / Last Updated on 16 March 2017]

In this product review, we will be evaluating SafeSend (v4.1.29), a tool that claims to help avoid these situations and prevent the accidental emailing of confidential data outside a company’s domain, by detecting external recipients and attachments in outgoing emails or meeting invites.

Product Homepage: click here

Free Trial: click here

 Image

Introduction

It has happened to most of us at least once. Either because we are rushing or simply not paying enough attention, we end up sending an email to the wrong person. In many cases, this happens because of Outlook’s AutoComplete feature (also known as nickname cache): we start typing a recipient’s name in the To field, Outlook displays all the recipients we have previously emailed that match the name or letters we typed, and we press enter without paying much attention, causing Outlook to use the wrong, but sometimes very similar, recipient.

Rare are the times this is not an issue. Most of the times it is embarrassing, but for some organizations it can be disastrous. I personally know of several cases where private information regarding a company or a business deal was mistakenly sent to the wrong client. All it takes is a quick search online and dozens and dozens of high profile cases come up where private and confidential data was sent to the wrong recipient, all due to human error.

In this product review, we will be evaluating SafeSend (v4.1.29), a tool that claims to help avoid these situations and prevent the accidental emailing of confidential data outside a company’s domain, by detecting external recipients and attachments in outgoing emails or meeting invites. Using a pop-up message, it requires the user to confirm the external recipient(s) and file(s) before the email can be sent, thereby preventing accidental data leakage, improving security awareness and preventing attacks like spear phishing.

SafeSend is developed by a privately held software company named SafeSend AS based in Olso, Norway. Its main target are enterprises with over 1,000 users that work with sensitive data and, according to SafeSend, it is currently used by hundreds of thousands of users with some well-known and global organizations as their clients.


Requirements

SafeSend is an add-in for Microsoft Outlook. Being purely a client-side software means that it is installed on each client PC and that no server is required. Its settings are managed centrally using Group Policy that pushes out new configuration to each client PC.

SafeSend works with both 32 and 64-bit versions of Outlook 2007, 2010, 2013 and 2016. According to SafeSend’s documentation, Office 365 ProPlus is also supported as long as click-to-run is not used as some add-ins do not work on Outlook click-to-run installations. However, during my tests all features of SafeSend seem to have worked just fine with a click-to-run installation of Office 365 ProPlus (Outlook 2016).

As to the Operating System, Windows 2000, XP, Vista, 7, 8, 8.1 and 10 are all supported.

The last requirement to keep in mind is Microsoft .NET Framework 4.0 or above. Without it, the installation will fail as SafeSend chose not to automatically install or upgrade .NET in order to not change the system configuration without administrators being aware.


Installation


SafeSend is supplied as a ZIP file that includes one MSI file and a set of ADMX/ADML files used to manage settings centrally via Group Policy. The MSI file is generated based on the customer’s preferred settings so, initially, no extra configuration should be required. The same MSI file works for both 32 and 64-bit versions of Outlook. Configuring SafeSend is covered in the next section.

Since an MSI is used to install SafeSend, we can manual install it on user’s PCs, or we can deploy it via Group Policy, System Center Configuration Manager (SCCM), MSIexec or any other packaging or installation tool.

Please be aware that the SafeSend MSI file is a per-machine installation file that requires administrative rights. Being a per-machine installation means that all users who log into the same machine and start Outlook will be using SafeSend.

For this review, let’s manually install SafeSend on a test virtual machine using an Office 365 account. To do this, we run the MSI provided by SafeSend:

 Image

Once we accept the license agreement and click Install, the installation will begin. There are no options available to configure during the installation:

 Image

Simple as that!


Using and Configuring SafeSend

Once the installation is complete, we can start Outlook and we should be ready to go. By running a quick and simple test, we can see that SafeSend is indeed doing its job:

 Image

With SafeSend, we are forced to acknowledge/confirm that the email is definitely intended to nuno@gmail.com, as this address is considered an external and unsafe address by SafeSend. Once we confirm this is our intended recipient by selecting the check-box next to the external email address, we are allowed to press Send.

In case an email is sent to multiple recipients, SafeSend gives us the option to easily acknowledge all at the same time by using the Select all check-box:

 Image

The Select all option can be disabled completely, or configured so that users are forced to acknowledge every recipient individually for emails with less than X amount of recipients (after all, we wouldn’t want them to have to manually acknowledge 50 recipients, for example):

 Image


So how do we configure this and other SafeSend options? Let's take a look at that now.

The MSI file I was given came pre-configured with a single safe/internal domain of companydomain.com and the default SafeSend logo. In a real scenario, this would be pre-configured with a customer’s internal domain(s) and the customer's own logo. Instead of asking SafeSend to re-package the software for me, we can easily change this ourselves.

As I have mentioned previously, ADXM/ADML files are also provided by SafeSend which allow us to centrally control settings using Group Policy:

Image 

For organizations with restrictions on using ADMX/ADML files, SafeSend can still be configured by deploying registry keys directly through SCCM or Group Policy Object (GPO). All settings, including the license key, can be deployed this way.

Please be aware that a Domain Controller running Windows Server 2008 R2 or later is required in order to use the ADMX/ADML files provided by SafeSend.

To start centrally configuring SafeSend, we need to copy the ADMX file to C:\Windows\PolicyDefinitions and the ADML file to C:\Windows\PolicyDefinitions\en-US. If you are suing a central store, please use the SYSVOL directory instead.
Once these files have been copied, we can create a new GPO (or use an existing one) and we should be able to see SafeSend’s settings under User Configuration -> Administrative Templates -> SafeSend Email Security for Outlook:

 Image

To start with, I am interested in configuring the safe domains list so that my lab’s domain (nunomota.pt) is not treated as an external or unsafe domain, like in the following example:

 Image

To do this, we navigate to the Commonly used folder and update the SafeDomains setting with our internal domain(s). Once again, this is usually done by SafeSend when a customer buys the product, but since adding accepted domains in Exchange is not that rare, organizations might need to do the same eventually.

 Image

Once the user receives the updated GPO, sending an email to an internal user will not trigger SafeSend (notice how Nuno was not included in the popup):

 Image

This feature is also useful to whitelist certain trusted partners an organization might regularly do business with.


An easy way to verify if a policy got applied to a user, is to check all the settings currently applied to the user by navigating in Outlook to File -> Options -> Add-ins -> Add-in Options -> SafeSend:

 Image

Clicking on View settings... will display all the SafeSend settings applied to this particular user. In this case, we can see that nunomota.pt is now a safe domain:

 Image

The Overrides HKCU/Policies tab shows all the settings we have configured so far that deviate from the default settings (most of which we will be discussing shortly):

 Image

We can also view this same information using the Registry. The default settings of SafeSend are stored in HKLM/SOFTWARE/WOW6432Node/SafeSend:

Image 

Whereas the per-user settings are stored in HKCU\Software\Policies\SafeSend:
 
Image

There is also an Edit settings... option that allows us to manually configure settings on the local machine for testing purposes. However, please be aware that these are reset when Outlook is restarted.
 
Image

Attachments

Most users might not be too happy if they are forced to acknowledge every single email they send to external recipients. A useful approach to minimize or prevent user's dissatisfaction towards SafeSend is, in my opinion, to only trigger SafeSend when an email is sent to an external recipient that contains an attachment, which should provide a good balance between usability and security for most organizations. To do this, we enable the OnlyPopupForAttachments setting:
 
Image

New Threads

We can also configure SafeSend to only trigger when users compose a new email. After all, if a user is replying to an email, it is unlikely they will send it to the wrong person, unless they start including new recipients in the email. This can easily be done with the OnlyPopupForNewEmailThreads setting:
 
Image


Localization

SafeSend currently supports an impressive 30 languages. To set SafeSend to use the same language that Outlook is configured with, all we need to do is enable the advanced option UseLocalizedLanguage:

 Image

Now SafeSend will use the same language as Outlook!

 Image



Policy

Users typically ignore the company’s email usage policy and, most of the times, are not aware of how corporate email should be used. You might have noticed from previous screenshots that SafeSend can include a policy message stating, for example, that email should comply with the organization’s email and security policy and include a link to the organization’s policy on email. This feature is disabled by default, but can be easily configured by enabling the PolicyLink option and specifying a URL for the organization’s email/security policy:

 Image

SafeSend will show, by default, the following line of text:

 Image

As all other text in SafeSend, this can also be customized using several settings, such as StringMainPolicy, giving organizations great customization flexibility:

 Image

 Image



Distribution Groups and High Profile Mailboxes

It is common for organizations to have some internal Distribution Groups restricted so only particular users can email them, or have these configured with moderation so that emails have to be reviewed before being sent to the group. SafeSend can also be used to provide another alternative and force users to acknowledge they intend to email a certain distribution group. By configuring the TreatMatchingExchangeDLNamesAsExternal setting, we can configure the group(s) that will trigger SafeSend:

 Image

Now, any group whose display name starts with “Dept – “ will trigger SafeSend. In the following screenshot, notice how the departmental groups triggered SafeSend, but not the IT ServiceDesk group:

 Image

It is also possible to trigger SafeSend before sending to specific email addresses using the TreatMatchingEmailsAsUnsafe setting. Useful to alert users when emailing VIPs for example.



SafeSend Logs

Software will always be software, and sometimes things do not work exactly the way we expect them to. To help administrators troubleshoot any possible issues, SafeSend includes several logs. The following log file describes the SafeSend’s add-in loading process that occurs when Outlook starts: C:\Users\<username>\AppData\Local\SafeSend\adxloader.log. This can be useful in situations where SafeSend is not loading or simply to see what happens when the plugin is loaded:

 Image

Talking about Outlook loading SafeSend, this add-in seems to load quickly even in my lab's test workstation. This is important to both avoid user frustration and Outlook from disabling the add-in (which can happen if an add-in takes too long to load):

 Image


Besides this log, SafeSend can also log all the actions taken by a user to both a physical file and to the Windows Event Log. This can be important in compliance or auditing scenarios where an organization needs to prove that a user was presented with a popup but decided to send the email nonetheless.
These two options are configured using the LoggingFileLogEnabled and LoggingWindowsEventLogEnabled settings respectively:

 Image
 
Image

The log file is stored under C:\Users\<username>\AppData\Local\SafeSend\ and contains who sent the email, the email subject, the email addresses of the external recipients and the files attached, if any.

 Image


The event in the Application log has an EventID of 0 and a Source of SafeSend and contains the same information:

 Image



Preventing users from disabling SafeSend

By default, users can enable or disable Outlook add-ins as they see fit:
 
Image

As a security tool, it is imperative that users are not able to circumvent SafeSend. For Outlook 2007 or 2010, SafeSend cannot prevent users from disabling the add-in, but it can re-enable it each time Outlook starts. With Outlook 2013 and 2016, we can use Group Policy. To do so, first we need the Office 2013/2016 Administrative Templates. Once we have that in place, we enable the List of managed add-ins policy setting and add zzz.SafeSend with a value of 1, meaning that SafeSend cannot be disabled by users:

 Image

Now SafeSend cannot be disabled or removed, and users are presented with a notification informing them of that:

 Image


Data Loss Prevention and Encryption

Although outside of the scope for this review, I fell it is important to mention SafeSend’s DLP Content Scanning capabilities. With this feature, SafeSend scans email content (including attachments) for specific keywords or data patterns using regular expressions. If a match is found, we can choose to notify the user, require a confirmation from the user, or deny sending the email altogether:

 Image

Another possible action for when a match is found, is to ask the user if they want to encrypt the email when sensitive content is found by using the TriggerEncryptionMode setting:

 Image

Additionally, the same setting can be used to ask users if they want to encrypt any email, or only ask them when attachments are found.

It is important to note that SafeSend does not perform the actual encryption. Instead, it adds a configurable string to the email’s subject which can then trigger the encryption itself by Exchange, ProofPoint, HPE SecureMail or other mail devices or services. Nonetheless, this is a great feature that reminds users to encrypt emails, making it easier and more convenient to do so.


Conclusion


SafeSend is a great product that does exactly what it says it does, and more. The fact that it can be easily deployed to multiple users using a GPO, SCCM or other packaging tool, plus the fact it can be centrally managed using GPOs makes it extremely easy to deploy, configure and maintain.
As we all know, most users don’t like change, and some organizations might have a hard time convincing users of the benefit of a few more clicks before sending an email. However, in some organizations security is paramount and I believe SafeSend can be configured to establish a good balance between security and usability, and still help protect an organization’s private and sensitive data.

MSExchange.org Rating 4.8/5

 

Image

See Also


The Author — Nuno Mota

Nuno Mota avatar

Nuno is an Exchange MVP working as a Senior Microsoft Messaging Consultant for a UK IT Services Provider in London. He specializes in Exchange, Lync, Active Directory and PowerShell.