We started noticing a few users complaining that whenever they requested a password reset link (and this affects new users setting their passwords for the first time as well) the email would arrive, but the link wouldn’t work.
I pulled lots of hair out before noticing that in one email a user had forwarded to us, the link had been re-written (i.e. something had changed it).
Our password reset links look like this:
They include a security feature where each link can only be used once (the “key=R4nd0mbunch0fL3tters” bit). So after that link has been visited it can’t be used again. This is so that if someone else got hold of the email, they can’t click the link and reset your password without your knowledge. Instead they just get a message saying the link has expired.
Unfortunately, Office 365 tries to protect you from phishing links by re-writing all links to something like this:
That makes it clearly much harder to check visually whether the link is going to Motional or to some random scam website. The major flaw, however, is that Office 365 visits the link before it redirects you, so it can decide whether it’s safe or not. That’s your one-time link all used up.
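The sequence described above, modelled as an added example (this is not Motional's code): a link scanner fetches the one-time link first, and the user's click then lands on an expired key. The class and method names are hypothetical, the store is in memory, and the second mode (spend the key when the form is submitted rather than when the link is visited) is one possible server-side design assumed here for comparison.

```python
import secrets


class ResetKeyStore:
    """In-memory stand-in for a single-use reset-key table (hypothetical)."""

    def __init__(self, consume_on_visit):
        self.consume_on_visit = consume_on_visit
        self._unused = {}      # key -> account, removed once the key is spent
        self.passwords = {}    # account -> password (plain text only for the demo)

    def issue(self, account):
        key = secrets.token_urlsafe(16)   # unguessable value for the key= parameter
        self._unused[key] = account
        return key

    def visit(self, key):
        """HTTP GET of the link, by a mail scanner or by the user."""
        if key not in self._unused:
            return "expired"
        if self.consume_on_visit:
            # Whoever arrives first spends the key. The session-bound form
            # submission that would follow in this design is not modelled.
            del self._unused[key]
        return "form"

    def submit(self, key, new_password):
        """HTTP POST of the reset form (consume-on-submit design)."""
        account = self._unused.pop(key, None)   # check and spend in one step
        if account is None:
            return "expired"
        self.passwords[account] = new_password
        return "password changed"


def scanner_then_user(store):
    """Constructed scenario: the scanner fetches the URL, then the user clicks."""
    key = store.issue("alice@example.com")
    return store.visit(key), store.visit(key)


if __name__ == "__main__":
    print("consume on visit :", scanner_then_user(ResetKeyStore(True)))
    print("consume on submit:", scanner_then_user(ResetKeyStore(False)))
```

In the second mode the key is still single-use, because a second `submit` with the same key returns "expired". The key does stay live until the form is submitted, so that design depends on a short expiry time.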
I take data security very seriously here at Motional, and I won’t be removing the one-time-only nature of our links.
Ask your IT support to read this document from Office 365 about setting up do-not-rewrite rules: https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-a-custom-do-not-rewrite-urls-list-with-atp
Ask them to add “motional.io” to the list of URLs to NOT rewrite.
As always, feel free to ask if you have any questions 🙂