Motional

Measuring and Improving
Emotional Health and Well-being

Receiving emails from Motional when you use Office 365

We started noticing a few users complaining that whenever they requested a password reset link (and this affects new users setting their passwords for the first time as well) the email would arrive, but the link wouldn’t work.

I pulled lots of hair out before noticing that in one email a user had forwarded to us, the link had been rewritten (i.e. something had changed it).

Background

Our password reset links look like this:

https://motional.io/login/?action=rp&key=R4nd0mbunch0fL3tters&login=yourusername

They include a security feature: each link can only be used once (that is what the “key=R4nd0mbunch0fL3tters” bit is for). Once the link has been visited it can’t be used again. This is so that if someone else gets hold of the email, they can’t click the link and reset your password without your knowledge. Instead they just get a message saying the link has expired.

The Problem

Unfortunately, Office 365 tries to protect you from phishing links by rewriting all links to something like this:

https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flink.motional.io%2Fwf%2Fclick%3Fupn%3DEvOLJ0ORsYQ6eaHEaQbDGDkbep2RLpKmN0MrEEgptr8iASk5FYcxwrHVZicc89lKjRTxZAqhBllZdNjfmSr7QprgGuShlD82scxmXkCCmBiHSQnWpIQVLj9XkKVqTjQgL10uboAFwbDQOSjdA-3D-3D_Evy98C-2F6r0sfs6rWa-2B-2FwUyJ6dXLKOhtTYXHfytsmAxnYEAdwLyrTCFOEJ3TTFARw45t2zZrGKoKVFk-2F-2FFYFIcIod0F0p20bP3yInx96fecGuPCclIxfMsWwGW-2BvTGI40JyNRVCVzfc0DSpd8g2vs1cRcx5oIe0-2BB0TpwmkOENVS2XbPi2hvwfxqIXilPPKqQ44s-2BvrPn4-2BwlD7UIgvLgcUInGC9gMUxIBXFHc82ZwHqUbluCIiKXHUb9J-2BpVvZI-2FoqKy8g-3D-3D&data=02%7C01%7Cyourusername%7C780e59c9b71c465287a908d63dbbe3fd%7C199653adc1564a05bad3084c1618%7C0%7C0%7C636764274534572091&sdata=kg3ST3LcVxRf%2B1Zoh7Vkr8KpjU5%2BukyUq1GnQ%3D&reserved=0

That is clearly much harder to check visually, since you can no longer tell at a glance whether it goes to Motional or to some random scam website. The major flaw, however, is that Office 365 visits the link before it redirects you, so that it can decide whether the link is safe or not. That visit uses up your one-time link.
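To make the failure concrete, here is a small added example (not Motional’s code) that models the single-use reset key described above and reproduces the scanner pre-fetch: the first visit to the link succeeds and the user’s own click then gets the “expired” result. It also includes the check I’d run on a forwarded email: unwrapping a Safe Links URL to recover the original link it points at. The key store, the `unwrap_safelinks` helper and the sample URLs are all constructed for illustration; the Safe Links host suffix and the `url=` query parameter are the ones visible in the rewritten link above.

```python
# Added example, not Motional's own code. Models the one-time reset key from
# the post and shows a link-scanner pre-fetch consuming it before the user
# arrives. Also recovers the original URL from a Safe Links wrapper.
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Host suffix seen in the rewritten link above (emea01.safelinks.protection.outlook.com).
SAFELINKS_HOST_SUFFIX = "safelinks.protection.outlook.com"


def unwrap_safelinks(url: str) -> Optional[str]:
    """Return the original URL carried in a Safe Links wrapper's `url=`
    parameter, or None if the URL is not a Safe Links rewrite."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host.endswith(SAFELINKS_HOST_SUFFIX):
        return None
    # parse_qs percent-decodes the value, so the nested query string comes back intact.
    original = parse_qs(parsed.query).get("url")
    return original[0] if original else None


class ResetKeyStore:
    """In-memory store of single-use reset keys (constructed for illustration;
    a real deployment would persist them with an expiry)."""

    def __init__(self) -> None:
        self._keys = {}  # key -> username the key was issued for

    def issue(self, username: str) -> str:
        """Mint a fresh random key and return the reset link that carries it."""
        key = secrets.token_urlsafe(20)
        self._keys[key] = username
        return f"https://motional.io/login/?action=rp&key={key}&login={username}"

    def redeem(self, url: str) -> str:
        """Consume the key in `url`. The first visit returns 'ok'; any later
        visit, or a visit with an unknown key or mismatched login, returns
        'expired' (the message the post describes)."""
        q = parse_qs(urlparse(url).query)
        key = q.get("key", [None])[0]
        login = q.get("login", [None])[0]
        if key is not None and self._keys.get(key) == login:
            del self._keys[key]  # single use: drop it on first redemption
            return "ok"
        return "expired"


def simulate_safelinks_prefetch(store: ResetKeyStore, username: str) -> Tuple[str, str]:
    """Reproduce the failure from the post: the scanner fetches the link
    first, so the user's own click finds the key already consumed."""
    link = store.issue(username)
    scanner_result = store.redeem(link)  # Safe Links visits the link to check it
    user_result = store.redeem(link)     # the user's real click arrives second
    return scanner_result, user_result


if __name__ == "__main__":
    wrapped = ("https://emea01.safelinks.protection.outlook.com/?url="
               "https%3A%2F%2Fmotional.io%2Flogin%2F%3Faction%3Drp%26key%3DEXAMPLEKEY%26login%3Dalice"
               "&data=CONSTRUCTED&reserved=0")  # constructed sample, not a real email link
    print("original link:", unwrap_safelinks(wrapped))
    print("scanner, then user:", simulate_safelinks_prefetch(ResetKeyStore(), "alice"))
```

Running it prints the recovered `https://motional.io/login/?action=rp&key=EXAMPLEKEY&login=alice` from the wrapper and `('ok', 'expired')` for the pre-fetch simulation, which is exactly the sequence users were reporting: the email arrives, but the link is already spent by the time they click it.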

The Solution

I take data security very seriously here at Motional, and I won’t be removing the one-time-only nature of our links.

Ask your IT support to read this document from Office 365 about setting up do-not-rewrite rules: https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-a-custom-do-not-rewrite-urls-list-with-atp

Ask them to add “motional.io” to the list of URLs to NOT rewrite.

As always, feel free to ask if you have any questions 🙂