On Friday, the Staff issued 21 FAQs for recipients of its recent letter requesting certain companies to voluntarily provide information concerning the SolarWinds cyberattack. The FAQs provide answers to questions concerning, among other things, the scope and limitations of the “amnesty” that the Division of Enforcement is prepared to provide and how to respond to certain inquiries contained in the original letter.
Companies that received the letter should read the FAQs carefully and should also be sure to check out this blog from Perkins Coie. While the FAQs are all helpful, I think that for many companies, the Staff’s first FAQ raises the question they asked most often:
1. I received a notification from Zix Mail, is it legitimate?
The SEC uses Zix Mail service for sending encrypted messages in connection with its confidential investigations, including this one. When we send an encrypted message via Zix Mail, the recipient receives a notification message from Zix Mail. An authentic notification of a message from Zix Mail will:
i. Be sent only from firstname.lastname@example.org
ii. Direct you to a link starting with “https://web1.zixmail.net”
The backstory here is that many companies that received the original email from the Division of Enforcement weren’t sure that it was legit, and some of them reached out to the Staff to confirm that it came from the SEC. After reading FAQ #1, can you blame them? Based on the SEC’s description of its email blast, this thing couldn’t have looked more like a phishing attempt if the Zix Mail email address had ended in “@hacker.ru”.
– John Jenkins