Consider the procedure below. What are your counterarguments, related to both security and user experience?
This is a follow up on my previous question on the same topic.
Step one: An employee submits an e-mail to coworkers (non-internal roles are also covered):
Step two: The e-mail server intercepts all incoming mails and substitutes hyperlinks to non-whitelisted sites, e.g.
redirect.contoso.com/surveymonkey.com/my-survey, and sends known authors the following message:
Obviously, if the GUI of the e-mail client can be modified, the verification can happen as the mail is authored.
Step three: If the author takes no action, the recipients get the e-mail after three minutes, but are presented with this message when they click the (doctored) link:
Over time, the user-vetted whitelist could be augmented with white- and blacklists provided by the security part of the organization.
The assumption is that this would intercept most link-based phishing attacks with a message of caution, while also keeping employees alert, due to the two-factor authentication involved, without significantly degrading the user experience or imposing excessive policing of the employees.
So again, what are your counterarguments, related to both security and user experience?
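As an added illustration (not part of the question, and not any vendor's implementation), here is a small Python model of steps two and three: links whose host is not on the whitelist are rewritten into the redirect.contoso.com/<host>/<path> form named above, and the redirect endpoint either passes the click through, if the author has since vetted the host, or returns the warning. The whitelist contents, the sample message, and all function names are assumptions made for the example; the redirect host is the one the question uses.

```python
"""Model of the link-rewriting gate described in the question (added example, not the poster's code)."""
import re
from urllib.parse import urlsplit

REDIRECT_HOST = "redirect.contoso.com"       # redirect host named in the question
TRUSTED = {"contoso.com", "sharepoint.com"}  # constructed whitelist (assumption)


def host_matches(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one.
    The leading dot in the suffix test is what stops sharepoint.com.evil.example
    from passing as sharepoint.com."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def rewrite_link(url):
    """Step two: return url unchanged if its host is whitelisted, otherwise the
    doctored form https://redirect.contoso.com/<host><path>?<query>.
    The host comes from a real URL parse, so https://contoso.com@evil.example/
    is classified by evil.example, not by the user-info part."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return url  # mailto:, relative links, malformed input: leave alone
    if host_matches(p.hostname, TRUSTED):
        return url  # covers REDIRECT_HOST itself, so rewriting is idempotent
    tail = p.path or "/"
    if p.query:
        tail += "?" + p.query
    # Note: this path form carries no scheme, so the gate below assumes https
    # when it rebuilds the target; a real design would carry the full URL.
    return "https://%s/%s%s" % (REDIRECT_HOST, p.hostname, tail)


_HREF = re.compile(r'href="([^"]+)"', re.IGNORECASE)
_BARE = re.compile(r'https?://[^\s<>"\']+')


def rewrite_body(body):
    """Rewrite href="..." targets and bare http(s) URLs in an HTML or text body.
    A regex is enough for the demonstration; production code should walk the
    parsed HTML so that attributes split across quoting tricks are not missed."""
    body = _HREF.sub(lambda m: 'href="%s"' % rewrite_link(m.group(1)), body)
    return _BARE.sub(lambda m: rewrite_link(m.group(0)), body)


def gate(request_path, vetted):
    """Step three: handle a click on the doctored link.  `request_path` is the
    path of the request that reached redirect.contoso.com; `vetted` is the set
    of hosts the author confirmed.  Returns ('redirect', target) or
    ('warn', target), where target is what the warning page would display."""
    host, _, rest = request_path.lstrip("/").partition("/")
    target = "https://%s/%s" % (host, rest)
    if host_matches(host, TRUSTED) or host_matches(host, vetted):
        return "redirect", target
    return "warn", target


# Constructed sample message (assumption), mixing an HTML link and a bare URL.
SAMPLE = (
    'Hi all,\nPlease fill in <a href="https://www.surveymonkey.com/my-survey?id=7">the survey</a>.\n'
    "Slides: https://contoso.sharepoint.com/sites/x/deck.pptx\n"
)

if __name__ == "__main__":
    print(rewrite_body(SAMPLE))
    path = "/www.surveymonkey.com/my-survey?id=7"
    print(gate(path, vetted=set()))                   # author took no action: warn
    print(gate(path, vetted={"surveymonkey.com"}))    # author vetted it: redirect
```

The `gate` call with an empty `vetted` set is the "author takes no action" branch of step three; the second call shows the same click after the author has vetted the host.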