They phish users with horribly made emails with no formatting, then they send the same sort of emails for legitimate things. They give security advice and then break their own security advice.
Unless you’re a government (or contractor) your threat model isn’t some side channel timing attack on your CPU, its users complacent with security created by you. Legitimate emails should look legitimate the first time, security advice applies always and everywhere. It’s not that hard.
They phish users with horribly made emails with no formatting, then they send the same sort of emails for legitimate things. They give security advice and then break their own security advice.
Unless you’re a government (or contractor) your threat model isn’t some side channel timing attack on your CPU, its users complacent with security created by you. Legitimate emails should look legitimate the first time, security advice applies always and everywhere. It’s not that hard.