
For us working in tech, yes, we can be vigilant, but for less tech-savvy folks in large companies or government, good luck!



I know everyone at my last company had to do compliance training with Kevin Mitnick for hours; not that I minded, RIP. Fingers crossed my large company isn’t the outlier and people pay attention to the training. Still, this vulnerability is bad news. A well-targeted attack that doesn’t trip any training red flags (links, attachments, etc.) for the victim is still a very real security threat, right?


> A well targeted attack that doesn’t trip any training red flags (links, attachments, etc.) for the victim

As I understand it, the victim still has to click on a link in an email for the attack to work. The attack makes the email look like it comes from a legitimate source (like the victim's own company), but it still requires the victim to take an action; it's not completely passive.


Yes indeed. And that's the whole purpose of the domain impersonation -- the mail should look legit to the potential victim, so they follow up with the requested action (like signing up with their password on a phishing login page).



