SwiftOnSecurityDec 31, 2022
Worse, even if you get an email from your mastodon instance (or ANY web service), an authorized SMTP system could have been hijacked and the link directed to a phishing page, potentially even hosted on a hijacked subdomain.
Layers and layers of caution are required whenever you are prompted to take an unusual action.
https://mstdn.social/@stux/109603992325592066
sтυx🎄 (@[email protected])

Attached: 1 image ⚠️ WARNING! ⚠️ I just received this email in a catch-all that was addressed to a user. Mastodon does NOT such mails and this leads to a malicious login page! Please make sure you are on the correct instance URL before logging in! Also make sure the emails are send from the instance you are on! Often this email can be found on the /about page #Mastodon

Mastodon 🐘
Show threadSwiftOnSecurityDec 31, 2022
NOTE: Humans reduce their ability to detect/resist fraud when under time pressure. See how the email puts the victim under duress by threatening to delete messages. To act as quickly as possible. This is a huge red flag that will help you if you know to look for it in attacker communications (or life in general). Because attackers know this is a shortcut to better results.
Show threadSwiftOnSecurityDec 31, 2022
At my work we are planning for this kind of nightmare scenario by moving to tightly-governed and logged SMTP relays. It will take a lot of work but giving vendors SPF/DKIM, although MUST be done in interim as soon as possible so you can get DMARC to enforcement, is a blank check when you are an incredibly sensitive service/huge target.
Most should not worry about this there's a 100 things more important but understand the exposure.
Show threadMathiasDec 31, 2022
@SwiftOnSecurity Could you elaborate the "DMARC enforcement" part, please. I never fully understood it tbh.
Show threadCarey Drake
@matthegap @SwiftOnSecurity See the bottom right in the DMARC flow below. You setup a policy that says the receiver should "reject any messages that fail", "quarantine any messages that fail", or "let failures thru". The first two would be enforcement.
(Image courtesy of https://dmarc.org/overview/ . Many more details found there.)
Overview – dmarc.org

Dec 31, 2022 at 2:22pmWeb
Show threadMathiasJan 1, 2023
@yackreader @SwiftOnSecurity Ah, so the policy is read and enforced by the receiver. That makes sense, didn't know this was possible.