SwiftOnSecurityDec 31, 2022
Worse, even if you get an email from your mastodon instance (or ANY web service), an authorized SMTP system could have been hijacked and the link directed to a phishing page, potentially even hosted on a hijacked subdomain.
Layers and layers of caution are required whenever you are prompted to take an unusual action.
https://mstdn.social/@stux/109603992325592066
sтυx🎄 (@[email protected])

Attached: 1 image ⚠️ WARNING! ⚠️ I just received this email in a catch-all that was addressed to a user. Mastodon does NOT such mails and this leads to a malicious login page! Please make sure you are on the correct instance URL before logging in! Also make sure the emails are send from the instance you are on! Often this email can be found on the /about page #Mastodon

Mastodon 🐘
Show threadSwiftOnSecurityDec 31, 2022
NOTE: Humans reduce their ability to detect/resist fraud when under time pressure. See how the email puts the victim under duress by threatening to delete messages. To act as quickly as possible. This is a huge red flag that will help you if you know to look for it in attacker communications (or life in general). Because attackers know this is a shortcut to better results.
Show threadSwiftOnSecurityDec 31, 2022
At my work we are planning for this kind of nightmare scenario by moving to tightly-governed and logged SMTP relays. It will take a lot of work but giving vendors SPF/DKIM, although MUST be done in interim as soon as possible so you can get DMARC to enforcement, is a blank check when you are an incredibly sensitive service/huge target.
Most should not worry about this there's a 100 things more important but understand the exposure.
Show threadINCO
@SwiftOnSecurity I've seen an org take on the effort of training the userbase to recognize DKIM signature failures, only to then discover that someone high up the foodchain used a strange setup for their 'employee newsletter' distribution which modified the email content, thus breaking DKIM.
Dec 31, 2022 at 3:11pmWeb