Kobold letters – Lutra Security

Anyone who has had to deal with HTML emails on a technical level has probably reached the point where they wanted to quit their job or just set fire to all the mail clients due to their inconsistent implementations. But HTML emails are not just a source of frustration, they can also be a serious security risk.

@jake4480 @weddige

interesting, didn't realize emails could do this.

one question;

"your manager asking you to wire a large sum of money to a bank account.

...

still not convinced, so you call your manager to ensure that the email is legit. He confirms, so you transfer the money.

...

The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions.

...

the moment the email appeared in your inbox, it changed."

@buru5 @weddige it's wild. And I've worked in HTML and email both for so long, I figured this would eventually be the way. Mostly the fault of CSS. But still. I'm an HTML purist first. hahaha

@jake4480 @weddige

why wouldn't the employee ask their manager about the contents of the email? "i got an email from you about wiring money?"

in the example, it seems like the theoretical employee says ... "i got an email from you just now, is it legit? oh, it is? thanks."

@buru5 @weddige now, the phishing attacks are SO realistic. Sometimes it looks ultra legit. Something you'd usually use. I get being scammed. It's super easy, especially now. Even for tech savvy folks. No matter how much someone thinks they know.. you'll be having an off day or just be caught off guard, I guess?

@buru5 @jake4480 Perhaps I should add some context: with this example, I tried to give a realistic illustration of what this attack pattern is capable of, without adding too much about how to write convincing phishing emails. But with some suggestive wording, you can increase the chance that a call to the manager will not reveal that you are talking about different emails.

@weddige @buru5 it's fantastic. I mean, just the other day my wife was almost fooled by a phony text, and she's BRIGHT, an early adopter - she was dismayed. It's so fast and so dangerous now. Only way is to educate. Like your killer article. By the way, LOVE that moving wave animation at the top of the lutra pages! 😍

@jake4480 Thanks for the compliments 🥰

@weddige @jake4480 I'll add to that and say: you've got a *really* nice website there :)

Clean code, lit where it makes sense, and a home page that has <2MB which loads in <700ms.