Heard from a friend their company did a phishing simulation… using their actual @domain .com as the sender.

Dawg what are you even training your users to avoid, legitimate email?

@SwiftOnSecurity And then they'll ask why their employees have trust issues...
@SwiftOnSecurity to be fair, if users avoided even legitimate mail, things might improve
@SwiftOnSecurity worked at a company that did the same, and used a meeting with HR as the lure to click on the attached Word doc. There were meetings with people after that...
@SwiftOnSecurity i don't even need training to do that!
@SwiftOnSecurity what is this "legitimate email" of which you speak?
@SwiftOnSecurity
"This email could have been ignored"
@SwiftOnSecurity Damned straight. An attacker may forge the headers well enough to appear correct. They may have an internal account compromised already and are trying to gain more access. There's no such thing as an unconditionally legitimate message anymore.

@tknarr @SwiftOnSecurity it's a nasty test but I too see the logic in it.

Though you'd want to pepper a "real domain" test with some educational red flags if you were going that way.

Ask the user to buy the boss some random gift cards or change some payroll / vendor data at least.

@krupo @SwiftOnSecurity Just make it realistic. Link to a document on an external service also used by the company, or to a document at a legitimate location (or as an attachment) that's got real malware code in it with the payload neutered and just reporting the download or access. Subtle isn't getting the job done.

@krupo @tknarr @SwiftOnSecurity IMO you should only do this if you think your org's risk of spoofing attacks is high and you've given your employees the tools to suss out its illegitimacy.

If you haven't given them easy ways to identify a spoofed message, you're not training them, you're just dunking on them. Enough will fail no matter what.

Ultimately Security should do their damnedest to prevent an employee from ever being in this position.

@kevinmirsky @tknarr @SwiftOnSecurity agreed on that. Dunking isn't the goal.
@kevinmirsky @krupo @SwiftOnSecurity I've seen the insider attack too often. My rule is if I didn't expect that email with that document, I either delete it if it's not relevant to me or I ping the sender back to get confirmation and navigate to the document from my own bookmarks rather than trust a link. Yes, I'm paranoid. Hopefully I'm paranoid enough.

@kevinmirsky @krupo @tknarr @SwiftOnSecurity and you should be training people who send out legitimate mass internal emails on what *NOT* to do.

I swear some of our internal corporate emails look like someone got the wrong ideas from our phishing training.

@tknarr @SwiftOnSecurity if your org can't at least flag spoofed messages, you have some serious infra problems.
@tknarr @SwiftOnSecurity They don't teach people reading mail headers anymore?
@sigi714 @SwiftOnSecurity Parsing the headers for validity is deep magic even for us who know SMTP well. I wouldn't expect the average user to be able to do it at all. The only sure way to validate the sender is a cryptographic signature (PGP or S/MIME), and even that doesn't protect from a compromised sender account.
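
Added example, not code from anyone in this thread: what "flagging spoofed messages" looks like when the gateway does the header reading for the user, which is the point the two replies above make about forged headers and header parsing. The check parses the Authentication-Results header our own MTA stamped, applies DMARC-style relaxed alignment of the SPF and DKIM results against the From: domain, and adds the two cues that survive a perfect header forgery: a Reply-To that goes somewhere else and a display name that contains a different address. INTERNAL_DOMAIN, TRUSTED_AUTHSERV and the three sample messages are constructed assumptions.

```python
# Gateway-side spoof flagging. Added example; INTERNAL_DOMAIN, TRUSTED_AUTHSERV
# and the sample messages below are constructed assumptions.
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"      # assumption: the org's own mail domain
TRUSTED_AUTHSERV = "mx.example.com"  # assumption: authserv-id of our inbound MTA


def _domain(addr_or_domain):
    """'user@host', '@host' or 'host' -> 'host', lowercased."""
    return addr_or_domain.rpartition("@")[2].lower()


def _aligned(domain, org_domain):
    """Relaxed DMARC alignment: the domain is org_domain or a subdomain of it."""
    domain = _domain(domain)
    return bool(domain) and (domain == org_domain or domain.endswith("." + org_domain))


def parse_auth_results(value, trusted_authserv=TRUSTED_AUTHSERV):
    """Parse one Authentication-Results header (RFC 8601) into
    {method: {"result": ..., "<ptype>.<property>": ...}}.
    A header not stamped by our own MTA yields {}: a sender can add a forged
    Authentication-Results header just as easily as a forged From:."""
    value = re.sub(r"\s+", " ", value).strip()           # undo header folding
    authserv, _, rest = value.partition(";")
    if (authserv.split() or [""])[0].lower() != trusted_authserv.lower():
        return {}
    results = {}
    for clause in rest.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # drop comments like (p=reject)
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause, re.IGNORECASE)
        if not m:
            continue
        entry = {"result": m.group(2).lower()}
        entry.update((k.lower(), v.lower())
                     for k, v in re.findall(r"(\w+\.\w+)=(\S+)", clause))
        results[m.group(1).lower()] = entry
    return results


def classify(raw, internal_domain=INTERNAL_DOMAIN):
    """Return {"verdict": internal|spoofed-internal|external, "reasons": [...]}."""
    msg = email.message_from_bytes(raw)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    # Only the topmost header our MTA stamped counts: the MTA prepends its own
    # and should strip inbound ones claiming its authserv-id, so a forged copy
    # further down must never override it.
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        auth = parse_auth_results(str(hdr))
        if auth:
            break

    reasons = []
    if not _aligned(from_domain, internal_domain):
        verdict = "external"
    else:
        spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
        spf_ok = spf.get("result") == "pass" and _aligned(spf.get("smtp.mailfrom", ""), internal_domain)
        dkim_ok = dkim.get("result") == "pass" and _aligned(dkim.get("header.d", ""), internal_domain)
        if spf_ok or dkim_ok:
            verdict = "internal"
        else:
            verdict = "spoofed-internal"
            reasons.append(f"From: claims {internal_domain} but no aligned SPF or DKIM pass")

    # Cues that survive a perfect forgery of From: and the trace headers.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append(f"Reply-To goes to {_domain(reply_to)}, not {from_domain}")
    shown = re.search(r"@([\w.-]+)", display)
    if shown and shown.group(1).lower() != from_domain:
        reasons.append(f"display name shows @{shown.group(1)} but the address is {from_addr}")
    return {"verdict": verdict, "from": from_addr, "reasons": reasons}


# Constructed sample messages, not real traffic.
GENUINE = b"""From: HR <hr@example.com>
Subject: Benefits enrollment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass (p=reject) header.from=example.com

Enrollment closes Friday.
"""

# Forged From:, Reply-To to the attacker, and a forged Authentication-Results
# claiming our MTA, sitting below the one our MTA actually added.
SPOOFED = b"""From: HR <hr@example.com>
Reply-To: hr-example@mail-attacker.test
Subject: Urgent: updated payroll form attached
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-attacker.test;
 dkim=none
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com

Open the attached form today.
"""

# Lookalike domain that passes its own SPF/DKIM; the display name is the tell.
LOOKALIKE = b"""From: "hr@example.com" <hr@examp1e.com>
Subject: Updated payroll form
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com;
 dkim=pass header.d=examp1e.com

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("SPOOFED", SPOOFED), ("LOOKALIKE", LOOKALIKE)):
        print(name, classify(raw))
```

Two design points. First, the code trusts only the topmost Authentication-Results header carrying our authserv-id, because an MTA adds its own at the top and RFC 8601 expects it to strip inbound copies that claim its identity; a forged copy placed lower by the sender is therefore ignored, which the SPOOFED sample exercises. Second, as the thread itself notes, none of this helps against a compromised internal account: such a message is "internal" by every header check, and only the Reply-To and display-name cues, or out-of-band confirmation, are left.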

@SwiftOnSecurity That balances with the number of times companies send out legitimate email that matches all their descriptions of phishing emails. Training their users to click on phish.

I saw a thread talking about how you can't teach a dog better behaviour by punishing it, and for whatever reason, it made me think about phishing entrapment training.

No need - I avoid all mail by default; phishing or legitimate
@SwiftOnSecurity had essentially the same. Also, I told our antispam that the mail was spam and it told me "no it's not" 🤦 I am basically ignoring all e-mail from our own company after this "training". I'd like to smack our entire it security team for incompetence
@SwiftOnSecurity I delete all emails unopened as a general rule. If it’s important they call and ask why I haven’t responded yet. I search by sender and then open it and read it over.
I won’t ever sign for a delivery if I don’t know what it is either. I don’t know anyone who has gone to pick up a certified letter that was happy afterwards, I smile every time I throw away the notice.
@SwiftOnSecurity That's not a bad idea, really.
@SwiftOnSecurity fooling your users is the goal, right?
@SwiftOnSecurity
You're speaking of the domain name of the link, right?
On my side, I've seen an email seemingly sent by the CISO of an organization inviting their users to update their corporate password and/or to define a new recovery email address. Both buttons were pointing to the exact same *.odoo.com link (so definitely *not* their corporate domain name).
@SwiftOnSecurity
They then received an email from their local IT support team urging them to ignore the phishing email and *not* to enter their corporate credentials on a third-party website (good move). A few minutes later, they received another email from the same team asking them to actually enter their corporate Azure credentials through the provided odoo.com link... as this was actually "legit" 🤦‍♂️

@SwiftOnSecurity

I'm fucking astonished at the replies that see this as a legitimate security education tactic.