A Sneaky Phish Just Grabbed My Mailchimp Mailing List (troyhunt.com)
120 points by gpi 56 days ago | 70 comments



>There are so many services where you've registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.

This is a huge issue at the moment. For some reason, tonnes of companies have decided it's OK to have you register online at www.corporate-domain.com, and then have the login service hosted at corporate-domain-account.onmicrosoft.com, with emails arriving from mailhost.corporate-domain-mail-services.com.


This is also a problem for organizations internally.

I have a university email where IT tries to train people to recognize legitimate vs phishing emails by whether the login is on some onmicrosoft.com domain no one remembers. It then mangles all links in emails, so users without clients that demangle them can't actually see whether a link goes to that domain. And, of course, legitimate logins often involve redirects. With wide use of SSO, users can also expect login screens to appear while in a variety of vaguely related places, from journals, to news sites, to various subscription services. This is in the context of a login system that always requires OTP, regardless of 'remember this device' settings, practically ends up needing at least one login per week for staff, and reportedly can require students to log in (with OTP!) multiple times per day, so the login process is so frequent it is trivialized, and being careful with each login would take an enormous amount of time in total.

To further confuse things, IT repeatedly sends out fake phishing emails with links to Microsoft-owned domains with valid Microsoft SSL certificates.

I expect IT would respond that these arrangements satisfy all requirements they have, and that the solution is more user training and online webinars.


> To further confuse things, IT repeatedly sends out fake phishing emails with links to Microsoft-owned domains with valid Microsoft SSL certificates.

The org I work for does something similar. All links are obfuscated by some scanning service, unless it’s a trap…


It seems like Microsoft has some sort of fake phishing system with all of these ridiculous properties, which many organizations then use.

The first time I received one, I initially thought our email server had been compromised, because rather than realizing it was a fake test, my mind went from "Why was this obvious phishing email not caught by the spam filter?" to "How does this email not have Received headers!?" to "How does an obviously fake login page have a valid Microsoft SSL certificate on a validly Microsoft-registered domain name and a Microsoft-ASN IP address!?" to "How much of the university's infrastructure would have to be compromised for an attacker to do that!?".


I never understood this. Is there some reason not to use subdomains?


Sometimes it is due to using third parties for some portions, and those services needing DNS control but not supporting sub-domain delegation in the custom domain options. Why a company running it all themselves would do the same is more of a mystery, though simple not-joined-up-thinking is rather likely.


Typical symptom of a dysfunctional organization. It's easier to do anything else than to get the team managing the company domain to add a subdomain for them.


Oh yes, and the reason they will give for not adding it is security.


Yep, this has happened to me as well. Ever since that incident, I've treated "password manager isn't filling in my credentials" as a MAJOR red flag, rather than as "ugh, technology is being flaky again".

Unfortunately, phishing can happen to anyone.


Actually, knowledge of how badly large corporations can work can work against you. I got myself Easyjet scammed after a delayed flight, after being tired from being a day late and having walked long distances. Not noticing a tiny typo on the Twitter account, then being redirected to a fairly generic (no Easyjet logo) but legitimate-looking helpdesk account, and I thought “Oh yeah, this would totally happen in the large corp I worked at where some half-baked 3rd party product is used for a WhatsApp helpdesk”; in combination with me being tired, this cost me a few hundred euros.


Unfortunately, you aren't wrong. The number of dodgy looking domains I've seen that actually belong to legitimate companies is staggering.

Why is my phone company wanting me to log in on phonecompany-secure.co?! All their ancillary tools are correspondingly half-assed, as you say.


Yeah, it’s rare that 1P fails to recognise the website; when it does, I always get suspicious. Most of the time when it fails it’s on random crappily made niche websites anyway, for which I wouldn’t care if my credentials were stolen!


Actually, when I do get worried is when I have to log in to an app with a credential I saved for the website. 1P doesn’t match the app automatically (understandably) and I’m always a little uncomfortable.


One of my biggest frustrations with 1password is registering on an app and then logging into the website afterwards.


Security policy in my company disables saving of passwords and disallows password managers.


Ah, so they’re all conveniently located on sticky notes attached to monitors?


Honestly, a sticky note on a monitor is more secure than what a lot of people actually do. At least there, physical access is required to obtain your credentials.

But what I do is use an offline password manager on my phone. Yes, I have to actually read and type in the passwords that I don't have memorized, but it's a small inconvenience to get an additional security gain. Plus, it's out of the reach of IT.


My friend's father used a notebook for all logins and passwords; he used phrases for most, with some exceptions. He started doing this before password managers were a thing, in the late 90s. When he died a few years ago, his family had access to everything.


> Honestly, a sticky note on a monitor is more secure than what a lot of people actually do.

That's not really saying much. It's still very dumb and insecure.


This sort of thing is why every company and every mailing list has a different address for me. Once one is compromised, it goes direct to /dev/null.

It is also why I'm paranoid about ad-tech stalking. Even if I trust the company originally collecting & collating my activities¹, the resulting data is one good phish or other hack away from being in the hands of someone who might make use of it to, for instance, attempt to spear-phish² me. If someone who literally "does security" for a living and is reputed to be good/knowledgeable in the area can get caught, then so can someone working for a company that likely takes security less seriously or is simply less experienced in the area.

----

[1] which, of course, I don't

[2] or attempt to blackmail me, though that truly would only be an attempt, there is nothing I do online that would surprise/shock/endanger my friends/family/employer.


> This sort of thing is why every company and every mailing list has a different address for me. Once one is compromised, it goes direct to /dev/null.

It's not just a matter of dev nulling something compromised, but also to make it difficult to know where to send a phishing attack to.

Troy did half of that. He used mailchimp@_______ for this, so it might have been guessed, or leaked elsewhere, and he won't be able to narrow down which.

And if someone sees your facebook@______ leaked elsewhere, it's not a stretch to assume you use mailchimp@_____ or twitter@_____ or...

Should use something totally random. Or maybe the first 10 chars of hash(servicename + common salt) so you don't have to keep track of too much. Or something similar: encrypt the service name with your GPG key and take the first 10 ASCII characters of the output.
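As an added illustration of the per-service alias idea above (not code from the commenter), this derives each alias from a keyed hash of the service name and shows the reverse lookup you need when one alias turns up in a leak. It uses HMAC-SHA256 (a keyed hash) in place of the plain hash(servicename + salt) suggested; the domain, secret and service names are constructed assumptions.

```python
"""Per-service e-mail aliases from a keyed hash, plus a lookup that tells you
which service an address was issued to. All names below are constructed."""
import hashlib
import hmac

ALIAS_DOMAIN = "m.example.net"   # assumed catch-all subdomain you receive on
ALIAS_LEN = 10                   # first 10 hex chars, as in the comment


def normalise(service: str) -> str:
    """Canonical form so 'MailChimp ' and 'mailchimp' map to the same alias."""
    return service.strip().lower()


def alias_for(service: str, secret: bytes, domain: str = ALIAS_DOMAIN) -> str:
    """HMAC-SHA256 over the service name, keyed with your private salt.
    Keyed hashing (rather than hash(name + salt)) means that someone who sees one
    alias still cannot derive the aliases you handed to other services."""
    tag = hmac.new(secret, normalise(service).encode(), hashlib.sha256).hexdigest()
    return f"{tag[:ALIAS_LEN]}@{domain}"


def which_service(address: str, services, secret: bytes, domain: str = ALIAS_DOMAIN):
    """Recompute the alias for every service you signed up with and report the match.
    The hash is one-way, so you keep the list of services, not a table of aliases."""
    address = address.strip().lower()
    for s in services:
        if alias_for(s, secret, domain) == address:
            return normalise(s)
    return None  # not one of ours: possibly a guessed or keyboard-mashed address


if __name__ == "__main__":
    secret = b"constructed-secret-salt-keep-this-private"
    signups = ["mailchimp", "twitter", "facebook"]
    for s in signups:
        print(f"{s:10s} -> {alias_for(s, secret)}")
    leaked = alias_for("mailchimp", secret)
    print("leaked address was issued to:", which_service(leaked, signups, secret))
```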


For the read-only, newsletter-type mailing lists, this makes sense and I do it too. But for mailing lists that are used more as a forum, I like posting with a recognizable, memorable email address. I've gotten some really sweet emails from people who read a post I made and reached out to me directly in the past. I wouldn't want to miss those, spam be damned.


I can receive on all those addresses, so that isn't lost. They are in a subdomain with catch-all and a black-list of abused addresses. I will lose mail if someone responds on an old address that is now pointed at /dev/null, but I doubt I've lost much, if anything, that I'd care about, that way.

I have seen some senders apparently guessing a catch-all is in operation as I've received junk on a few addresses that just look like keyboard mashing. I have ideas for potential workarounds to solve that, but it doesn't happen enough that it has irritated me into pursuing one of those ideas further.

There are currently no two-way mailing lists I'm a member of so that is not an issue. Last time I did interact with a group that way, it just meant making sure my mail client used the right outgoing identity, just as I do when replying to a particular company, so the list didn't see me as an unauthorised sender.

The only other complication was once hitting a shopping site that rejected someaddress@subdomain.domain.tld. They were checking by regex (client-side anyway) that there were only one or two “.”s in the hostname part, and if there were two there were at most three characters between them. Assuming they were applying the same validation server-side, I didn't bother trying to circumvent that. I could have used another address, but if there was shoddy coding in the join workflow there presumably was everywhere else too, so I didn't actually trust the place enough to interact with it further, let alone give it payment details.


Some people are stupid all of the time. Everyone is stupid some of the time. No one is stupid none of the time.


The sentiment is sound in that everyone is vulnerable, but it's not a matter of stupidity. This is about being alert and attentive, not being smart or dumb.


>I went to the link which is on mailchimp-sso.com and entered my credentials which - crucially - did not auto-complete from 1Password. I then entered the OTP

These clever phishing schemes fool even tech-savvy computer users like Linus Tech Tips, Matthias Wandel, and Troy Hunt. This problem should be "low hanging fruit" for A.I. to identify and help users. E.g. Apple Intelligence on iPhones to scan the emails and text messages for red flags, and something similar in desktop email clients like Mozilla Thunderbird.

Anyways, comparing the WHOIS info for legitimate vs fake:

  Domain:  mailchimp.com
  Registered On:  2001-06-29
  Registrar:  MarkMonitor Inc.
  Country:  US

  Domain:  mailchimp-sso.com
  Registered On:  2025-03-24
  Registrar:  NICENIC INTERNATIONAL GROUP CO., LIMITED
  Country:  AE (United Arab Emirates)

Social-engineering phishing really should be one of the "easier" problems for AI to solve.

[1] https://www.whois.com/whois/mailchimp.com

[2] https://www.whois.com/whois/mailchimp-sso.com


Let me introduce you to Microsoft:

  microsoft.com, microsoft.net, office.com, office365.com, windows.com, windows.net, etc.
  Registrar: MarkMonitor Inc.

  live.com, onenote.com, msecnd.net, etc.
  Registrar: CSC Corporate Domains, Inc.

  sharepoint.com, outlookmobile.com, etc.
  Registrar: Nom-iq Ltd. dba COM LAUDE

https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...

Someone should make a "Microsoft or phishing domain?" game.

(To be fair to them, their registrars are at least corporate solutions.)


Don't forget these gems: microsoftedgeinsider.com, microsoftinternetsafety.net, microsoftedge.com, and many others: https://github.com/v2ray/domain-list-community/blob/master/d...


> Someone should make a "Microsoft or phishing domain?" game.

Done: https://domaingame.damgaard.dev/ :-D


Apple Intelligence will gladly promote an obvious phishing email to the top of your inbox: https://www.reddit.com/r/MacOS/comments/1h5jf7s/apple_intell...


Clickable for everyone who likes old.* better:

https://old.reddit.com/r/MacOS/comments/1h5jf7s/apple_intell...


>Apple Intelligence will gladly promote an obvious phishing email to the top of your inbox

Sorry for not being clear. I definitely was not recommending for users to depend on Apple Intelligence. I've deliberately turned it off because it doesn't work in comparison to Apple's hype.

What I was trying to convey was that AI currently doesn't exist to reliably identify text and email phishing on both iOS and desktop email, but this particular fraud problem seems like low-hanging fruit for something like an improved Apple Intelligence to actually solve.


Legacy 2FA like OTP or SMS isn't going to protect you from this kind of phishing (as shown). However webauthn with a security key or passkey would have prevented this. Unfortunately mailchimp doesn't support those.


Passkeys face a similar issue to when password managers don’t autocomplete credentials: we’re accustomed to technology not working well due to poor implementations, so when it does not work we may assume it’s just unreliable and resort to alternative authentication methods instead of suspecting something suspicious. Of course, when they work well, they are much more secure, and if passkeys were reliable enough to not ever need passwords that would solve a lot.


I thought that passkeys were domain-bound through a challenge-response mechanism? That should completely prevent phishing like this simple MitM of the 2nd factor. At least, that's how I've seen it be sold.


Yes. So when it prevents the phishing attempt there's a good chance that quite a few people will assume something broke and attempt an alternative login method - with the phishing "service".
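To make the domain binding discussed in the two comments above concrete, here is an added simulation (not code from any commenter, and not a real WebAuthn library) of the browser-side rpId check and the relying party's origin check. The credential store, the HMAC standing in for the authenticator's signature, and the hostnames login.mailchimp.com and mailchimp-sso.com are constructed for the example; real browsers apply a stricter rpId rule that also rejects public suffixes.

```python
"""Simulated passkey (WebAuthn) assertion flow showing why a credential bound to
rp_id 'mailchimp.com' cannot be exercised from a page on mailchimp-sso.com."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed credential store: one passkey registered for rp_id "mailchimp.com".
# "secret" stands in for the private key; real authenticators sign with ECDSA.
CREDENTIALS = {"mailchimp.com": {"cred_id": "cred-001", "secret": b"constructed-key"}}
RP_ID = "mailchimp.com"
ALLOWED_ORIGINS = {"https://login.mailchimp.com", "https://mailchimp.com"}


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Browser rule (simplified): rp_id must equal the page's host or be a parent
    domain of it. 'mailchimp-sso.com' is neither, so the check fails there."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def client_get_assertion(origin: str, rp_id: str, challenge: str):
    """What browser + authenticator do for navigator.credentials.get()."""
    if not rp_id_valid_for_origin(rp_id, origin):
        return None  # browser refuses: rp_id is not bound to this origin
    cred = CREDENTIALS.get(rp_id)
    if cred is None:
        return None  # authenticator holds no passkey for this rp_id
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # the rpIdHash field
    signed = auth_data + hashlib.sha256(client_data.encode()).digest()
    sig = hmac.new(cred["secret"], signed, hashlib.sha256).hexdigest()
    return {"cred_id": cred["cred_id"], "client_data": client_data,
            "auth_data": auth_data, "sig": sig}


def rp_verify(assertion, challenge: str) -> bool:
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd["type"] != "webauthn.get" or cd["challenge"] != challenge:
        return False
    if cd["origin"] not in ALLOWED_ORIGINS:
        return False  # an assertion relayed from a phishing page fails here
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"].encode()).digest()
    expected = hmac.new(CREDENTIALS[RP_ID]["secret"], signed, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def login_attempt(page_origin: str) -> bool:
    """User presses 'sign in with passkey' on page_origin; the real RP is mailchimp.com."""
    challenge = secrets.token_hex(16)
    return rp_verify(client_get_assertion(page_origin, RP_ID, challenge), challenge)


if __name__ == "__main__":
    for origin in ("https://login.mailchimp.com", "https://mailchimp-sso.com"):
        print(origin, "->", "login ok" if login_attempt(origin) else "no assertion / rejected")
```

The phishing page's only remaining move is to request a credential for its own rpId, which the authenticator does not hold, which is exactly why the previous comment expects users to see "nothing happens" and fall back to a weaker method.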


By that logic "legacy 2FA" does nothing then, and it's just another inconvenience created for security theatre purposes (which I almost agree with), and we must hence have another auth step for extra inconvenience and ease of locking yourself out of your accounts.


> another auth step for extra inconvenience and ease of locking yourself out of your accounts

I think it depends on the context how one would solve that.

For example, in our company we made (webauthn) security keys mandatory (as well as 2FA itself) for our internal IdP and disabled all other 2FA methods. All account recovery methods such as SMS, phone, email, etc. are also disabled. If someone loses their key it means they need to go to IT to re-provision a new one in their account. In practice this almost never happens. In return we get a setup in which even less tech-savvy people are quite hard to phish. Overall people seem to be pretty happy with the setup. For example, they don't need to look up and enter TOTP codes, they just need to press a button.

In Troy's case you might want to use a second (backup) security key.


Good on Troy for talking about this so publicly. It underlines the truth that everyone, including everyone reading this comment, can be tricked. It doesn't matter how smart or savvy you are, all that matters is that the right pitch hits you at the right moment.

It's also a good reminder to never, ever, click on any links that come in communications like this no matter how legitimate they may seem (or be!). If an email comes reporting something that needs your attention, log into your account using your normal methods, not the provided link. Every time.


> Unfortunately, the export also includes people who've unsubscribed (why does Mailchimp keep these?!)

Isn’t this illegal, in many countries? I guess the rationale is so that you can tell them they unsubbed in the past, if they try to sign up again. I suspect the real reason is not so wholesome.

It’s a problem. I once got spammed by the legit admin of a site I had deleted my account from, years previously, because he scraped the DB. He used it to try ginning up followers for his new personal Twitter account.


Because (accidentally) mailing an unsubscribed user hurts your deliverability. And because there are users out there that will attempt to add spam traps to your mailing lists, so you keep them off the list.

(double opt-in doesn't really help with the latter as you're still mailing it)


> Because (accidentally) mailing an unsubscribed user hurts your deliverability.

Simple solution: completely remove the email, and flush the cache. No accidental mailing.

As far as spamtraps go, I don’t think there’s a way to realistically address this. There’s a couple of well-known services, like spamex, but it’s easy to set them up, if you have your own domain.

I use spamex, because I want people to know it’s a spamtrap.


It's so you can also mark those emails as unsubscribed in any other systems you have, not everyone uses mailchimp for 100% of their email


Makes sense, but I have a system that does something similar. I handle it, by having a separate, temporary DB that has the transitional data, which is completely erased, once we have set up the account.


With the way companies are abusing domains it’s hard to blame him. Looking at you, Microsoft, with your million domains I’m supposed to keep in my head to avoid this exact problem.


yet another reason to avoid their products! as if i needed more ha


Reminds me of the phone call I got yesterday. I was jetlagged, Truecaller said it was spam, but I don't know why I picked it up. Immediately upon picking up the call, the provider, Airtel India, sent me a flash message "Don't pick-up the call". Well, why are you letting it through then? Apparently these are allowed according to the provider license terms... how will an ordinary person be shielded then if spam calls are not dropped?


I had a security course at uni which was rather good and many things have stuck with me over the years. One of them is the importance of strict adherence to protocols. If you regularly enter a secure facility you follow protocol and show your credentials every single time. It doesn't matter if the security guard is a mate you've known since school. It doesn't matter how silly it seems. No exceptions. Ever.

I feel like this is exactly the kind of situation this is trying to avoid. Security should not involve thinking because thinking can go wrong. Security has to be blind adherence to stupid protocols.

The question then, is how to apply this principle to the case at hand. My suggestions:

1. Do not have clickable links in your email reader at all. Reject any email software that doesn't support falling back to plain text email or at the very least not downloading remote content and having clickable links. What mail readers work here?

2. Use the same protocol for accessing any privileged resource. For example, use a password manager outside of the browser, like KeePass, and start by clicking the URL you saved there. Never deviate from this protocol. You don't just "end up" at a password screen.


While distressing, this was likely done specifically to 'pwn' Troy and not necessarily due to the email list on his blog being especially valuable to spammers.

If you were on that list, you're not suddenly going to get a huge influx of penis pill/spam emails (you might get highly targeted phishing attempts, but, if you're like most people your email can easily be found anyways).

Bulk spam is largely a solved problem, that's why big mailing lists divorced from the sending domain of their owners are mostly worthless these days (gmail/outlook/etc won't put an email sent to 100k people from a domain with no rep in the inbox) and quickly decay due to list rot and bad metrics. I know tons of people will fight me on this based on what used to happen decades ago, but it's true.

More targeted low volume Phishing on the other hand, that's the real problem today. Gmail/Outlook/etc. don't have very sophisticated ways to prevent that. Low volume or 1:1 emails get way less scrutiny than bulk emails (you can't conduct business with outside firms without some level of permissionless communication), so be on the lookout.


> While distressing, this was likely done specifically to 'pwn' Troy and not necessarily due to the email list on his blog being especially valuable to spammers.

To what end though? Positive public notoriety isn't going to be a thing. Buffing your darknet creds also seems pretty unlikely since the sophisticated phish would be better spent actually gathering emails. And most obviously if they were targeting him in some other way why do the immediate automated export?


It's nice to see compassion for Troy in the comments. Compassion within internet comments seems to be quite rare these days.


imo it's because of the urgency with which it was disclosed (and apologized for). Hypothetically, the sentiment would have been the opposite if say he'd only disclosed this a month after the breach. (Also helps that the details weren't high stakes like personal finance data.)


IMO at some point someone is going to build Email extensions/plugins for all the major providers that just deny all mail and require reception to be opt-in. If you prefer, imagine hyper effective AI filtering.

Marketing and advertising will get exponentially harder for new companies, mailing lists, whatever else, but the average consumer will appreciate spam going to ~zero.

Nerds will lament the serendipity/loss of openness of Email and what it was supposed to be and how easy it was to reach people.

Not sure if this sketch of a possible future is better or worse.


That already exists. Filter on whether the sender is in your address book (or inbox or etc) and send to junk folder (or just drop) if not.

Another one is using extensions (ex name+ext@example.com) every time you provide the address and then auto-trashing anything that arrives without an extension. Rotate and blacklist as needed.


>Filter on whether the sender is in your address book (or inbox or etc)

That strategy doesn't work when you don't know ahead of time what email addresses the sender will legitimately use in the future.

E.g. register with the New York state tax authority to file business taxes at https://www.tax.ny.gov. A few months later, you get a real, legitimate email from ny.comptroller@service.govdelivery.com.

How would "govdelivery.com" be added to your address book? Presumably, you never added that address because you never saw it. You never saw it because it went to the Junk Folder.


Agreed, there are serious issues if the sender and receiver don't coordinate.

The feature already exists with only minimal DIY though. An alternative implementation would have to contend with the same social issue.

The easiest solution to the social coordination issue I'm aware of is the second option I mentioned. Hand out a unique address that you whitelist. Possibly burn it later if necessary.
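As an added example (not code from any commenter) of the two filtering rules discussed in this sub-thread, the classifier below accepts mail from address-book senders or mail sent to a per-service plus-address you handed out and whitelisted, and junks everything else, so the govdelivery.com case above lands in the inbox via the alias even though the sender was never seen before. The base address, address book, issued and burned aliases and sample messages are all constructed.

```python
"""Inbound-mail classifier: known sender OR whitelisted per-service plus-address
gets the inbox; bare address from a stranger, burned aliases and guessed aliases
go to junk. All data below is constructed for the example."""
from email.utils import parseaddr

MY_BASE = "name@example.com"              # assumed base address; aliases are name+ext@example.com
ADDRESS_BOOK = {"alice@friend.example"}   # constructed: senders already known
ISSUED = {"nytax": "tax.ny.gov"}          # constructed: extension -> who it was handed to
BURNED = {"oldshop"}                      # constructed: extensions retired after abuse


def extension_of(recipient: str):
    """Return the '+ext' part of a plus-address addressed to me, '' for the bare
    address, or None if the mail is not addressed to my mailbox at all."""
    _, addr = parseaddr(recipient)
    local, _, domain = addr.lower().partition("@")
    base_local, _, base_domain = MY_BASE.partition("@")
    if domain != base_domain:
        return None
    user, plus, ext = local.partition("+")
    if user != base_local:
        return None
    return ext if plus else ""


def classify(msg: dict) -> tuple:
    """Return (verdict, reason); verdict is 'inbox' or 'junk'."""
    sender = parseaddr(msg["from"])[1].lower()
    ext = extension_of(msg["to"])
    if ext is None:
        return ("junk", "not addressed to me")
    if ext in BURNED:
        return ("junk", f"alias +{ext} was burned")
    if ext and ext in ISSUED:
        # Unique alias handed to exactly one organisation: no sender coordination needed
        return ("inbox", f"alias +{ext} was issued to {ISSUED[ext]}")
    if sender in ADDRESS_BOOK:
        return ("inbox", "sender in address book")
    if ext == "":
        return ("junk", "bare address from unknown sender")
    return ("junk", f"unknown alias +{ext} from unknown sender")


# Constructed sample messages, including the legitimate-but-unknown-sender case
SAMPLE = [
    {"from": "NY Comptroller <ny.comptroller@service.govdelivery.com>", "to": "name+nytax@example.com"},
    {"from": "alice@friend.example", "to": "name@example.com"},
    {"from": "promo@random.example", "to": "name@example.com"},
    {"from": "deals@random.example", "to": "name+oldshop@example.com"},
    {"from": "x@random.example", "to": "name+zzqq@example.com"},
    {"from": "x@random.example", "to": "someone.else@example.org"},
]

if __name__ == "__main__":
    for m in SAMPLE:
        verdict, why = classify(m)
        print(f"{verdict:5s} {m['to']:28s} from {m['from']}  ({why})")
```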


Yeah this is too hard for the average user.

People IMO don’t manage addressbooks, and they don’t know about + aliases.

The innovation will be partially making it easy and intuitive — for people in their mailboxes, and for organizations with legitimate need to send emails (at the point where the user provides their email)


> Unfortunately, Mailchimp doesn't offer phishing-resistant 2FA… By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it's entered.

Which forms of 2FA would be resistant to the attack Troy faced?


FIDO authenticators. If the "autofill" doesn't work, you can't be tricked into overriding it.


I have tried to teach myself and my family never to click links in emails. Always open a new tab and go to the site in question.

Yes, sometimes you have to for email confirmation etc. but it is rare.


I keep getting legit emails from my bank that require me to click links in them


Ok, they have something to learn as well.

Most mails from my bank are 'You have a new message, log in to home banking to read it'.


This is a great reminder that even very skilled, experienced, security-conscious people that you might think could never fall for this sort of thing can and do fall for this sort of thing.

Kudos to Troy for his response so far and what I'm sure will be further information forthcoming.


Just a reminder that you're not dealing with skiddies any more - these people are sophisticated professional criminals.

When Troy Hunt can get hit, so can you.


This is surely the ultimate reminder that you, yes you - wise, knowledgeable and aware person - can get phished.

Bravo Troy for the exemplar response to the situation.


[flagged]


That seems to be the gist of the article. He fell for a fairly well-done phish.

They are getting extremely good, these days.


Case in point: That's a chatbot spambot.


Yup. I didn't look at the user.

Sign of the times...


Mild compliment! Connective subject comment. Inquisitive query?


I just realized this is the pattern that one of my coworkers constantly uses in Team chats...



