A phone call from Microsoft about my Norton anti-virus subscription putting me into debt that can only be settled with Nintendo gift cards bought in cash across 16 specific gas stations seem much more legitimate in comparison.
Most people are never going to check the links no matter how much you ask them to, and even if they did they wouldn’t know what to check for. But the tool Microsoft give you to check a link before opening it is that awful URL rewriter, which prevents the small minority who would check from being able to.
Similarly those flashing cmd windows are usually automatic update processes that Windows has no way to hide. Even some drivers that MS distribute through Windows Update do it. We could turn automatic updates off, but then nobody would update their software.
IT is rough because you’re often stuck between a rock and a hard place. On the one side you have users who don’t want to change their behaviour, on the other side you have industry leading vendors, that the SLT insist on using, that make it impossible to do the right thing or put the right thing on an Enterprise plan that the budget won’t permit. Then to top it off, there are usually compliance and insurance breathing down your neck forcing you to implement questionable best practices from the 90s, so you just have to do your best to limit the damage.
The flashing cmd.exe windows are not drivers from Windows Update - this could have been the case as drivers shipped with Windows Update is a total security nightmare running arbitrary code with administrative privileges upon hotplug - but in this context of managed devices, commonly from HP or Lenovo's corporate portfolio, it's usually additional products and changes pushed by group policy or random management software.
The often changing user prompts, looking like they were from some early 2000's hello world example, come from obscure and overlapping management software they remotely deploy which they change at will. You don't need a proprietary solution to remotely upgrade Google Chrome, just specify an enterprise policy with auto-update. You don't need a proprietary solution to prompt users and manage Windows Update, because you have... Windows Update.
The URL checker has no valid benefit, and makes it so people can never learn how to do it themselves. The browser performs the exact same checks with the exact same capabilities through its safe browsing stuff, and corporate IT often has network-level solutions too.
Corporate IT uses emails services that spoof domains and look suspicious, reversing all the phishing training they paid for.
Not to mention that Corporate IT might deploy network-wide solutions like Cisco Umbrella, which is a TLS Man-in-the-Middle attack where you install their root CA on all machines and let them control DNS to randomly redirect all traffic to their servers, effectively undermining the basis of all modern web security for the entire organization.
In general there's a fetish for buying products that has significant negative impact to security, user experience and possibility of training users, usually for the purpose of feigning progress and meeting some targets. Say, they had a ransomware incident, and now they're buying every ransomware product for a few years. Stuff with such buggy kernel code that it deadlocks and makes it impossible to create new processes until you hard reboot. I'm sure that's not a security problem!
One is the 'business' one. Mostly locked down, with checks in place.
The other is on a different network, isolated from all business functions, and they can do what they want but must never use it for work data, just like their phones (that everyone knows they use for social media etc. in the day).
Sure, you still have to deal with copying from one to the other (but there are solutions for that if critical, and much easier to secure).
It sounds crazy, but air-gaps are largely proven and it also means that employees feel less oppressed.
Now I realise, even ignoring the cost, businesses won't want this, as perish the thought their employees may do anything other than work. But I suspect it would actually stop more attacks and issues than otherwise and maybe... just maybe.. employees feel as if they're actually human.
So we get e-mails from @microsoft.com and it's only if you dig in the metadata that you see it failed authentication. The only tell in the e-mail is checking the URL, which doesn't tell you much because tons of regular e-mails use tracker redirects too. They even send emails from our own domain or the domain of our payroll company.
I won't type out my rant, but our IT department is a few guys who couldn't figure out what to do when their competitive xbox FIFA 2006 dreams failed, heard IT pays a lot with not much work, and then sat through the certs.
Just saying I haven't failed a phishing test in ~10 years.
Now sketchy emails are preceded by an equally sketchy “it’s ok” email from IT.
I'm using Finicky[1] on Mac to rewrite the URL by extracting the original URL from the query params[2].
1: https://github.com/johnste/finicky
2: https://github.com/fphilipe/dotfiles/blob/31e3d18fe5f51b2fd8...
If you really want to check every time someone clicks on a link then you can do this in the client and keep the visible link the same for the end user.
But instead there are different teams working on this in Outlook, Teams, Exchange, Defender and god knows where else.
(I'm one of the people in corporate IT trying to turn this off and often struggling)
1: https://pc-helper.xyz/scanner-snatcher/session-snatcher/cred...
https://match-heaven.club/trojan/malware_dropper.exe?id=0416...
People kept falling for phishing links though, so they got a Trend Micro device to scan emails, which also rewrote every link in it to point to their URL scanning service, which means every link now looks like https://ca-1234.check.trendmicro.com/?url=...; I guess no one would be allowed to click on any link in an email at that company.
Of course, their URL rewrites also broke a good number of links, so you'd wake up to a production incident, and then have to get your laptop, log in manually to Pagerduty/Sentry or what have you, and look up the incident details from the email...
Handles all the phishing concerns, except that participation was either low or the feedback was negative, which would lead to the leaders issuing subtle threats to the team about how they'd find out the involved folks and fire them. If you tried to uninstall it, it'd be back in a few hours through policy management software (jamf and its ilk). On the internal discussion forums, they'd nuke threads talking about how to disable that software.
So, in the end, people just started giving the best possible feedback regardless of the team or manager performance. I never really needed those threads, all I needed was tcpdump and then blocking its domain in the hosts file :)
This is getting off-topic, but I found it interesting so I'll include more details anyway.
In a lot of cases, all the fuss is to return amounts that are tiny, and yet the companies need to keep reaching out and trying to convince people. I got $0.06 (2) from my current employer. Because I've moved countries with them, I ended up falling in the category of needing to provide some bank/tax details. Of course, I wanted to log in with the silliest OS I could think of to test/mess with the tracking dashboard, and so somehow I managed to enter my DOB wrong, which even further increased the back-and-forward and emails involved (I was in the project, so the Payroll peeps involved probably didn't hold it against me).
The re-calculation which led to the payment actually worked out that I had been underpaid in come calculations, but overpaid by far more (although still very, very little) in others. The company believed they couldn't offset, so all the fuss was for a tiny amount, which I felt I really wasn't owed anyway. Also unfortunate, was that if any former employee didn't bother to claim the amount because it's so small it's not worth the fuss, it just leads to more work in follow-ups.
New Zealand Holidays Act is quite an interesting area in general, in a how-can-it-possibly-be-this-hard kind of way. I think it contributes to the reputation of NZ payroll being one of the trickiest in the world.
1) https://thespinoff.co.nz/business/27-06-2019/cheat-sheet-wha...
Sounds like something a phisher would do. Better not click.
My company does this too by the way. Usually for external things like surveys they send a pre-email.
They train people not to click links and then someone in management is fucking stupid enough to pull "just send an email with a link" kind of crap instead of properly planning the communication in advance by telling people that there will be a survey, what will be the company that is sending it, when they should expect it - but that just "too much work".
I would fire that kind of clown ass on the spot for not doing their job.
There should be a white hat phishing service you can hire to target your elders. Then when they give up their social security number, someone shows up at their door with a big cake with all their personal details in frosting.
Nothing raises my suspicions quite like something calling itself "safe".
Ah yes, it's like a country having "democratic republic" in it's name - if you have to say it, it's probably not true.
Greetings from AWS,
There are upcoming changes in how you will be receiving your AWS Invoices starting 9/18/2025. As of 9/18/2025, you will receive all AWS invoices from “no-reply@tax-and-invoicing.us-east-1.amazonaws.com”. If you have automated rules configured to process invoice emails, please update the email address to “no-reply@tax-and-invoicing.us-east-1.amazonaws.com”.
This was brain dead. If I saw an email with that sender, I would think it was a scam. They had to walk it back.
For context, I get random other emails about things like Lambda runtime deprecation from “no-reply-aws@amazon.com” which looks a lot more official.
And “aws-marketing-email-replies@amazon.com”
I’ve worked for multiple large companies where the annual IT security signoffs look exactly like malicious emails: weird formatting; originates from weird external url that includes suspicious words; urgent call to action; and threats of discipline for non-compliance.
All this money being spent on training, only to immediately lull users into accept threats.
I ended up creating my own browser extension for gmail that blocks clicking on any link unless the domain is whitelisted. Now if I click any link and it's not in the whitelist, it shows a popup that displays the domain name, and I can then choose to whitelist it and then it opens the link, or just keep blocking it. I haven't had to re-take any phishing compliance tests in a long time.
https://url.uk.m.mimecastprotect.com/s/<random_string>?domain=<domain_name>
If anyone complains, refer them to the security department to be audited. It's really rather suspicious when someone values doing their job above security.
1. Make a site like this.
2. Wait for people to try it out with an URL that goes to a significant site (bank, social media, email, etc.)
3. Allow a bit of normal use, then secretly switch the link so that further visitors land on a corresponding phishing site.
4. Having just dismissed a bunch of "obviously fake" warning signs, people may be less alert when real ones arrive.
Of course with the millions of websites available I couldn't think of one specific one, so I just held down the "x" key and then pressed CTRL+ENTER (which automatically added "www" and ".com" to your entry - typing this on a mac I see it still works with Firefox).
Of course www.x(and a few more x).com was a porn site.
Of course there were a bunch of people (including customers) sitting in reception (and the receptionist herself) who could directly see the screen.
Of course the PC was running nothing else, so a quick alt+tab didn't hide anything.
I announced that all was fine and ran for my desk.
Usually use company-i-buy-from@mydomain.ninja whenever I make online purchases, and I had a guy from a small shop call me up and ask why I had an email with his company name on. Took some good fifteen minutes to explain him that I was legit and owned the domain. He was still reluctant in the end, but eventually ended the conversation with something along the lines of "it's your problem, not mine, if the parcel won't reach you for using a fake email" :)
Never going to know what reaction I'm going to get.
Hilarious, this is great.
We have something that makes genuine links look malicious at work too.
I think it’s called Microsoft Safelink or something. Its purpose is to go through your Outlook inbox and obscure the origin of every link because, obviously, being able to understand what you’re clicking on is bad.
Remember kids, no one ever gets fired for buying Microsoft. ;)
Not sure if that's really a safe links problem, but it's super annoying.
also ProofPoint filtered links
https://cam-xxx.live/trojan-hunter/evil-snatcher/malware_cry...
EDIT: hehe got one https://news.ycombinator.com/item?id=45297475
Also, we were thought to inspect the URL before clicking on it.
Except that the spam system they use completely mangles the URL...
I hate this trend. Like an overused pool of the same "Secret Questions" every company asks, it needs to be on some "X considered harmful" list.
Here:
#!/usr/bin/env python3
from urllib.parse import urlparse, parse_qs
from sys import argv
print(parse_qs(urlparse(argv[1]).query)['url'][0])
(For a different domain).
Since you can't exhaustively enumerate every good thing or every bad thing on the internet, a lot of security detection mechanisms are based on heuristics. These heuristics produce a fair number of false positives as it is. If you bring the rate up, it just increases the likelihood that your security folks will miss bad things down the line.
In the meantime, does anyone else get a kick out of receiving emails from quarantine@messaging.microsoft.com where they quarantine their own emails?
Edit: I see other people said things that are similar to a more mature version of my feeling. We need to address this in a way that addresses the threat of email links properly, not throw machine learning at guessing which are OK to click. BTW, I'm not implying that you're saying that is what should be done to solve the issue, but I'm sure it's behind the silly MS quarantine I mentioned, and when an email from the one person I email the most, who is also in my contacts, going to spam in iCloud.
The other 10% are people who are just like you and know better.
I think that guy would get a kick out of using this for his pranks.
> https://pc-helper.xyz/usr/libexec/gnome-session/binary/etc/p...
Although I suspect some IT drone would be less enthusiastic when reviewing the chat logs when it’s picked up on heuristics
1. Create dodgy looking URL
2. AI in Gmail spots link, blocks it.
3. Blocked link is spidered for more information automatically
4. Link resolves to website
5. Website black-listed
https://www.cyber.gov.au/business-government/asds-cyber-secu...
that is just binance.com lol
https://pc-helper.xyz/root-exploit/virus_loader_tool.exe?id=...
I reported it for phishing and I kid you not, less than 30 seconds later I got a response "Email is not suspicious"
What do you MEAN email is not suspicious? This is the most suspicious email I have ever received!
If you copy the generated url and put it into the entry field (and repeat) then you end up at a bitcoin site. As Bubblerings has pointed out that has malware.
Uh, what? I just tried it a few times, and it seems to just follow the redirect each time, always ending up back at the original target URL I entered. How many times did you have to "repeat" to make that happen?
> As Bubblerings has pointed out that has malware.
No, that's not what BubbleRings said. BubbleRings said one site on VirusTotal reported it was malware. That sounds like a false positive because the URL is fishy, which is the entire point of the joke here.
And this madlad posts this at Friday.
GG HF, SOC people :D
im sry, did i miss the part on how you can hack someone by simply sending them the link? is the web seriously that bad? honestly at least do full job and create some phishing website that goes along, otherwise wtf?
"Just fuck me up fam!"
You had me spraying coffee by that point
All the funnier trying it with links to community church services (baptist no less).
Google uses it for its Alphabet Investor Relations site: http://abc.xyz