A phone call from Microsoft about my Norton anti-virus subscription putting me into debt that can only be settled with Nintendo gift cards bought in cash across 16 specific gas stations seem much more legitimate in comparison.
Most people are never going to check the links no matter how much you ask them to, and even if they did they wouldn’t know what to check for. But the tool Microsoft give you to check a link before opening it is that awful URL rewriter, which prevents the small minority who would check from being able to.
Similarly those flashing cmd windows are usually automatic update processes that Windows has no way to hide. Even some drivers that MS distribute through Windows Update do it. We could turn automatic updates off, but then nobody would update their software.
IT is rough because you’re often stuck between a rock and a hard place. On the one side you have users who don’t want to change their behaviour, on the other side you have industry leading vendors, that the SLT insist on using, that make it impossible to do the right thing or put the right thing on an Enterprise plan that the budget won’t permit. Then to top it off, there are usually compliance and insurance breathing down your neck forcing you to implement questionable best practices from the 90s, so you just have to do your best to limit the damage.
The flashing cmd.exe windows are not drivers from Windows Update - this could have been the case as drivers shipped with Windows Update is a total security nightmare running arbitrary code with administrative privileges upon hotplug - but in this context of managed devices, commonly from HP or Lenovo's corporate portfolio, it's usually additional products and changes pushed by group policy or random management software.
The often changing user prompts, looking like they were from some early 2000's hello world example, come from obscure and overlapping management software they remotely deploy which they change at will. You don't need a proprietary solution to remotely upgrade Google Chrome, just specify an enterprise policy with auto-update. You don't need a proprietary solution to prompt users and manage Windows Update, because you have... Windows Update.
The URL checker has no valid benefit, and makes it so people can never learn how to do it themselves. The browser performs the exact same checks with the exact same capabilities through its safe browsing stuff, and corporate IT often has network-level solutions too.
Corporate IT uses emails services that spoof domains and look suspicious, reversing all the phishing training they paid for.
Not to mention that Corporate IT might deploy network-wide solutions like Cisco Umbrella, which is a TLS Man-in-the-Middle attack where you install their root CA on all machines and let them control DNS to randomly redirect all traffic to their servers, effectively undermining the basis of all modern web security for the entire organization.
In general there's a fetish for buying products that has significant negative impact to security, user experience and possibility of training users, usually for the purpose of feigning progress and meeting some targets. Say, they had a ransomware incident, and now they're buying every ransomware product for a few years. Stuff with such buggy kernel code that it deadlocks and makes it impossible to create new processes until you hard reboot. I'm sure that's not a security problem!
My current employer was somewhat recently purchased by a large, publicly-traded company and I had this installed on my work machine. Suddenly DoH was forced off by administrator policy and I had to use some specific internal IP for DNS. Which isn't strictly less secure but let's just say I would, even for my large, publicly-traded business, trust Mullvad more than Cisco.
IT is basically being a system integrator with a load of systems that don't want to integrate. Corporate don't accept no for an answer. You need to bend things in ways they don't want to bend to get them to fit.
> The flashing cmd.exe windows are not drivers from Windows Update
The first thing I do with any new corpo laptop is completely wipe it down to the firmware, and clean the drive entirely to make sure the stench of Dell, Lenovo and HP is as cleansed as it's possible to be, then install Windows from a fresh ISO downloaded straight from Microsoft.
Then a few hours after reinstalling Windows again, the Lenovo shitware drivers are back. Not the software suites, at least, but the crappy drivers that throw up cmd prompts and have un-suppressible dialog boxes telling you to update the BIOS but look like malware and ask for the admin password. Check Windows Update and it will show that it has installed a bunch of stuff like "Lenovo - System" and "LG Electronics - Extension".
Recently there's a push to dropship directly to customers and use Autopilot, with some vendors now offering "Corporate-Ready" images, but most IT depts still prefer to get hands-on first because of how flaky that is, plus even the corporate ready image still comes with shitware, just less of it.
But anyway, even assuming it isn't coming via WU, and is one of those Lenovo bootkits, what else are we to do? Half the laptop won't work without drivers. Most of the other laptop manufacturers are aimed at gamers and fall apart in about a year. More recently I've been trying to move towards Microsoft Surface devices, and have found they're a much cleaner experience on the software, but have been finding the hardware reliability is quite terrible. I'm hoping that Framework's business programme turns out to be a success, but right now there are just no good options.
> You don't need a proprietary solution to remotely upgrade Google Chrome, just specify an enterprise policy with auto-update.
Sure. Chrome can be auto-updated and you have good controls over how that rolls out, so you can designate test users. But it's one of the few bits of software written "properly", including for example a Windows service that can run Chrome updates on behalf of a non-admin user, and they've actually provided GPOs to configure it. Even then it sometimes gets stuck and stops updating. So, we still need something like PMPC/Robopack/PSADT to update all the apps that either have a broken auto-update mechanism or just don't have one in the first place. We would also need to keep the original installer up to date ourselves, and for some software you're talking a day of fixing your manual packaging scripts every month, trying to work out which undocumented flags the MSI accepts, whether they've renamed the registry key they check to disable the non-functional auto-updates this version, etc.
Nowadays, we're starting to see more adoption of things like winget where the vendor themselves are packaging things in a way that is suitable for mass deployment, using a standard mechanism that Windows itself can use to auto-update the apps. This is a massive improvement for everyone, but I'd say only <10% of most corporate/LOB apps are available this way yet. Hopefully over the next few years we'll see more adoption, as this would solve a big chunk of the pain of corporate IT.
One of the worst vendors for writing stuff that doesn't use the standard mechanisms to install or update, incidentally, is Microsoft.
> The URL checker has no valid benefit, and makes it so people can never learn how to do it themselves. The browser performs the exact same checks with the exact same capabilities through its safe browsing stuff, and corporate IT often has network-level solutions too.
Nobody ever does it themselves which is the point. Also, if you're opening it on a corporate computer, current versions of Outlook do actually show you the original URL when you hover.
But anyway let's say we just rely on the browser check: what if it's a developer who's modified their browser settings? What if it's someone opening it from a personal phone? You could get rid of the URL rewriting and just ban users from using personal devices or modifying browser settings, but then you're going to war with senior executives who insist on keeping their work email on their personal phone. Almost all users don't even notice the URL rewriting, but it has prevented quite a lot of phishing attacks on personal devices that may otherwise have been successful. That's a pretty good trade-off for something that almost nobody notices is even happening.
Indeed, network TLS interception which would often have detected stuff in the past, but many corps have moved away from that now because as you point out, TLS interception is pretty crap. It breaks the increasing numbers of apps that use cert pinning, tends to be full of security flaws, and they don't work off-network unless you send all traffic to a central server or deploy it to every PoP, which is rare outside of megacorps, meaning internet experience is slow and flaky. Cisco Umbrella is a big suite with lots of other stuff too, but they do still push their TLS interception. MS advise not to use it, and the weight of opinion is shifting towards using URL protection built into the antimalware stack now, but unless we have full control over all clients accessing email, that doesn't eliminate the use case for URL rewriting.
In any case, this isn't something external we've bought in on top of the standard Microsoft 365 stack, it's part of Defender that Microsoft enable by default in their secure baseline. Going against vendor recommendations is opening yourself up to a big liability if it turns out something gets through that it would have caught.
> Corporate IT uses emails services that spoof domains and look suspicious
You'd be surprised how often vendors just directly email users without you ever having approved it or having been informed that they were going to send an email so you can pre-warn them. Again, Microsoft are one of the worst for doing this (e.g. sending emails from "User's Full Name <no-reply@sharepoint-online.com>"), but Google and Apple also do it.
> Say, they had a ransomware incident, and now they're buying every ransomware product for a few years. Stuff with such buggy kernel code that it deadlocks and makes it impossible to create new processes until you hard reboot.
Any company that is just stacking loads of conflicting antimalware products on each endpoint is clearly incompetent and not something I've seen, and I've seen some pretty shocking stuff.
There was obviously the Crowdstrike issue, but that wasn't as you describe, and as much as I'm not personally a fan of Crowdstrike, that was one major incident it caused, but you're not comparing to the counterfactual where these systems didn't exist and 0days can just spread across the network faster than an under-resourced IT dept can stop them.
I'm unusual in that I moved more into IT and cybersecurity stuff from dev, so you know, I do have sympathy for how shit this can be as a user and a developer. I have a lot of hot takes about the shitty state of technology today and how it trains the users to do dangerous things. But believe me when I say this: if there was a better way of doing it, I would be the first one adopting it. There isn't, though. At least not one open to those of us outside of Big Tech with the budget to essentially write their own security stack.
One is the 'business' one. Mostly locked down, with checks in place.
The other is on a different network, isolated from all business functions, and they can do what they want but must never use it for work data, just like their phones (that everyone knows they use for social media etc. in the day).
Sure, you still have to deal with copying from one to the other (but there are solutions for that if critical, and much easier to secure).
It sounds crazy, but air-gaps are largely proven and it also means that employees feel less oppressed.
Now I realise, even ignoring the cost, businesses won't want this, as perish the thought their employees may do anything other than work. But I suspect it would actually stop more attacks and issues than otherwise and maybe... just maybe.. employees feel as if they're actually human.
Developers are the exception here, where usually they'd prefer to develop on a machine with minimal BS running, even if it means carrying around an ultraportable in addition to their development workstation laptop.
So most of us carted around a work laptop (connected to corp WiFi) a personal laptop (on guest WiFi or tethered) a work phone and a personal phone.
In other news, you should never ever MDM enroll your personal phone with a work BYOD policy.
So we get e-mails from @microsoft.com and it's only if you dig in the metadata that you see it failed authentication. The only tell in the e-mail is checking the URL, which doesn't tell you much because tons of regular e-mails use tracker redirects too. They even send emails from our own domain or the domain of our payroll company.
I won't type out my rant, but our IT department is a few guys who couldn't figure out what to do when their competitive xbox FIFA 2006 dreams failed, heard IT pays a lot with not much work, and then sat through the certs.
I want to live in this fantasy world!
(Our IT dept is so overworked that I go out of my way to work around them purely out of empathy.)
Knowing what I know now about the IT staff and professors and knowing in hindsight only 3-4 of my CS classes were of any relevance to my work, I seriously regret not cheating my way through undergrad. I wish I could take back the time I wasted on Java and spend it with my N64.
Except their system adds extra headers related to the phishing… Wonder if they even know…
Thus, I created an Outlook rule to automatically move them to a dedicated folder… (;->
I'm an European and have never needed to use nor encountered those services.
Not sure if they still do because i stay well clear of them.
Can you give some examples?
Just saying I haven't failed a phishing test in ~10 years.
Now sketchy emails are preceded by an equally sketchy “it’s ok” email from IT.
I'm using Finicky[1] on Mac to rewrite the URL by extracting the original URL from the query params[2].
1: https://github.com/johnste/finicky
2: https://github.com/fphilipe/dotfiles/blob/31e3d18fe5f51b2fd8...
If you really want to check every time someone clicks on a link then you can do this in the client and keep the visible link the same for the end user.
But instead there are different teams working on this in Outlook, Teams, Exchange, Defender and god knows where else.
(I'm one of the people in corporate IT trying to turn this off and often struggling)
1: https://pc-helper.xyz/scanner-snatcher/session-snatcher/cred...
I didn't have the guts to tell my family about goatse.
https://match-heaven.club/trojan/malware_dropper.exe?id=0416...
People kept falling for phishing links though, so they got a Trend Micro device to scan emails, which also rewrote every link in it to point to their URL scanning service, which means every link now looks like https://ca-1234.check.trendmicro.com/?url=...; I guess no one would be allowed to click on any link in an email at that company.
Of course, their URL rewrites also broke a good number of links, so you'd wake up to a production incident, and then have to get your laptop, log in manually to Pagerduty/Sentry or what have you, and look up the incident details from the email...
Handles all the phishing concerns, except that participation was either low or the feedback was negative, which would lead to the leaders issuing subtle threats to the team about how they'd find out the involved folks and fire them. If you tried to uninstall it, it'd be back in a few hours through policy management software (jamf and its ilk). On the internal discussion forums, they'd nuke threads talking about how to disable that software.
So, in the end, people just started giving the best possible feedback regardless of the team or manager performance. I never really needed those threads, all I needed was tcpdump and then blocking its domain in the hosts file :)
That seems to be the best possible strategy for any feedback you have to give as a captive audience?
Reminds me of the feedback German companies are forced to give about their employees. It's like a formal letter of reference, but you can and will be sued if you you anything negative. Consequences are as you would expect.
And because there has been an inflation in how complimentary these letters are, people started suing when their letter wasn't flowery enough, because that somehow could be read as an implicit criticism. (Just like how A is a bad mark, when everyone else gets A+.)
I presume you're referring to "Amazon Connections"?
Had to be the most-hated bit of corporate enforcedware around. Every Linux laptop user had a different hack for hobbling or removing it.
This is getting off-topic, but I found it interesting so I'll include more details anyway.
In a lot of cases, all the fuss is to return amounts that are tiny, and yet the companies need to keep reaching out and trying to convince people. I got $0.06 (2) from my current employer. Because I've moved countries with them, I ended up falling in the category of needing to provide some bank/tax details. Of course, I wanted to log in with the silliest OS I could think of to test/mess with the tracking dashboard, and so somehow I managed to enter my DOB wrong, which even further increased the back-and-forward and emails involved (I was in the project, so the Payroll peeps involved probably didn't hold it against me).
The re-calculation which led to the payment actually worked out that I had been underpaid in come calculations, but overpaid by far more (although still very, very little) in others. The company believed they couldn't offset, so all the fuss was for a tiny amount, which I felt I really wasn't owed anyway. Also unfortunate, was that if any former employee didn't bother to claim the amount because it's so small it's not worth the fuss, it just leads to more work in follow-ups.
New Zealand Holidays Act is quite an interesting area in general, in a how-can-it-possibly-be-this-hard kind of way. I think it contributes to the reputation of NZ payroll being one of the trickiest in the world.
1) https://thespinoff.co.nz/business/27-06-2019/cheat-sheet-wha...
Sounds like something a phisher would do. Better not click.
My company does this too by the way. Usually for external things like surveys they send a pre-email.
They train people not to click links and then someone in management is fucking stupid enough to pull "just send an email with a link" kind of crap instead of properly planning the communication in advance by telling people that there will be a survey, what will be the company that is sending it, when they should expect it - but that just "too much work".
I would fire that kind of clown ass on the spot for not doing their job.
There should be a white hat phishing service you can hire to target your elders. Then when they give up their social security number, someone shows up at their door with a big cake with all their personal details in frosting.
Nothing raises my suspicions quite like something calling itself "safe".
Ah yes, it's like a country having "democratic republic" in it's name - if you have to say it, it's probably not true.
Greetings from AWS,
There are upcoming changes in how you will be receiving your AWS Invoices starting 9/18/2025. As of 9/18/2025, you will receive all AWS invoices from “no-reply@tax-and-invoicing.us-east-1.amazonaws.com”. If you have automated rules configured to process invoice emails, please update the email address to “no-reply@tax-and-invoicing.us-east-1.amazonaws.com”.
This was brain dead. If I saw an email with that sender, I would think it was a scam. They had to walk it back.
For context, I get random other emails about things like Lambda runtime deprecation from “no-reply-aws@amazon.com” which looks a lot more official.
And “aws-marketing-email-replies@amazon.com”
Greetings from AWS,
We recently notified you about upcoming changes to AWS invoice emails (subject “Important – AWS Invoice e-mail address changes”). Based on customer feedback, we are reviewing this change to determine a better customer experience. The email you receive your AWS invoices from will not change on 09/18/2025, as originally communicated, and you will continue to receive all AWS invoices from the usual email address.
Sincerely, The Amazon Web Services Team
I’ve worked for multiple large companies where the annual IT security signoffs look exactly like malicious emails: weird formatting; originates from weird external url that includes suspicious words; urgent call to action; and threats of discipline for non-compliance.
All this money being spent on training, only to immediately lull users into accept threats.
I ended up creating my own browser extension for gmail that blocks clicking on any link unless the domain is whitelisted. Now if I click any link and it's not in the whitelist, it shows a popup that displays the domain name, and I can then choose to whitelist it and then it opens the link, or just keep blocking it. I haven't had to re-take any phishing compliance tests in a long time.
https://url.uk.m.mimecastprotect.com/s/<random_string>?domain=<domain_name>
If anyone complains, refer them to the security department to be audited. It's really rather suspicious when someone values doing their job above security.
1. Make a site like this.
2. Wait for people to try it out with an URL that goes to a significant site (bank, social media, email, etc.)
3. Allow a bit of normal use, then secretly switch the link so that further visitors land on a corresponding phishing site.
4. Having just dismissed a bunch of "obviously fake" warning signs, people may be less alert when real ones arrive.
Of course with the millions of websites available I couldn't think of one specific one, so I just held down the "x" key and then pressed CTRL+ENTER (which automatically added "www" and ".com" to your entry - typing this on a mac I see it still works with Firefox).
Of course www.x(and a few more x).com was a porn site.
Of course there were a bunch of people (including customers) sitting in reception (and the receptionist herself) who could directly see the screen.
Of course the PC was running nothing else, so a quick alt+tab didn't hide anything.
I announced that all was fine and ran for my desk.
Usually use company-i-buy-from@mydomain.ninja whenever I make online purchases, and I had a guy from a small shop call me up and ask why I had an email with his company name on. Took some good fifteen minutes to explain him that I was legit and owned the domain. He was still reluctant in the end, but eventually ended the conversation with something along the lines of "it's your problem, not mine, if the parcel won't reach you for using a fake email" :)
That said I've caught and blacklisted quite a few bad actors this way, AND filtering is easier. So worth the occasional weird interaction.
then to ${my_initials}${random_few_digits}@${my_domain} to be able to hand out pre-generated email addresses of mine even offline, and bookkeep who has got which random number at my side internally.
this raised the least eyebrows so far.
The funniest experience was when searching a VoIP provider. One had it in their terms that their name must not be part of the email address. Well, no chance to get my business then.
Never going to know what reaction I'm going to get.
Hilarious, this is great.
We have something that makes genuine links look malicious at work too.
I think it’s called Microsoft Safelink or something. Its purpose is to go through your Outlook inbox and obscure the origin of every link because, obviously, being able to understand what you’re clicking on is bad.
Remember kids, no one ever gets fired for buying Microsoft. ;)
Not sure if that's really a safe links problem, but it's super annoying.
also ProofPoint filtered links
https://cam-xxx.live/trojan-hunter/evil-snatcher/malware_cry...
EDIT: hehe got one https://news.ycombinator.com/item?id=45297475
Also, we were thought to inspect the URL before clicking on it.
Except that the spam system they use completely mangles the URL...
I hate this trend. Like an overused pool of the same "Secret Questions" every company asks, it needs to be on some "X considered harmful" list.
I'm not sure how many companies that would happen at, but it seems... just dumb enough to be plausible.
Not great when you're on the phone with United Airlines and the person who's trying to help you get un-stranded asks what your favorite ice cream flavor is.
United has the absolute stupidest secret questions.
my high school mascot? fish-car-base-picture((#$#$&#*4303483
Here:
#!/usr/bin/env python3
from urllib.parse import urlparse, parse_qs
from sys import argv
print(parse_qs(urlparse(argv[1]).query)['url'][0])
(For a different domain).
Since you can't exhaustively enumerate every good thing or every bad thing on the internet, a lot of security detection mechanisms are based on heuristics. These heuristics produce a fair number of false positives as it is. If you bring the rate up, it just increases the likelihood that your security folks will miss bad things down the line.
In the meantime, does anyone else get a kick out of receiving emails from quarantine@messaging.microsoft.com where they quarantine their own emails?
Edit: I see other people said things that are similar to a more mature version of my feeling. We need to address this in a way that addresses the threat of email links properly, not throw machine learning at guessing which are OK to click. BTW, I'm not implying that you're saying that is what should be done to solve the issue, but I'm sure it's behind the silly MS quarantine I mentioned, and when an email from the one person I email the most, who is also in my contacts, going to spam in iCloud.
The other 10% are people who are just like you and know better.
I think that guy would get a kick out of using this for his pranks.
> https://pc-helper.xyz/usr/libexec/gnome-session/binary/etc/p...
Although I suspect some IT drone would be less enthusiastic when reviewing the chat logs when it’s picked up on heuristics
1. Create dodgy looking URL
2. AI in Gmail spots link, blocks it.
3. Blocked link is spidered for more information automatically
4. Link resolves to website
5. Website black-listed
https://www.cyber.gov.au/business-government/asds-cyber-secu...
that is just binance.com lol
https://pc-helper.xyz/root-exploit/virus_loader_tool.exe?id=...
I reported it for phishing and I kid you not, less than 30 seconds later I got a response "Email is not suspicious"
What do you MEAN email is not suspicious? This is the most suspicious email I have ever received!
If you copy the generated url and put it into the entry field (and repeat) then you end up at a bitcoin site. As Bubblerings has pointed out that has malware.
Uh, what? I just tried it a few times, and it seems to just follow the redirect each time, always ending up back at the original target URL I entered. How many times did you have to "repeat" to make that happen?
> As Bubblerings has pointed out that has malware.
No, that's not what BubbleRings said. BubbleRings said one site on VirusTotal reported it was malware. That sounds like a false positive because the URL is fishy, which is the entire point of the joke here.
And this madlad posts this at Friday.
GG HF, SOC people :D
im sry, did i miss the part on how you can hack someone by simply sending them the link? is the web seriously that bad? honestly at least do full job and create some phishing website that goes along, otherwise wtf?
"Just fuck me up fam!"
You had me spraying coffee by that point
All the funnier trying it with links to community church services (baptist no less).
Google uses it for its Alphabet Investor Relations site: http://abc.xyz