@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
Enough to sting but not crippling to us or the vendor involved.
Thankfully!
@manxam said in Phishing testing / awareness / training suggestions?:
MSPs can only purchase Platinum or Diamond I was told, and at a minimum of 101 seats @ MSRP -20%. So, a minimum spend of $2400 CDN for us and $3000 for the customer for their "recommended" tier (platinum).
Does the old adage apply here? "Gotta pay to play"...?
Well, if you are approaching as an MSP, this is to be expected. You are assumed to be reselling the service. This is the only thing they allow to be resold.
You as the MSP buy 101 licenses and resell 10 each to a few clients at MSRP -5%.
@coliver said in Smart Phishing Spams worrying me:
This is called spear phishing or targeted phishing. There isn't much you can do about it from a technical perspective. Training your users is about the only option.
That's really the case. The thing about spear phishing is that it is all but impossible to confidently detect unless you are the human recipient and can verify the details in some other manner.
There is a blacklist that all CAs have on high-dollar domain names to prevent major fraud. LE cannot issue for something.microsoft.com or something.bestbuy.com, for example.
But the subdomain names used in these PayPal examples are all outside of that. They are all on valid (ish) TLDs.
@dafyre said in Actual Malicious LinkedIn Emails:
@ChrisL said in Actual Malicious LinkedIn Emails:
@dafyre said in Actual Malicious LinkedIn Emails:
@ChrisL said in Actual Malicious LinkedIn Emails:
I would always hope that someone isn't naive enough to think that a major financial institution with their contact info on hand would reach out to them through LinkedIn.
Buuuuuut, I've been wrong before.
Nah... Why would they do that, when they could impersonate a family friend and try to tell me that I won 150k from a non-existent government agency.
Congratulations!
Can I give them your bank account numbers? We can split the winnings.
I was afraid you'd never ask.
@stacksofplates said in OWA is vulnerable to Phishing:
@scottalanmiller said in OWA is vulnerable to Phishing:
@aidan_walsh said in OWA is vulnerable to Phishing:
@Breffni-Potter said in OWA is vulnerable to Phishing:
Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?
Same again for the banking website.
That's exactly what happens. You'd be surprised at what passes for phishing attacks, and how many people fall for them. I've seen ones that have asked people "for security purpose" to enter all 50 4-digit code card entries, something a bank would obviously never do.
And yet...
Partially that's because real banks have done that traditionally.
Like AMEX. I needed a password reset and they asked for all of the info on my card, other than my name and expiration.
Yeah, it definitely still happens. And I've had huge security gaps that I've told a bank was not secure and they didn't care. I said... I literally have no means to tell if you are really my bank or not and they are just like "so, we don't care."