Re: HTML email is in itself a security hazard
> 10 minutes after that came a request for information sent to ALL staff asking for personal information on a form at www.office365.com/something, ie not even our own hosting. Both were confirmed by my boss as genuine company emails.
I once worked for a large email security SaaS company (who frontend the mailservers for a lot of very large/important companies around the world). About a month into the job I received an email from some external domain containing a link (again external) which the email said to go to and login with company credentials for online training... I ignored it. A couple of weeks later I received an internal email (from HR?) informing me that I had not yet completed mandatory security training. I replied that as I had ignored the previous (external) email I assumed I'd passed, as it had looked like a phishing email. Eventually, with a bit of back and forth with different departments, it was admitted that whilst it looked like a phishing email (and that no-one was ever notified to expect such a "valid" email from that domain) it was indeed a valid email from the 3rd party online training company that they used, and if I did not follow the link to complete the training I would lose my job. Very much a case of "do as we say, not as we do".
Also, when starting at the same company I was given a laptop with a docking station and wireless keyboard and mouse. A couple of days later I pointed out to the IT guy on-site that it was Microsoft's *unencrypted* wireless keyboard and that the encrypted version didn't cost much more. I also showed him a website with a simple hardware diagram (about $20 of parts) and provided software to log keystrokes from these keyboards from approx 10m range (using a "cantenna"). I then pointed out to him the *public* car parking spaces down the outside wall of our building about 2m from my desk where anyone could potentially sit with such a logging device - he was visibly unimpressed and unconcerned.
Apparently about 2 years later they finally switched to encrypted wireless keyboards...
Then again, the local office of another well known IT security company (known for their open-source pentesting toolkit) has had its office broken into at least twice, and on each of the 2 or 3 times I was there for MeetUp events there was no-one manning either their office door or their main office floor, and so I, like everyone else, walked through their open-plan office, past whiteboards with company info on them, past multiple desktops (easy to quickly install a physical keylogger) to get to/from their conference room around the corner of their L-shaped building floor (and so their conf room was out of sight of their office). Security? They've heard of it...