Twilio, Cloudflare just two of 135 orgs targeted by Oktapus phishing campaign

Criminals behind the cyberattack attempts on Twilio and Cloudflare earlier this month had cast a much wider net in their phishing expedition, targeting as many as 135 organizations — primarily IT, software development and cloud services providers based in the US. The gang went after the employees of Okta customers, sending …

  1. Norman Nescio Silver badge

    Mail client fail

    Sigh.

    Yes, anyone with any nous knows not to click on links in emails.

    Any organisation with nous knows not to send official (or even unofficial) emails with clickable links.

    But email clients encourage you to click links, because they render HTML emails, and your muscle memory from using web-browsers is that clicking links is safe.

    The email clients should not allow links to be clicked in emails. Doing so should give a pop-up saying that clicking links in emails is highly inadvisable, and prevent follow-through.

    As long as emails render HTML with active links, people will click on them and get phished. It is not a people problem, it is a technical problem. Just. don't. make. links. in. emails. active.

    NN

    1. Anonymous Coward
      Anonymous Coward

      Re: Mail client fail

      > Any organisation with nous knows not to send official (or even unofficial) emails with clickable links.

      Ha! I work for a large US firm that owns multiple cybersecurity companies; corporate sends out HTML emails stuffed full of clickable links every day.

    2. Falmari Silver badge
      Thumb Up

      Re: Mail client fail

      @Norman Nescio "The email clients should not allow links to be clicked in emails."

      Exactly, there should be a setting to disable links. The setting could have options to add certain addresses to a whitelist so their links would work. But at the very least there should be an option to disable all hyperlinks.

      Maybe that option exists in some email clients but I have not found that option in MS Exchange.

    3. IGotOut Silver badge

      Re: Mail client fail

      The stupid thing is ProtonMail does exactly this (unless you decide to override it), so it's not like it's hard to do.

      If you click a link, it displays the entire URL and says "Are you sure you want to do this?"

    4. Robert Carnegie Silver badge

      Re: Mail client fail

      If "clicked links open Internet Explorer, which has been deleted from the workstation, so nothing happens" counts as protecting your users - I've seen that.

  2. JimmyPage Silver badge
    Big Brother

    How hard can it be

    to configure an email client to not render links clickable, and to also display the href in plaintext in the message so the user can see what's going on.

    Probably no harder than it would be to have a config setting that prevents (or at least warns) when the "To" list has more than (for example) 100 email addresses in it.

    ?????????????????????????????????????????

    Not hard at all. Which means the ongoing absence of such features has a whiff of conspiracy about it.
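The feature Falmari and JimmyPage describe above (links made non-clickable unless the sender's host is on a whitelist, with the real href shown in plain text) is not hard to do, as this added example shows. It is illustration code written for this thread, not part of any mail client; the allowlist host, the sample message and the `[link to: ...]` rendering are all constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: only links to these sender-owned hosts stay clickable.
ALLOWED_HOSTS = {"mail.example-corp.test"}

# Constructed sample message: one lure link whose text hides the destination,
# and one legitimate link to an allowlisted host.
SAMPLE = ('<p>Your password expires today. <a href="https://sso.example.invalid/login">'
          'Sign in at sso.example-corp.test</a> now.<br/>'
          '<a href="https://mail.example-corp.test/unsubscribe">Unsubscribe</a></p>')


class LinkDefuser(HTMLParser):
    """Drop every <a href> not on the allowlist, keep its visible text, and
    append the real destination so the reader can see where it pointed."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed_hosts
        self.out = []
        self.defused = []  # stack of hrefs for anchors currently being defused

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if (urlparse(href).hostname or "") in self.allowed:
                self.out.append(f'<a href="{html.escape(href, quote=True)}">')
            else:
                self.defused.append(href)  # tag is dropped, text kept
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())  # e.g. <br/>, passed through

    def handle_endtag(self, tag):
        if tag == "a" and self.defused:
            href = self.defused.pop()
            if href:
                self.out.append(f" [link to: {html.escape(href)}]")
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)


def defuse_links(message_html, allowed_hosts=ALLOWED_HOSTS):
    parser = LinkDefuser(allowed_hosts)
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out)
```

Run `defuse_links(SAMPLE)` and the lure anchor becomes inert text followed by its real URL, while the allowlisted unsubscribe link survives untouched.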
