On 9/25/20 11:26 AM, Jay Hennigan via mailop wrote:
> Even before the phishing became overwhelming they were a significant source
> of spam, primarily "targeted" via purchased lists. For at least the past six
> months the phishing has been overwhelming. While they claim to be working on
> the problem the evidence shows otherwise.

That's because, IMO, it's a fallacy to assume that compromised accounts are mostly due to phishing. Password reuse combined with automation by credential stuffers is the main culprit. Organizations need to diversify their focus a little away from inbound threats and towards (1) multi-factor/higher-trust authentication and (2) aggressively resetting passwords based on suspicious login activity. I would bet that Sendgrid knows this, but they are challenged with both, given the type of users they deal with.

It would be better if companies like Sendgrid wouldn't even prompt their users to create passwords, because it's too common for users to reuse passwords (and variants) that attackers know. Instead, they should rely on OAuth or SAML. I think that the reason they don't is because it's easier to ask users to create email/password combinations, lest it interfere with their go-to-market strategy.

Perhaps an alternative would be to randomize the username (and don't use the email/domain without the domain owner's consent), which would make it difficult for attackers to know the username in their credential stuffing attacks, plus it would encourage users to learn how to use a password manager. Worst case, it just means that people forget their username and have to ask for an email reminder every time (which is a sort of poor-man's MFA).

Jesse

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
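The "reset passwords based on suspicious login activity" approach argued for above, as an added example that is not from the thread or from any provider's code: it scans authentication log lines for sources that try many distinct usernames with mostly failures (the credential-stuffing pattern) and lists accounts that had a successful login from such a source. The log format, the thresholds and the sample log are all constructed assumptions.

```python
# Added example (not from the mailop thread): flag likely credential-stuffing
# sources in authentication logs and list the accounts that should be force-reset.
# Log format and thresholds are assumptions, not any vendor's real format.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)"
)

# Constructed sample log: 203.0.113.5 walks a purchased list (many users, mostly
# failures, one success); 198.51.100.7 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2020-09-25T11:30:01Z ip=203.0.113.5 user=alice result=fail
2020-09-25T11:30:02Z ip=203.0.113.5 user=bob result=fail
2020-09-25T11:30:03Z ip=203.0.113.5 user=carol result=fail
2020-09-25T11:30:04Z ip=203.0.113.5 user=dave result=ok
2020-09-25T11:30:05Z ip=203.0.113.5 user=erin result=fail
2020-09-25T11:30:06Z ip=203.0.113.5 user=frank result=fail
2020-09-25T11:31:00Z ip=198.51.100.7 user=alice result=fail
2020-09-25T11:31:05Z ip=198.51.100.7 user=alice result=ok
"""

def parse(log):
    """Yield (ip, user, result) for each well-formed line; skip malformed ones."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["user"], m["result"]

def stuffing_sources(log, min_users=5, min_fail_ratio=0.8):
    """Return IPs that tried many distinct usernames with mostly failures."""
    users = defaultdict(set)
    attempts = defaultdict(lambda: [0, 0])  # ip -> [failures, total]
    for ip, user, result in parse(log):
        users[ip].add(user)
        attempts[ip][1] += 1
        if result == "fail":
            attempts[ip][0] += 1
    return {
        ip for ip, (fails, total) in attempts.items()
        if len(users[ip]) >= min_users and fails / total >= min_fail_ratio
    }

def accounts_to_reset(log, **thresholds):
    """Accounts that logged in successfully from a stuffing source."""
    bad_ips = stuffing_sources(log, **thresholds)
    return sorted({u for ip, u, r in parse(log) if r == "ok" and ip in bad_ips})
```

On the sample log the single account that succeeded from the list-walking source is the one queued for a reset; the ordinary user's one failed attempt does not trip the thresholds.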