[raxxorraxor]

Sensible for the users that really download and execute attachments from the most obvious spam mails. The only protection you have is to put these high threat users in a separate subnet and use some antivirus to scan everything they download. At least that offers some protection. Not possible to scan downloads with TLS.

Although I still think that breaking it up is a very bad idea in general and it is appalling that this became common practice. Especially because there are exceptions where it fails and you train users to just disregard TLS errors.

Even worse, the IT security industry shamelessly uses the data to spy on employees. For that alone it deserves its bad reputation. Still, there is no real solution to shield data from the the most careless users.

[denton-scratch]

> put these high threat users in a separate subnet

Ideally a subnet belonging to one of your competitors? I thought that nowadays only very ignorant people follow links or open attachments in spam emails. Certainly all the spam I've seen for a few years has been as plain as the nose on your face: only an ignorant person would mistake it for ham.

[dhosek]

I did almost get caught in a scam—email appeared to come from CEO in my medium-sized company (so it wouldn’t have been out of place to hear from him). First email simply said, do you have a moment to chat, second was, fortunately, an obvious scam request—“can you buy some gift cards for a client?” but everything was disguised enough that I might have gotten caught with a better-conceived spear phishing attack.

[raxxorraxor]

Companies get pretty sophisticated spam. You only need one compromised supplier and they have your names and usual mail format and just sneak edit some links to lead to compromised sites. But yes, some users also fall for the pretty obvious crap.