[MattGaiser]

Is detecting phishing all that straightforward? As banks, travel agents, and even governments, are all terrible at avoiding the signalling of phishing.

Equifax had its entire response to its breach on a different domain, the kind of thing we tell people to watch out for.

https://www.equifaxsecurity2017.com/

This looks like phishing. But it is legitimate.

[heipei]

It is not straightforward, and it is complicated by a number of factors. The first would be bad "brand hygiene": If a company has dozens of legitimate domains across different TLDs, different providers and different geographical locations then it's already more complicated than just one canonical .com domain. If teams within the company are permitted to spin up their own domains (e.g. marketing campaigns, branch offices) then it gets 10x worse. Lastly if a legitimate brand frequently changes its appearance, it will be harder to pin down the true brand identity.

But even if you follow all of these best practices there are still powerful attack vectors. A threat actor could host their phishing page on an unrelated (compromised) domain with good domain reputation, in that case you wouldn't even know about that site until the first email or SMS hits your customers. Or the threat actor could use one of the many file-hosting or website services to create their site and host it on a shared third-party domain with perfect domain reputation (e.g. amazonaws.com).

And then there's incentive: It's no the companies that suffer financial losses, it is their customers. If you were talking about their employees being phished that would be a different story. Same thing for Google Safe Browsing: Their incentive is to protect against most of the obvious phishing, without any false positives, ever. If they are slow to detect something they won't suffer any losses. If they generate a False Positive their Chrome browser might suffer significant reputational damage if a popular legitimate domain is blocked.

[bartvk]

Vattenfall (a big Swedish energy company) had the same for a while. Their marketing created a website where you could log in as a user, on a completely different domain.

Most have been fixed but my current pet peeve is receiving email newsletters from these companies with tracking links. I get it, you're trying to measure something. But they're genuinly sending you links like sx4pv.mjt.lu/lnk/EEEAAAA-3434-asdfasdfasdf

[sureglymop]

Even tech companies do this wrong. Github had it's upcoming/beta features on githubnext.com and even sent out auth related e-mails from there. I wanted to test their new features but when I got the email I lost my faith in them and opted not to.

[cameronh90]

DHL sent me a shipment tracking email from "dhlecommerce.co.uk" the other day. I almost deleted it, but then I remembered I was actually waiting for a package.

This is a huge issue and it seems like we've just given up on it. There used to be EV SSL certs, but they are essentially dead now. There's BIMI for email, but support is mixed, and only partly addresses the issue.

[ecosystem]

Indeed. They haven't learned their lesson.

AT&T finally copped to enormous breach this month. In their notification to individuals (sorry, sign up for identity protection, etc), they made sure to let you know official email always comes from: att@message.att-mail.com

...an email address and subdomain that have never contacted me before on a sketchy sounding domain that doesn't match the service (hosted at https://att.com). The email links to experianidworks.com which asks for email, address, and SSN upon clicking the CTA.