u/littleko

Rant: QR-code phish in forwarded screenshots are making mail filtering ridiculous

The worst email lures in our queue lately are not clever links. They're a screenshot of a fake login or benefits message forwarded from a phone, with the only URL buried in a QR code inside the image.

Now the mail gateway has to OCR a mobile screenshot, find the QR code, resolve it, sandbox the landing page, and still decide before the user opens it. Half the time the text is compressed, cropped, or wrapped in some "scan this to view secure message" nonsense.

This is the part that annoys me: the attacker moved the URL out of the MIME structure entirely. No href, no attachment exploit, no sender auth failure to hang a decision on. Just pixels.

Users are also trained to treat QR codes as normal because every restaurant, invoice portal, and event check-in normalized them. Asking a mailbox control to infer intent from a blurry forwarded image feels like we turned email security into document forensics.

end of rant

u/littleko — 13 hours ago

User memory is useless for mailbox compromise scoping

When an email account gets popped, I start with Exchange Online message trace and audit events before I ask the user what looked weird. Their timeline is usually fuzzy, and the inbox has often been cleaned up by the attacker or the user by then.

My first pass is boring: inbound lure, successful sign-ins, MailItemsAccessed, inbox rules, sent mail, deletes, forwarding, OAuth grants, then message trace for who else got hit.

The user interview still matters, but I treat it as a lead source, not the source of truth. Logs first, feelings second.

u/littleko — 4 days ago
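Added example (not code from the post): a scoping helper that sorts constructed audit records into the first-pass buckets listed above and summarises source IPs, persistence changes and outbound mail. The records are JSON lines shaped like a Microsoft 365 unified audit log export; the operation and field names used here are assumptions and should be checked against a real export from your tenant.

```python
import json
from collections import Counter

# Audit operation -> first-pass bucket from the post. Operation names are
# assumed to match the M365 unified audit log; verify against a real export.
BUCKETS = {
    "UserLoggedIn": "sign-in", "MailItemsAccessed": "mail-access",
    "New-InboxRule": "inbox-rule", "Set-InboxRule": "inbox-rule",
    "Send": "sent-mail", "SendAs": "sent-mail", "SendOnBehalf": "sent-mail",
    "SoftDelete": "delete", "HardDelete": "delete", "MoveToDeletedItems": "delete",
    "Set-Mailbox": "forwarding", "Consent to application.": "oauth-grant",
}
PERSISTENCE = {"inbox-rule", "forwarding", "oauth-grant"}

# Constructed sample export (JSON lines); not data from any real tenant.
SAMPLE_LOG = """
{"CreationTime":"2024-05-02T08:12:05","Operation":"UserLoggedIn","UserId":"a.user@example.com","ClientIP":"203.0.113.9","ResultStatus":"Success"}
{"CreationTime":"2024-05-02T08:13:00","Operation":"FileAccessed","UserId":"a.user@example.com","ClientIP":"203.0.113.9"}
{"CreationTime":"2024-05-02T08:14:30","Operation":"MailItemsAccessed","UserId":"a.user@example.com","ClientIP":"203.0.113.9"}
{"CreationTime":"2024-05-02T08:15:01","Operation":"New-InboxRule","UserId":"a.user@example.com","ClientIP":"203.0.113.9","Parameters":[{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectContainsWords","Value":"invoice"}]}
{"CreationTime":"2024-05-02T08:16:44","Operation":"Set-Mailbox","UserId":"a.user@example.com","ClientIP":"203.0.113.9","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:ext@example.net"}]}
{"CreationTime":"2024-05-02T08:20:10","Operation":"Send","UserId":"a.user@example.com","ClientIP":"203.0.113.9","Item":{"Subject":"Updated payment details"}}
{"CreationTime":"2024-05-02T09:01:00","Operation":"UserLoggedIn","UserId":"a.user@example.com","ClientIP":"198.51.100.4","ResultStatus":"Success"}
"""

def params(rec):
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def build_timeline(text):
    """Parse JSON-lines audit records into a time-ordered list of tagged events."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        bucket = BUCKETS.get(rec["Operation"])
        if bucket is None:
            continue  # unrelated operation (e.g. SharePoint file access)
        # Set-Mailbox only matters here when it touches a forwarding setting
        if bucket == "forwarding" and not any(k.startswith("Forwarding") for k in params(rec)):
            continue
        events.append({"time": rec["CreationTime"], "bucket": bucket, "op": rec["Operation"],
                       "ip": rec.get("ClientIP", "?"), "detail": params(rec) or rec.get("Item", {})})
    return sorted(events, key=lambda e: e["time"])

def scope(events):
    """Summarise what was touched: source IPs, persistence changes, outbound mail."""
    return {
        "ips": sorted({e["ip"] for e in events}),
        "persistence": [e for e in events if e["bucket"] in PERSISTENCE],
        "sent": [e["detail"].get("Subject", "?") for e in events if e["bucket"] == "sent-mail"],
        "by_bucket": dict(Counter(e["bucket"] for e in events)),
    }
```

Feed `build_timeline` the raw export and hand `scope` the result; the `sent` list is the starting point for the message trace that finds who else received the attacker's mail.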

Browser-in-the-browser phishing is not the scary part

I keep seeing browser-in-the-browser kits treated like the scary leap, but the nastier thing in my logs has been one-time URLs that burn after the first fetch.

If the gateway sandbox follows the link first, the user gets a 404 later; if the user hits it first, the sandbox gets nothing useful on replay.

That breaks a lot of the neat “just rescan the URL” logic people assume exists. I’d rather spend time on click-time telemetry and redirect chain capture than arguing about fake browser chrome.

u/littleko — 6 days ago