Generally no-- the payload typically comes from some sort of interaction (click a link, open an attachment, reply to the message). There have been some zero interaction attacks with emails before. Like for example, when the email is previewed in the reading pane in Outlook. These are exceptionally rare and not what we’re training against when we do phishing training.
That said, if you know an email is phishing it’s always best to not interact with it at all, but you really can’t always tell by the sender and subject line alone.
It also depends if your client downloads embedded content (images) by default.
(For example, a publicly hosted email signature image, rather than an image attached to the email).
In the case of using the preview pane, there’s a subtle case of displaying external images (img src in HTML) where an attacker can get an idea of what content is getting past email filters. The client will just download the image automatically, and the attacker’s webserver logs the activity. I think that can be turned off in various email clients, but folks have to be savvy enough to know to do it.
Generally no-- the payload typically comes from some sort of interaction (click a link, open an attachment, reply to the message). There have been some zero interaction attacks with emails before. Like for example, when the email is previewed in the reading pane in Outlook. These are exceptionally rare and not what we’re training against when we do phishing training.
That said, if you know an email is phishing it’s always best to not interact with it at all, but you really can’t always tell by the sender and subject line alone.
It also depends if your client downloads embedded content (images) by default. (For example, a publicly hosted email signature image, rather than an image attached to the email).
In the case of using the preview pane, there’s a subtle case of displaying external images (img src in HTML) where an attacker can get an idea of what content is getting past email filters. The client will just download the image automatically, and the attacker’s webserver logs the activity. I think that can be turned off in various email clients, but folks have to be savvy enough to know to do it.
Doesn’t thunderbird by default not download external images?
Also if I was working IT for some company I would make sure all email clients were configured that way.