upvote
"Theoretical" becomes "pretty much guaranteed" if standards sink low enough - the more effort you put in, the more problems you ward off.

Sort of like how a lock can be picked in 30 seconds, but still deters 90% of crime - a lot of criminals are just searching around to find out who is vulnerable, and most every company has something that's worth at least a bit (even if it's just stealing $500 laptops instead of breaching the network)

reply
Imaginary country called Nicha can’t buy lithography machine from imaginary company called SAML. Nicha can kidnap some scientists and torture them to get all the secrets. But it’s not elegant. Nicha can pay a lot for hacking and get the result in anonymous way. I guess 8 figures can be paid easily for these secrets. With that money “red team” can launch very nice multifaceted social hacking attack.
reply
> Theoretically, someone could craft a perfect phishing attack, but who would go to all that trouble? Spray-and-pray, low precision, high surface area, attacks are the ones I end up reading about.

I've been at a company that was well targetted. I forget which group it was, but they were got into a lot of customer service sites that week; not ours, but we had some near misses. Almost got me, sent me an email from the boss with 'The blog is down' and a link ... I was checking my mail on mobile as I was out the door, but of course mobile doesn't show any useful headers like from address.

reply
I remember at some point Google disallowed more phishing attacks from red teams. Nothing new was being learned. They always work.
reply
> But who would go to all that trouble?

I mean, a company I worked at had a significant amount of money stolen after the attackers spent 6 months sitting on their access waiting for the right moment to fake an (expected) reply to an email exchange. The original breach (or at least the breach of this executives account) involved a very targeted phish. When the potential payout is millions it justifies a lot of effort.

reply