Baltimore City Government Computers Taken Over by Ransomware Hackers

[barbos]

$3mil? It's a nice gig to have - go around and tell people it's their own fault for getting hacked and then be paid.

$3+ million over 30 years is roughly 100k a year, about a mid-range salary for a Developer around here, definitely not out of the ordinary for IT security.

I know that, it's just I think that your average 100k security people are useless waste of money.

I actually agree with Gun Nut on much of what he says, though he tinges it with a good dose of sarcasm when making statements like:

The only reasonable solution is just saying, "no, that link is unknown to me and I have better things to do than just 'see what might be there'"

It is extremely difficult to protect users from themselves, and it is generally their fault when they get caught up in a phishing scam. The security team in my IT organization occasionally run security tests by sending out carefully crafted fake phishing emails, and some of the IT professionals here who should know better, inevitably fall for it.

must be demented ones according to Nut

The only thing they can really do about it is to educate everyone after the fact,

No, not the only thing. There are number of things on service side which can be done but are not being done.

and hope that we all collectively learn from it. In the 4 years I have been here, we have had at least one legitimate intrusion that I am aware of that came about from a phishing attack. We do a lot of web development, and simply firewalling every unknown URL is not a practical solution for everyone. We do have different levels of access to the internet, and developer access is much more open than the access granted to other users, though there are still some restrictions. I have worked in shops where developer access is entirely unrestricted. No, getting caught up in a phishing scam is not a crime, but you do bear responsibility, and I have seem people fired over it. That intrusion I mentioned above got one of my teammates fired, but I believe there was more to his firing than just that. We never got the full scoop from management, but his laptop was quarantined and we were unable to retrieve his uncommitted code, not that it was any big loss.

Anyway, I was really talking about executing unknown code from the internet (ransomware and viruses, problem which was solved long time ago), not phishing.

 

[KeepTalking]

I know that, it's just I think that your average 100k security people are useless waste of money.

I actually agree with Gun Nut on much of what he says, though he tinges it with a good dose of sarcasm when making statements like:

The only reasonable solution is just saying, "no, that link is unknown to me and I have better things to do than just 'see what might be there'"

It is extremely difficult to protect users from themselves, and it is generally their fault when they get caught up in a phishing scam. The security team in my IT organization occasionally run security tests by sending out carefully crafted fake phishing emails, and some of the IT professionals here who should know better, inevitably fall for it.

must be demented ones according to Nut

The only thing they can really do about it is to educate everyone after the fact,

No, not the only thing. There are number of things on service side which can be done but are not being done.

and hope that we all collectively learn from it. In the 4 years I have been here, we have had at least one legitimate intrusion that I am aware of that came about from a phishing attack. We do a lot of web development, and simply firewalling every unknown URL is not a practical solution for everyone. We do have different levels of access to the internet, and developer access is much more open than the access granted to other users, though there are still some restrictions. I have worked in shops where developer access is entirely unrestricted. No, getting caught up in a phishing scam is not a crime, but you do bear responsibility, and I have seem people fired over it. That intrusion I mentioned above got one of my teammates fired, but I believe there was more to his firing than just that. We never got the full scoop from management, but his laptop was quarantined and we were unable to retrieve his uncommitted code, not that it was any big loss.

Anyway, I was really talking about executing unknown code from the internet (ransomware and viruses, problem which was solved long time ago), not phishing.

Okay... so, how about this scenario:
An IT professional receives an email purporting to be from their HR department, and it is a pretty damn good one with no misspellings and it utilizes the actual name and title of a known person in HR. That email simply directs the recipient to click on a link, clicking on that link launches an attack. Is that a phishing attack, or one of those problems that you claim was solved long ago? If it is not a phishing attack, what is the solution to it, given that it was solved long ago? If it is phishing, how is it any less problematic than the problem that was solved long ago?

 

[barbos]

I know that, it's just I think that your average 100k security people are useless waste of money.

must be demented ones according to Nut

The only thing they can really do about it is to educate everyone after the fact,

No, not the only thing. There are number of things on service side which can be done but are not being done.

and hope that we all collectively learn from it. In the 4 years I have been here, we have had at least one legitimate intrusion that I am aware of that came about from a phishing attack. We do a lot of web development, and simply firewalling every unknown URL is not a practical solution for everyone. We do have different levels of access to the internet, and developer access is much more open than the access granted to other users, though there are still some restrictions. I have worked in shops where developer access is entirely unrestricted. No, getting caught up in a phishing scam is not a crime, but you do bear responsibility, and I have seem people fired over it. That intrusion I mentioned above got one of my teammates fired, but I believe there was more to his firing than just that. We never got the full scoop from management, but his laptop was quarantined and we were unable to retrieve his uncommitted code, not that it was any big loss.

Anyway, I was really talking about executing unknown code from the internet (ransomware and viruses, problem which was solved long time ago), not phishing.

Okay... so, how about this scenario:
An IT professional receives an email purporting to be from their HR department, and it is a pretty damn good one with no misspellings and it utilizes the actual name and title of a known person in HR. That email simply directs the recipient to click on a link, clicking on that link launches an attack. Is that a phishing attack, or one of those problems that you claim was solved long ago?

It's a problem which was solved long time ago by sandboxing unknown code. In fact all code can and should be sandboxed, and I understand android and IOS use it to some extent.

If it is not a phishing attack, what is the solution to it, given that it was solved long ago? If it is phishing, how is it any less problematic than the problem that was solved long ago?

You can read wiki on phishing, they have few solutions, one with forcing user to select image from a set seems pretty bulletproof.
And I just spent 5 minutes and devised another solution where you simply forbid sending passwords over Web and use hashes instead, and hash them with something which would be hard for an attacker to spoof for example IP and of course hash it with random message from the server of course so that even if the attacker manages to spoof IP (I don't see how it can be done especially if user
use direct connection) he would have to do everything in real time, in other words no ability to store credentials for later use.

Then browser can hash credentials it is about to send and compare it to database of sites it was sent to before and insist on user using bookmarked address instead. And of course refuse to send hashes/passwords to sites which are not "secure"

Oh wait, it all depends on user being able to distinguish between ordinary input field and input field for password. and we know already we can't be sure of that at all.
Ok , how about hashing all input fields and checking with database. that way browser can detect plain password is about to be sent somewhere and refuse to do so.

 

[Gun Nut]

I know that, it's just I think that your average 100k security people are useless waste of money.

I actually agree with Gun Nut on much of what he says, though he tinges it with a good dose of sarcasm when making statements like:

The only reasonable solution is just saying, "no, that link is unknown to me and I have better things to do than just 'see what might be there'"

It is extremely difficult to protect users from themselves, and it is generally their fault when they get caught up in a phishing scam. The security team in my IT organization occasionally run security tests by sending out carefully crafted fake phishing emails, and some of the IT professionals here who should know better, inevitably fall for it.

must be demented ones according to Nut

The only thing they can really do about it is to educate everyone after the fact,

No, not the only thing. There are number of things on service side which can be done but are not being done.

and hope that we all collectively learn from it. In the 4 years I have been here, we have had at least one legitimate intrusion that I am aware of that came about from a phishing attack. We do a lot of web development, and simply firewalling every unknown URL is not a practical solution for everyone. We do have different levels of access to the internet, and developer access is much more open than the access granted to other users, though there are still some restrictions. I have worked in shops where developer access is entirely unrestricted. No, getting caught up in a phishing scam is not a crime, but you do bear responsibility, and I have seem people fired over it. That intrusion I mentioned above got one of my teammates fired, but I believe there was more to his firing than just that. We never got the full scoop from management, but his laptop was quarantined and we were unable to retrieve his uncommitted code, not that it was any big loss.

Anyway, I was really talking about executing unknown code from the internet (ransomware and viruses, problem which was solved long time ago), not phishing.

<sigh>

Phishing is the delivery mechanism. Execution of code is the attack. If you allow your users to execute code (aka - using the computer to do anything but hold the desk down) then the focus is on halting delivery, not making your computer read your mind (did you really want to give that site your password? Oh you did? no?).
Email controls stop way more than you are aware of. Average Enterprises drop (not even quarantine - just ignore) 80% of all messages received. EIGHTY PERCENT of all messages. How much more do you expect them to block for you??? At some point you just have to say, "I put your shoes on for you. I tied them. I taught you to walk. I showed you where the dogshit is. I prohibited you from going to the places where most of the dogshit is. I helped clean up a lot of the dogshit. Pretty please, with dogshit on top, stop jumping around in the occasional piece of shit just for fun"

edited to add...

Worthless security professionals? You need us more than you even understand, Mr. Dunning Kruger.

 

[Jimmy Higgins]

Or logging into a system your username and password because your "IT head" told you to update your information. Typically, the email sent doesn't read.

Hello, this Boris... your IT scam provider.

We need you to log into fake human resource site in order we get your login and password to upload ransomware software.

Please do not call me on phone, I'm busy in other office.

Boris Badinov
Not Head of IT at Your Company

Heck, even email is letting a bunch of phishing scams in again, as the phishers have managed to make the scanners think that you really have let your prescription lapse at the pharmacy.

So is that a "yes", you would open the door for the man in the ski mask because it SAYS "girl scouts" on it? Just like the email SAYS it's your IT guy (who never contacts you that way, and you company never needs you to "update your information", and the email address it came in from isn't even close to looking like a corporate address).

I've seen a few cases of internal emails being compromised somehow. And yes, there are ways to sniff it out, especially if one is vigilant. But this whole idea that the equivalence is letting a person who is clearly a robber in to your house is ridiculous. These things wouldn't work if people didn't fall for them for one reason or another.

I could ask you, "how does your company help you manage your identity".. and sure as fuck you won't say "they send us emails from external addresses, loaded with vague at best information and broken English grammar". Paying more than 1 second of attention to these is you being a poor employee. And before you complain that you are not a computer expert...

Well, you can stop there because I understand how scams work. I'm extremely hesitant to launch attachments unless I know who sent me something and I was expecting it. This isn't about me, this is about how some people who aren't as computer savvy in the mind or too busy to notice what they are doing. Not every scam is in broken English.

 

[Gun Nut]

Okay... so, how about this scenario:

Great.. good idea... lets walk through it.

An IT professional receives an email purporting to be from their HR department, and it is a pretty damn good one with no misspellings and it utilizes the actual name and title of a known person in HR.

what do you mean "utilizes the actual name"? Like the 3:00AM girl scout cookies at your door with the ski mask? They use the ACTUAL NAME... Girl Scouts. That's authentic. Girl Scouts are REAL. This would be called a Spear Phishing attempt. It's phishing, but highly targeted to the recipient (using an employee's name they pulled off of a Google search.. and then read their blog about the conference they attended... and then mention the conference in the email.)

That email simply directs the recipient to click on a link

Is that how your company manages HR communications.... "here - click this link", with no context whatsoever? No introduction as to what to expect. No proprietary information or context that is even vaguely familiar..no branding... no reference to a memo or a project... nothing... just a link, ey? Well that company is training employees to just blindly click shit, then... and they are creating / reinforcing idiot activity.

, clicking on that link launches an attack.

That would be the company failing to patch a vulnerability, or it's a zero day (previously unknown vulnerability). This is rare (like once a decade rare) and in neither case would be the employees fault beyond having clicked the link in the first place. More commonly, the link presents a form that is asking for a password, and that is all they want. If your company has horrible Identity and Access management where the employee has to remember 10 passwords that they have to enter all over different places all day, then, again, the company is creating idiot users. If descent, simple SSO is setup, like Active Directory affords, then users should see the form and just laugh at it (actually, they should never see the form because the phishing attack should (almost) never be successful).

Is that a phishing attack, or one of those problems that you claim was solved long ago? If it is not a phishing attack, what is the solution to it, given that it was solved long ago? If it is phishing, how is it any less problematic than the problem that was solved long ago?

The "attack" is in two parts... the delivery mechanism, and the payload. The payload should never have a chance to deploy. and no... nothing was "fixed" a long time ago.
Maybe he is thinking of the Java sandbox that never fixed anything, but instead gave some people a false sense of security. Java is so insecure that after years and years of patching, it has simply been abandoned. The concept of a sandbox is good... but when you can only play in the sandbox, you only get sand. not good for an enterprise with complex integrations and collaboration tools that are needed to conduct business.

If you do one single thing to protect yourslef and your company... just one simple thing... then that thing should be to check the incoming email address of every single unsolicited email you receive. Just look at it. NOT the name. the address. Especially the part just to the left of the last dot...

APerson@google.hackersparadise.com <- this email came from "hackersparadise.com". They had their own private subdomain on their own network that they named google. It DID NOT come from google.com

I sound like "do this one thing every day to..."

but do that.

 

[Gun Nut]

You can read wiki on phishing, they have few solutions, one with forcing user to select image from a set seems pretty bulletproof.
And I just spent 5 minutes and devised another solution where you simply forbid sending passwords over Web and use hashes instead, and hash them with something which would be hard for an attacker to spoof for example IP and of course hash it with random message from the server of course so that even if the attacker manages to spoof IP (I don't see how it can be done especially if user
use direct connection) he would have to do everything in real time, in other words no ability to store credentials for later use.

Then browser can hash credentials it is about to send and compare it to database of sites it was sent to before and insist on user using bookmarked address instead. And of course refuse to send hashes/passwords to sites which are not "secure"

Oh wait, it all depends on user being able to distinguish between ordinary input field and input field for password. and we know already we can't be sure of that at all.
Ok , how about hashing all input fields and checking with database. that way browser can detect plain password is about to be sent somewhere and refuse to do so.

If "reading a wiki on phishing" is your extent of knowledge, then it is understandable that you sound like a complete idiot when speaking about the topic.
Your "solutions" are so incredibly stupid, I will not spend the 30 minutes or so it will take to explain what is a very complex industry... I'm so glad you learned the word Hash. So sorry you think you have learned even 1 millionth of a percent of the relevant material. Now go look up, "pass the hash" "rainbow table" and "Federated access control". That should cover the errors yo made in your "solution".

 

[barbos]

You can read wiki on phishing, they have few solutions, one with forcing user to select image from a set seems pretty bulletproof.
And I just spent 5 minutes and devised another solution where you simply forbid sending passwords over Web and use hashes instead, and hash them with something which would be hard for an attacker to spoof for example IP and of course hash it with random message from the server of course so that even if the attacker manages to spoof IP (I don't see how it can be done especially if user
use direct connection) he would have to do everything in real time, in other words no ability to store credentials for later use.

Then browser can hash credentials it is about to send and compare it to database of sites it was sent to before and insist on user using bookmarked address instead. And of course refuse to send hashes/passwords to sites which are not "secure"

Oh wait, it all depends on user being able to distinguish between ordinary input field and input field for password. and we know already we can't be sure of that at all.
Ok , how about hashing all input fields and checking with database. that way browser can detect plain password is about to be sent somewhere and refuse to do so.

If "reading a wiki on phishing" is your extent of knowledge, then it is understandable that you sound like a complete idiot when speaking about the topic.

If most sites were doing what Wikipedia lists we would not have had this conversation.

Your "solutions" are so incredibly stupid, I will not spend the 30 minutes or so it will take to explain what is a very complex industry... I'm so glad you learned the word Hash. So sorry you think you have learned even 1 millionth of a percent of the relevant material. Now go look up, "pass the hash" "rainbow table" and "Federated access control". That should cover the errors yo made in your "solution".

I know why it would not work, I wrote it it myself. So incredibly stupid is everything you post here,

 

[bigfield]

It's reasonable to expect IT professionals to avoid phishing scams, because they need a relatively wide range of freedom when using computers at work and there's a professional responsibility that goes with that.

But other users should be expected to be naive, because they almost always are and always will be. Naive users shouldn't be able to escalate user privileges under any circumstances and their user accounts on network services should have the bare minimum access permissions required for their role. This is (or should be) taken for granted in corporate IT, but it also applies to home computers. Retail laptop manufacturers ship their products with the flimsiest level of "User Access Control". Other engineers have already done better: smartphone manufacturers disable privilege escalation entirely and provide a curated app store.

 

[barbos]

Complete and ultimate solution to phishing would be abandoning user typed passwords. Of course that would be inconvenient in some cases but that's how it can be done.

 

[barbos]

Great.. good idea... lets walk through it.
what do you mean "utilizes the actual name"? Like the 3:00AM girl scout cookies at your door with the ski mask? They use the ACTUAL NAME... Girl Scouts. That's authentic. Girl Scouts are REAL. This would be called a Spear Phishing attempt. It's phishing, but highly targeted to the recipient (using an employee's name they pulled off of a Google search.. and then read their blog about the conference they attended... and then mention the conference in the email.)

That email simply directs the recipient to click on a link

Is that how your company manages HR communications.... "here - click this link", with no context whatsoever? No introduction as to what to expect. No proprietary information or context that is even vaguely familiar..no branding... no reference to a memo or a project... nothing... just a link, ey? Well that company is training employees to just blindly click shit, then... and they are creating / reinforcing idiot activity.

, clicking on that link launches an attack.

That would be the company failing to patch a vulnerability, or it's a zero day (previously unknown vulnerability). This is rare (like once a decade rare) and in neither case would be the employees fault beyond having clicked the link in the first place. More commonly, the link presents a form that is asking for a password, and that is all they want. If your company has horrible Identity and Access management where the employee has to remember 10 passwords that they have to enter all over different places all day, then, again, the company is creating idiot users. If descent, simple SSO is setup, like Active Directory affords, then users should see the form and just laugh at it (actually, they should never see the form because the phishing attack should (almost) never be successful).

Is that a phishing attack, or one of those problems that you claim was solved long ago? If it is not a phishing attack, what is the solution to it, given that it was solved long ago? If it is phishing, how is it any less problematic than the problem that was solved long ago?

The "attack" is in two parts... the delivery mechanism, and the payload. The payload should never have a chance to deploy. and no... nothing was "fixed" a long time ago.
Maybe he is thinking of the Java sandbox that never fixed anything, but instead gave some people a false sense of security. Java is so insecure that after years and years of patching, it has simply been abandoned. The concept of a sandbox is good... but when you can only play in the sandbox, you only get sand. not good for an enterprise with complex integrations and collaboration tools that are needed to conduct business.

If you do one single thing to protect yourslef and your company... just one simple thing... then that thing should be to check the incoming email address of every single unsolicited email you receive. Just look at it. NOT the name. the address. Especially the part just to the left of the last dot...

APerson@google.hackersparadise.com <- this email came from "hackersparadise.com". They had their own private subdomain on their own network that they named google. It DID NOT come from google.com

I sound like "do this one thing every day to..."

but do that.

OK, verdict is official, you are worthless security "expert" I was talking about. You understand absolutely nothing.

 

[KeepTalking]

I know that, it's just I think that your average 100k security people are useless waste of money.

must be demented ones according to Nut

No, not the only thing. There are number of things on service side which can be done but are not being done.

and hope that we all collectively learn from it. In the 4 years I have been here, we have had at least one legitimate intrusion that I am aware of that came about from a phishing attack. We do a lot of web development, and simply firewalling every unknown URL is not a practical solution for everyone. We do have different levels of access to the internet, and developer access is much more open than the access granted to other users, though there are still some restrictions. I have worked in shops where developer access is entirely unrestricted. No, getting caught up in a phishing scam is not a crime, but you do bear responsibility, and I have seem people fired over it. That intrusion I mentioned above got one of my teammates fired, but I believe there was more to his firing than just that. We never got the full scoop from management, but his laptop was quarantined and we were unable to retrieve his uncommitted code, not that it was any big loss.

Anyway, I was really talking about executing unknown code from the internet (ransomware and viruses, problem which was solved long time ago), not phishing.

Okay... so, how about this scenario:
An IT professional receives an email purporting to be from their HR department, and it is a pretty damn good one with no misspellings and it utilizes the actual name and title of a known person in HR. That email simply directs the recipient to click on a link, clicking on that link launches an attack. Is that a phishing attack, or one of those problems that you claim was solved long ago?

It's a problem which was solved long time ago by sandboxing unknown code. In fact all code can and should be sandboxed, and I understand android and IOS use it to some extent.

If it is not a phishing attack, what is the solution to it, given that it was solved long ago? If it is phishing, how is it any less problematic than the problem that was solved long ago?

You can read wiki on phishing, they have few solutions, one with forcing user to select image from a set seems pretty bulletproof.
And I just spent 5 minutes and devised another solution where you simply forbid sending passwords over Web and use hashes instead, and hash them with something which would be hard for an attacker to spoof for example IP and of course hash it with random message from the server of course so that even if the attacker manages to spoof IP (I don't see how it can be done especially if user
use direct connection) he would have to do everything in real time, in other words no ability to store credentials for later use.

Then browser can hash credentials it is about to send and compare it to database of sites it was sent to before and insist on user using bookmarked address instead. And of course refuse to send hashes/passwords to sites which are not "secure"

Oh wait, it all depends on user being able to distinguish between ordinary input field and input field for password. and we know already we can't be sure of that at all.
Ok , how about hashing all input fields and checking with database. that way browser can detect plain password is about to be sent somewhere and refuse to do so.

My scenario was meant to illustrate the disconnect in your statement:

Anyway, I was really talking about executing unknown code from the internet (ransomware and viruses, problem which was solved long time ago), not phishing.

The attack in question used both phishing and delivery of malicious code. I am not sure why you brought up passwords with regard to the phishing portion of the scenario, as neither the phishing portion, nor the malware portion of the attack utilized a password. As far as your "sandboxing of unknown code" goes, that is pure horseshit. How are you going to "sandbox unknown code" when your users are web developers who are actively writing "unknown code" all day long? Sure, we use sandbox environments when necessary, but with modern web development you are pushing code to production multiple times a day, how is IT security going to determine which piece of previously unknown code is malicious, and which piece is something that is being actively and legitimately developed within the organization?

Note that I don't actually have the answers, I am not in IT security, I am a developer, and I don't pretend to be an expert on how someone like Gun Nut does their job. I do know how to detect and avoid most phishing attempts, but I also see developers around me failing to do just that. I also know that there is no way in hell I would let you inform me or my organization in any way on how IT security should be handled.

 

[KeepTalking]

Great.. good idea... lets walk through it.
what do you mean "utilizes the actual name"? Like the 3:00AM girl scout cookies at your door with the ski mask? They use the ACTUAL NAME... Girl Scouts. That's authentic. Girl Scouts are REAL. This would be called a Spear Phishing attempt. It's phishing, but highly targeted to the recipient (using an employee's name they pulled off of a Google search.. and then read their blog about the conference they attended... and then mention the conference in the email.)

That email simply directs the recipient to click on a link

Is that how your company manages HR communications.... "here - click this link", with no context whatsoever? No introduction as to what to expect. No proprietary information or context that is even vaguely familiar..no branding... no reference to a memo or a project... nothing... just a link, ey? Well that company is training employees to just blindly click shit, then... and they are creating / reinforcing idiot activity.

, clicking on that link launches an attack.

Sorry, this was meant to be a simple illustration of the blurred lines between a phishing attack and a malware attack. No, my company does not send out communications like that, but in one of the security tests they performed last year, they did something very similar to the above. They used an email that impersonated our HR manager, which directed the recipient to click a link, it was a bit more than just a link in the email. If I recall correctly the email actually stated that there was a change to insurance benefits, and to click the link to see the new information. The clue to me that it was a phishing email came from examining the link, which threw up red flags for me, but I don't remember exactly why. Several developers did click the link, however, so if it had been a actual attack they would have been responsible for damage caused.

 

[barbos]

If it does not involve victim entering credentials into a fake website or something or it relies on something other than phishing then It is not phishing. In other words phishing is pure phishing.

here is a definition:

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.

In your case it's superficially phishing, in reality it's just how malware propagates most of the time.
And as I said it was solved long time ago. You can safely click on everything in theory, the fact that Microsoft does not want to implement it is a different matter.

 

[KeepTalking]

If it does not involve victim entering credentials into a fake website or something or it relies on something other than phishing then It is not phishing. In other words phishing is pure phishing.

here is a definition:

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.

In your case it's superficially phishing, in reality it's just how malware propagates most of the time.

Malware can do a variety of things, including things that will allow hackers to to obtain sensitive information in the compromised system, or in the case of Baltimore, attempt to extort money. The initial email in the provided scenario is an example of "disguising oneself as a trustworthy entity in an electronic communication". It is not just superficially phishing, it meets the exact definition of phishing.

And as I said it was solved long time ago. You can safely click on everything in theory, the fact that Microsoft does not want to implement it is a different matter.

You were wrong when you said it before, you are still wrong. Microsoft has very little to do with our IT shop, I don't think there is a developer here who is not using a Mac.

 

[barbos]

Malware can do a variety of things, including things that will allow hackers to to obtain sensitive information in the compromised system, or in the case of Baltimore, attempt to extort money. The initial email in the provided scenario is an example of "disguising oneself as a trustworthy entity in an electronic communication". It is not just superficially phishing, it meets the exact definition of phishing.

OK, lets say I agree (I don't), how is that relevant to anything?

And as I said it was solved long time ago. You can safely click on everything in theory, the fact that Microsoft does not want to implement it is a different matter.

You were wrong when you said it before, you are still wrong. Microsoft has very little to do with our IT shop, I don't think there is a developer here who is not using a Mac.

I am not wrong, You can't get malware from clicking some link on linux system. Not that linux has specifically dealt with that specific problem.
It's just the idea that one can simply execute .exe files from some link never came about in linux for some reason.
Now linux have digital signatures and apparmor.