busyant 3 days ago

I worked at a biotech startup about 20 years ago.

- Two of the VPs at the company were named Jim Collinsworth and Peter Sachs (not their real names).

- For reasons I can't remember, I was able to send emails through the company's Windows email server under any name that I wanted.

- So, I merged the two VP names and I sent an email blast to the entire company from "Peter Collinsworth" (just swapping first and last names).

- "Peter" Collinsworth's email said something to the effect of "In honor of the 765th anniversary of the establishment of the Exchequer and the signing of the Magna Carta, <biotech-startup-x> is declaring April as 'English Unit' Celebration Month. All laboratory generated results will be reported using the following units: Instead of mg/kg/day, we will use pounds/stone/fortnight ...." etc. etc. etc.

- Well, Jim Collinsworth (real VP) saw the email and even he thought that the email had been sent under his own name.

- So, Jim fired off an email blast saying, "I did NOT send this. I don't know what this is about."

- Everyone soon realized it was an April Fool's joke.

- Jim eventually made his way to my office to say ... "That was really funny. Don't EVER do it again."

LinuxBender 3 days ago

> For reasons I can't remember, I was able to send emails through the company's Windows email server under any name that I wanted.

I know of several Fortune 100 companies that still allow this due to the way they set up email protection with o365 and Proofpoint, ironically. Not naming them. I've done similar pranks and got by with the skin of my teeth but would not recommend people do this early in their career, especially if leadership are sensitive to embarrassment.

busyant 2 days ago

> especially if leadership are sensitive to embarrassment.

Funny thing is that I cleared my prank with Peter Sachs because he was a bit of a stick-in-the-mud, but he told me to go for it and he thought it was hilarious.

I didn't clear it with Jim Collinsworth because he was a bit of a jokester himself so I (incorrectly) assumed he'd have no problem with it.

LinuxBender 2 days ago

Having approval from one of them would be quite the saving grace.

I had a CTO tell me to fill a cubicle with quick-drying cement after a prank went wrong but I stalled him long enough to cool down. I knew the building management company would have been furious had I followed orders. The CSO had pranked the CTO with a dongle that opens Excel and slowly types "I know what you were doing..."

em-bee 2 days ago

the building company would be more than furious. you could lose your lease over this and pay damages.

next time recommend using expanding insulation foam instead, but first cover everything with big sheets of plastic. the victim will still have a hell of a time getting rid of the foam. that stuff hardens...

LinuxBender 2 days ago

Oh trust me I know. This was CBRE and they are cantankerous and contentious on good days.

mwigdahl 2 days ago

Some jokesters are surprisingly picky about which side of the joke they're on.

hobs 2 days ago

I showed a new-to-IT guy about open relays and he was about to send an email from the CEO but, thinking better, he sent the joke email from "[email protected]" (real name instead obviously) - the amount of people STILL thinking it was the real thing was embarrassing.

dennis_jeeves2 2 days ago

> leadership are sensitive to embarrassment

Or they don't want distractions that are too costly.

LinuxBender 2 days ago

To your point, the incident I described took several Windows admins a while to find the USB prank. They thought we had a live extortion hack in progress and that was about the time they called me into it.

zbentley 23 hours ago

When I was junior IT at a smaller place (150ish people), we set up DMARC for the first time in "quarantine" mode. Plan was to eventually set it to full reject but only if folks didn't report issues for a month or so.

While it was in quarantine mode, I asked my boss if we could use it for an object lesson in email trust at our next security training. He said sure, got permission from the CEO, and then an hour before the next quarterly IT security training meeting everyone in the company got an email from the CEO's address saying "URGENT all-hands company meeting, attendance mandatory!" (which came from a Postfix running under my desk, sans DKIM validation record).

In DKIM "quarantine" mode, everyone's Outlook flagged the message with a banner or popup or something saying it was suspicious, I think it also had a prompt to auto-spambox future validation failures. Plenty of folks saw that and/or the Nigerian-prince-style typos I put in the "CEO"'s message. They checked with him or IT, who told them congrats, feel free to head home 30min early after the security training.

The more credulous folks that came to the URGENT all-hands were surprised to find themselves in a regular IT security training, no CEO in attendance. We started off with "so today we are going to talk about phishing, sender forgery, and you...".
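The staged rollout described in the comment above (quarantine first, reject later), as an added example that is not part of the thread: a simplified DMARC evaluation following RFC 7489. The domains, records and SPF/DKIM results are constructed, and relaxed alignment is approximated without the Public Suffix List.

```python
# Added example: simplified DMARC (RFC 7489) evaluation; all inputs are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): approximated here as
    equal-or-subdomain; real receivers compare organizational domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def authenticated(result, from_domain, mode):
    """result is a (verdict, domain) tuple, or None when the check is absent."""
    return bool(result) and result[0] == "pass" and aligned(result[1], from_domain, mode)

def disposition(record, from_domain, spf=None, dkim=None):
    """Return 'pass', the published policy for a failing message, or 'no-policy'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    if (authenticated(spf, from_domain, tags.get("aspf", "r"))
            or authenticated(dkim, from_domain, tags.get("adkim", "r"))):
        return "pass"
    return tags["p"].lower()

# Constructed records: the staging policy and the later enforcing one.
STAGED = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s"

if __name__ == "__main__":
    # From: header claims example.com; SPF passes only for the sending host's
    # own (unaligned) domain and there is no DKIM signature.
    forged = dict(from_domain="example.com", spf=("pass", "desk-host.test"), dkim=None)
    print(disposition(STAGED, **forged))
    print(disposition(ENFORCED, **forged))
    print(disposition(STAGED, "example.com", dkim=("pass", "mail.example.com")))
```

An SPF pass for an unaligned envelope domain does not satisfy DMARC, which is why the visible From: domain is what the policy protects.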

mschuster91 3 days ago

> For reasons I can't remember, I was able to send emails through the company's Windows email server under any name that I wanted.

The glorious days of open relays, back when spam was in its infancy. Today it's mostly done on a whitelist basis to let tools like JIRA or GitLab send notifications under the name of users themselves instead of some noreply address.

bee_rider 2 days ago

Seems like a memorable way of showing them that the email system could be configured better.