Risk from clicking link in email?

Discussion in 'mobile device security' started by Scoobs, Jul 12, 2024.

  1. Scoobs

    Scoobs Registered Member

    Joined:
    Sep 21, 2005
    Posts:
    117
    Got duped into thinking an email was from a colleague when it wasn't. Turns out it was a cyber security company testing our systems. I'm annoyed with myself because I am relatively tech-savvy. No excuses but a few reasons why I was off guard...

    Anyway, if this was from a genuine bad actor, it would have been someone with enough knowledge and intent to ensure the link took me to the worst possible security threat.

    How bad could clicking that link be?

    I was on my (Pixel 8 Pro) phone running Android 14. I was in the Outlook app.

    (I mention that because, if I'd been on my PC, I wouldn't have fallen for the email, and I'm going to use the link to test my PC security separately as I run a few things that I hope would have kicked in if I had.)

    Are there any drive-by download exploits (or any other kind of exploit) I could have been victim to?

    I can't find any documented instances and can only find vague articles on second/third tier AV sites that end with "install our AV to be safe."
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    Most cases are social engineering ending with phishing: someone creates a website that asks you for your data. It may be a multi-step process, so the form to fill in data isn't displayed outright.

    Drive-by downloads are rare on desktop nowadays, because browsers are better secured. A click on a link may also be an approximate measurement of attachment opening/execution, because it may not be acceptable, for different reasons, to create an attachment that calls home for ethical hacking/security testing. E-mail attachments are still a big threat on desktop.

    A mobile browser would have to download a file and then install it. Installation from outside of Google Play is disabled by default in Android. So I guess the easiest route to lure somebody on mobile is to persuade a visitor to install a malicious app from Google Play or Apple Store, then give it enough privileges. At least on Firefox Android, a website may present a button in the menu to open Google Play's install page for the app it suggests installing. You still need to click install, but the process is quite smooth, so many people already convinced to visit the website will click it as well.

    0-day malware that executes just after clicking on webpage URLs and bypasses all browser and Android security is very rare, so it is the least likely scenario. If you want to go down this rabbit hole, there were instances of attacks on Outlook desktop or WhatsApp (mobile) that didn't require any user interaction.
     
  3. Scoobs

    Scoobs Registered Member

    Joined:
    Sep 21, 2005
    Posts:
    117
    Thanks a lot. That confirms my research (as well as adding a lot more I wasn't aware of).

    What I didn't admit to in the OP was that I saw an oblique reference to a possible cyber audit a few weeks ago and remembered a podcast where they drop USBs in the car park to see if anyone brings them into the office and plugs them in. I thought to myself, "Don't fall for that in the next few weeks, ha ha ha."... only to fall for something just as obvious.

    Kicking myself.

    Thanks again.
     