Hasn't this always been obvious? I recall from maybe 10-15 years ago, talking with system administrators about employees getting pwned with malware.