How is it possible that a Dept of Defense IT service provider continues to send announcements (maintenance windows, outages, etc.) to a HUGE list of clients and simply adds all of the client email addresses to the To: line?
Seriously?
If I were evil I would farm that list for potential victims and also for an easy information set to use in a social engineering attack on the service provider.
Come on folks!
This is basic Operational Security stuff!
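As an added illustration, not part of the original post: a small Python check that flags an outbound announcement when it exposes many recipients across several domains in To:/Cc:, and a helper that moves them to Bcc: behind a single list address. The sample message, the threshold of 3 visible recipients, and the address announcements@provider.example are all constructed for the example.

```python
import email
from email import policy

# Constructed sample: a maintenance notice that puts every client address on the To: line.
RAW_LEAKY = b"""From: noc@provider.example
To: alice@client-a.example, bob@client-b.example, carol@client-c.example, dave@client-d.example
Subject: Scheduled maintenance window
Content-Type: text/plain

Maintenance Saturday 0200-0400.
"""

# Assumed policy threshold for this example: more than 3 addresses visible to
# everyone, spread over more than one domain, counts as a recipient-list leak.
MAX_VISIBLE_RECIPIENTS = 3


def visible_recipients(msg):
    """Return the addresses every recipient can see (To: and Cc: only; Bcc: is not disclosed)."""
    addrs = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            addrs.extend(a.addr_spec for a in header.addresses)
    return addrs


def check_recipient_exposure(raw, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Parse a raw RFC 5322 message and report whether it leaks a recipient list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = visible_recipients(msg)
    domains = {a.rsplit("@", 1)[-1].lower() for a in addrs}
    exposed = len(addrs) > max_visible and len(domains) > 1
    return {"visible": len(addrs), "domains": len(domains), "exposed": exposed}


def rewrite_to_bcc(raw, list_address):
    """Return a copy of the message with all visible recipients moved to Bcc:
    and To: pointing at a single list address (the usual fix for bulk notices)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = visible_recipients(msg)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = list_address
    msg["Bcc"] = ", ".join(addrs)
    return msg.as_bytes()


if __name__ == "__main__":
    print(check_recipient_exposure(RAW_LEAKY))
    fixed = rewrite_to_bcc(RAW_LEAKY, "announcements@provider.example")
    print(check_recipient_exposure(fixed))
```

A submitting MTA strips Bcc: before delivery, so after the rewrite each client sees only the list address; the check is the kind of rule a mail gateway or DLP policy can apply to outbound bulk notices before they leave.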