I received a painfully obvious spearphish attempt and I decided to examine it closely.
First, there was a no subject email with an attachment with many target emails.
I carefully retrieved the attachment and found this proffer from a scam call center.
There were 407 other emails targeted and I decided I would try haveibeenpwned to see how many of them were involved in breaches.
And the results were pretty sad - only half of the affected accounts appeared in the initial scan. I periodically came back over a two day period to get the rest. Just forty of the accounts came back involved in ninety seven compromised domains.
Conclusion:
False negatives are just as bad as false positives.
If you’re looking at something new you need to look very carefully, playing devil’s advocate. Even after you get some intuition on the norms in a particular construct, it’s still wise to do this if the findings are part of a chain of inference.
