> On May 14, 2018, at 12:29, Russ Housley <housley@xxxxxxxxxxxx> wrote: > > We are working on text for S/MIME that says that each portion of a MIME multi-part needs to be handled in its own sandbox. The direct exfiltration that is described happens because the mail user agent glues the various portions together for display to the user, which in the example on the web page causes an image to be fetched from the attacker's website with the message plaintext as part of the URL. So that’s the bandaid. What and where will work be done on a solution? Paul