@kensanata Summary: MIME-Parsers are faulty, we knew that.
This attack is a neat trick to include a message I cannot decipher and send it to someone else to decipher it and exfiltrate it back through an image URL or similar.
MUAs that call external URLs are a security risk. This was already known. This is just creatively using the problem to decipher a secret message.