Posted by dmarto 2 days ago

Crates.io phishing attempt (fasterthanli.me)
Rust Blog Post: https://blog.rust-lang.org/2025/09/12/crates-io-phishing-cam...
155 points | 78 comments (page 2)
prameshbajra 2 days ago
That email looked very genuine. I would have fallen for it. Not gonna lie.
burntsushi 2 days ago
My bluesky post was the one quoted in the OP.

I do think it was a decent attempt. A phishing attempt making it past gmail's spam filter is somewhat rare for me. Certainly less than weekly. And something this targeted is definitely a ~yearly occurrence (or less).

The major tip-offs for me were:

1. It was weird to be getting this from the Rust Foundation. The phishers likely don't understand Rust's governance structure. It's a common misconception shared by outsiders.

2. If a security incident like this had occurred, there would have 100% been some kind of public communication about it on the rust-lang.org domain. I get notified whenever there's a new post there. So I knew this wasn't referencing a real event.

3. I also knew that crates.io doesn't manage authentication. It farms that out to GitHub. So the crates.io people wouldn't be communicating to me about my GitHub credentials being compromised. It didn't make sense.

And then finally, the URL is funny.

The somewhat scary part here though is that all of my points above come from being pretty dialed into the Rust organization and how things actually work.

But yeah, as a general rule of thumb, I always question any email asking me to log into something that wasn't just activated by me (like a "forgot my password" flow or something).

Finally, when I worked at Salesforce, the IT team there would occasionally send out fake phishing emails and ask you to report them to the team. I never fell for one, but I assume if I had, I would have been notified about it. I thought it was a very effective campaign because it always kept me on my toes.

hu3 2 days ago
I've grown old enough to ignore a sense of urgency when coupled with authentication.

That e-mail does not pass my sniff test.

twodave 2 days ago
Being asked to log in via an “internal login page” is a huge, bright red flag. It doesn’t matter what the reasoning is, if it’s not the same domain or an SSO integration that is well known to both you and the vendor then you shouldn’t be using it. This is security 101 type stuff.
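Two of the tip-offs above ("the URL is funny" and "if it's not the same domain") can be turned into a mechanical check on the links in a suspicious mail. The script below is an added example, not code from the thread or from the Rust project; it assumes crates.io, rust-lang.org and github.com as the only legitimate hosts (as the comments describe), and every sample link is constructed, not the campaign's real URL.

```python
from urllib.parse import urlparse

# Domains the thread treats as the only legitimate homes for these notices and
# logins: the crates.io site, rust-lang.org announcements, and GitHub auth.
TRUSTED_DOMAINS = ("crates.io", "rust-lang.org", "github.com")

def host_matches(host: str, domain: str) -> bool:
    """True only for the domain itself or a genuine subdomain (label boundary),
    so 'crates.io.example' and 'notcrates.io' do not pass."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify_link(url: str) -> str:
    """Classify a link's host as 'trusted', 'lookalike' or 'unknown'."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown"
    # 'name@host' in a URL: everything before '@' is userinfo, not the site.
    if parsed.username is not None:
        return "lookalike"
    if any(host_matches(host, d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # A trusted name embedded in a foreign host, with or without separators,
    # e.g. 'crates.io.verify.example' or 'crates-io-login.example'.
    compact = host.replace("-", "").replace(".", "")
    for d in TRUSTED_DOMAINS:
        if d in host or d.split(".")[0].replace("-", "") in compact:
            return "lookalike"
    return "unknown"

def audit_links(urls):
    """Map each link to its class; anything not 'trusted' deserves a second look."""
    return {u: classify_link(u) for u in urls}

# Constructed sample links (not the real campaign's URL): one legitimate
# announcement, one legitimate subdomain, and hosts that merely resemble
# a Rust project domain.
SAMPLE_LINKS = [
    "https://blog.rust-lang.org/2025/09/12/",
    "https://static.crates.io/",
    "https://crates.io.account-verify.example/login",
    "https://crates-io-security.example/",
    "https://crates.io@account-check.example/",
    "https://example.org/",
]

if __name__ == "__main__":
    for link, verdict in audit_links(SAMPLE_LINKS).items():
        print(f"{verdict:9} {link}")
```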
shepmaster 2 days ago
An official post about this is at

https://blog.rust-lang.org/2025/09/12/crates-io-phishing-cam...