All of this can be on a "Tap to view" basis for the first media received.
Right now, iMessage processes everything in the background upon receiving.
That enables zero-click, instantly delete message attacks. The only trace you have is a random iMessage sound, or vibrate, with no corresponding notification.
Can be tuned to send at 4am when most people have Do Not Disturb on.
WhatsApp of all things has this (mostly to save on bandwidth, because WhatsApp was all about efficiency at one point).
There is no real reason to auto process untrusted data. I would have thought we'd learnt from the years of exploits Outlook dealt with in the late 90s/early 2000s.
Sometimes my dad sends me photos over WhatsApp, and I have noticed that they appear in my Photos app before I have opened/viewed the actual WhatsApp message. I assume that this is happening because I have given WhatsApp access to my Photos. But it does appear that attachment/image processing is happening via WhatsApp without my control/without my viewing the message + its attachments.
If they think my friend has sent a picture, or a business has sent an invoice, they're likely to click it.
Especially in the 3 receiving situations that bb123 outlined (1, 3 and 4) you're not likely to have the contact info, or it's plausible that the person could be using another phone to send that message.
Now - I know to check the sender, don't click strange links, all of that. I run trainings on how to avoid phishing and improve personal & organizational digital security. But it comes down to the fact that people are using technology as a tool.
Apple made headway with BlastDoor but it's clearly not good enough.