
Security at my job pumps their numbers by pretending you fell for a phish if you click the link in their obvious phishing test emails. I clicked one to see how good of a job they did at the other end of the link trying to extract whatever they want from me, but there's nothing there! So lazy.


I got dinged for clicking "report as phishing", as part of that process forwards it to Microsoft Threat Intelligence in Outlook, and so their systems said I forwarded it and therefore fell for the phishing. Now I look for a particular header and put all of those messages in a "phishing" folder.


I run my organization's phish sims, and we had a similar issue one month. A bunch of people failed for downloading attachments. When I looked into it further, all the attachments were downloaded by the same Czech IP address. With some research, I found that it was an AVG IP address. The fix is very simple. The phish sim service has a place to exclude IP ranges. Any activity from those IPs is just ignored. I'm sure all phish sim services and software have this ability.


Question: why is clicking on the (test) phishing email's link a "fail"? Isn't the whole contract between browsers and society that one can safely open any website they want (i.e. loading a webpage is safe), and what you do on the actual site is the actually unsafe op?

Asking because in the vast majority of cases, the phishing landing page has way more signals to recognize than the email headers.


Unfortunately not. If there is a 0-day vulnerability, or you're running an older version of a browser with a known patched issue, you may find yourself with a remote code execution, or a 0-click download. Or it could be another kind of exploit; maybe your email service is vulnerable to XSS attacks. Like operating systems, browsers can have security issues too. So trusting your browser to see if a phish is really a phish is just unnecessary risk. I've worked with clients that have ended up with crypto lockers from clicking the link. Even from the IT side, I'm not going to increase the risk by opening a known phishing link to check how good it looks. If I am, it's going to be in a system that doesn't have active logins to other systems/sites, and is easily disposed of and reset. Check out all the YouTubers getting channels hacked with session stealing. Yes, they are falling for phishing attacks, but you really don't know what the attack vector is going to be. It might just be a fake login, or it could be much more sophisticated.


Thanks, that makes sense!


Now when I see a phish, I check to see where it is coming from. 97 percent of the time, it is a test. We're getting these tests often enough that I just assume that's what it is.


Which is fine, actually. If you see it and think "oh, IT is at it again" and delete it or report it, mission accomplished, because there is still that 3/100 chance it is real.


It only works on fake phishing.


So when you look at the sender of a suspicious email and it's not the phish sim service you just go ahead and open it? That doesn't sound like a problem with the phish sim.


It's certainly a problem with the phish sim if you're trying to teach people not to open random links and instead you're teaching people not to open phish sim emails.

In fact, it can be actively harmful if it creates a false sense of security.


Many phishing simulation systems are not technically correct. Microsoft, Google and other 'security vendors' may inspect links in emails. That link inspection can sometimes be blamed on the end user. "You clicked the phishing link, now you have to take remedial security training!"

The only way to know for certain that a user fell for a phish, during a simulated exercise, is to make an HTML form that does a HTTP POST request and contains the user's credentials (that only they could type in). If a user enters their username and password and clicks submit, then they fell for the phish, otherwise no one can say for sure who or what software clicked that link that did a simple HTTP GET.
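As an added illustration of the GET-versus-POST distinction above (and the IP-range exclusion mentioned earlier in the thread), here is how a phish-sim operator could classify landing-page hits. This is example code, not any commenter's or vendor's tooling; the scanner ranges, users and hit records are constructed.

```python
"""Classify phishing-simulation landing-page hits: automated link scans are
excluded by source IP, a bare GET is inconclusive, and only a POST carrying
credentials counts as a failure."""
import ipaddress

# Constructed placeholder: CIDR blocks of link-scanning services (an AV vendor's
# sandbox, a mail filter's URL checker) whose fetches must never count against
# users. TEST-NET-3 stands in here; real ranges come from the vendor.
EXCLUDED_SCANNER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Outcomes ordered from least to most conclusive, for picking a user's worst hit.
SEVERITY = {"ignored-scanner": 0, "inconclusive-get": 1, "inconclusive-post": 2, "failed": 3}

# Constructed sample hits: (user, HTTP method, source IP, submitted form fields).
SAMPLE_HITS = [
    ("alice@example.com", "GET", "203.0.113.7", {}),   # AV sandbox prefetching the link
    ("bob@example.com", "GET", "198.51.100.23", {}),   # curl from a VM, or a report-button forward
    ("carol@example.com", "GET", "198.51.100.40", {}),
    ("carol@example.com", "POST", "198.51.100.40", {"username": "carol", "password": "hunter2"}),
    ("dave@example.com", "POST", "198.51.100.41", {"username": "dave", "password": ""}),
]


def is_excluded_scanner(src_ip):
    """True if the hit came from a range configured as an automated scanner."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:  # malformed address: treat as unknown, not as a scanner
        return False
    return any(addr in net for net in EXCLUDED_SCANNER_RANGES)


def classify_hit(method, src_ip, fields):
    """Return one of the SEVERITY keys for a single landing-page request."""
    if is_excluded_scanner(src_ip):
        return "ignored-scanner"
    if method.upper() != "POST":
        # A GET proves only that *something* fetched the URL (scanner, curl,
        # report button, preview); it does not prove the user fell for it.
        return "inconclusive-get"
    # Only a submission with both fields filled in shows a person typed credentials.
    if fields.get("username") and fields.get("password"):
        return "failed"
    return "inconclusive-post"


def summarize(hits):
    """Map each user to the most conclusive outcome among their hits."""
    worst = {}
    for user, method, src_ip, fields in hits:
        outcome = classify_hit(method, src_ip, fields)
        if user not in worst or SEVERITY[outcome] > SEVERITY[worst[user]]:
            worst[user] = outcome
    return worst
```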


Microsoft Safe Link technology does not actually inspect the link until the user clicks on the link. This is to avoid confirmation links, used by some services to confirm registration or as 2FA, being triggered by the security engine without user consent.


Our workplace Outlook phishing protection does, though. I was signing up to test one of our apps recently and my email was auto-confirmed in 5 seconds despite me never receiving it. Turns out it was caught in the phish filter, which automatically clicked the link to check it, so the above is not always true. Confirmed this with a few co-workers too.


We must use the same vendor, as I heard about that happening to my coworkers. I clicked "it's phishing you idiots" in Outlook and got a gold star. I find it funny because my organization doesn't even use email, so 100% of email I get is spam or phishing.

The dead giveaway on this email was that there was a Via: header that was like "phishingtestsforyourworkplace.com" or something.


I got dinged once for using curl (in a VM) on the link to get the details to pass on when I reported it.


I once got dinged for forwarding an obvious gotcha email, without ever opening it, to our security team's phish notification address, as our employee handbook instructed. I learned my lesson.


I once got dinged for not reporting. I saw an email that was clearly an internal security campaign. I deleted it. I received an email a day or two later stating that I failed to take action on a phishing attempt. Damned if you do; damned if you don't.


For a while I had a Thunderbird filter to automate forwarding based on our provider's email header.

They disabled SMTP and the Gmail web client has no such ability to filter on arbitrary email headers.


You can set up a Google Apps automation to do this for you.

I did for e.g. KnowBe4, since all their test emails have the same header information. It made it quite easy to never see any of their attempts, though I did have to check every once in a while to see if I'd been signed up for any random learning, as it removed those emails as well.


IIRC, the same company had locked down the allowed OAuth apps, so you would have needed an exception from security to run one.

I doubt they'd have granted an exception to stop getting annoyed by their own training.


Yeah, the links from Proofpoint are unique to you, so however you visit it you still get tracked.


It was when I was working at HP/HPE/DXC (I don't remember what it was at the time), I don't remember what they used.


I did that once for the same reason, and found myself sentenced to mandatory security retraining videos with no possibility of appeal.


Thank you!

- Browser 0-day vendor


You aren't wrong. I've got a heavily locked down browser on an off-network device for working with questionable websites. While the vast majority of phishing sites aren't pushing malware, spearphishing is another story.


IT still might not want you to follow the link.

* Other users might have, instead, an incompetently secured browser that they think is locked down on their work devices. It is hard for IT to distinguish between you and them.

* If the URL is personalized, it tells the attacker that the address is active. This is probably pretty limited help to the attacker. But it might tell them if your company emails follow a particular format, right?


> * If the URL is personalized, it tells the attacker that the address is active. This is probably pretty limited help to the attacker. But it might tell them if your company emails follow a particular format, right?

I just asked ChatGPT and it knows what email format the company I work for follows, so I'm not sure this is of particular value.


It's useful, even if you aren't a scammer, but it's generally not hard info to get elsewhere.


I feel truly sorry for whoever spends a browser 0-day giving RCE on me.


It's good that I otherwise don't click on links in my browser during my day-to-day work. /s


Good thing browsers aren't able to display content from random unvetted third parties in exchange for money on any website you visit too :)

Adblock is a security measure at this point.
