My company ran something similar recently. The cyber security team opted for “an important change to your available PTO.” It was from an internal address but from a made up name. The company is large enough (1,300 people) that you wouldn’t know if the name was actually an employee in HR or not. Because IT runs software that proxies and mangles all the links in an email, it’s super hard to evaluate the legitimacy of a URL anyways. Of course, most people clicked the link.
Email-link obfuscation (for whatever purpose) makes it nearly impossible to determine a real email from a phishing attempt. Even if you notice AFTER clicking the link that it is no good (i.e. before entering credentials).
My company used to mandate all emails are signed with AD-registered certificates to lend credibility, but they've moved away from that. (I think the reasoning was that webmail clients don't have robust support for S/MIME certs, but I'm not sure.)
Clicking the link shouldn't be enough to consider a target to have fallen to phishing. Sometimes, if I get a fishy email, I open it in a private tab within a browser I don't use, or even within a throwaway VM (if I feel something is REALLY strange).
Clicking a link is all it takes to download malicious code and send stuff to an attacker.
Clicking a link is enough to consider a target to have failed.
It shouldn't be though. If your threat vector includes teams with something like Chrome 0day, you've got bigger problems than employees clicking links.
Malicious email in the wild is either a link to a phishing page, or a link to a page offering an executable.
If I paste a URL into urlscan.io and have a look at it, I can assess better whether it might be safe. Being told "url got hit, you compromised us" is really silly in my view.
Of course "click to fail" is silly. And, in some experimentations I did in the past, it's usually easy, in a large organization, to forge a 100% legit url (like somefileserver.organization.com/some_url_that_can_be_easily_edited_by_anonymous_users) and a 100% legit sender (because of some open relay that passes DKIM and/or SPF). So you just need access to a minimal-security internal network (easily obtainable through spearphishing or malicious employees) to perform a good phish.
The obvious attack vector is to insert some JS in the webpage that performs a redirection to an external server holding malicious data. But the user would fail IFF they entered the data there, not just by clicking.
The URLs include some unique identifier that’s traceable to you. As far as my company is concerned, merely clicking it is grounds for security training.
Edit: I guess the argument is any page could contain an RCE.
Wow. If a single click is enough for an RCE, you've got bigger problems, IMHO. Basically, each and every website can hack into your infrastructure.
I'm not sure whether there are policy recommendations about phishing, but as far as I'm concerned a target would have failed if they entered private data somewhere, or opened downloaded documents or executables.