
It's a message from a valid internal email address. If a company's own email servers can't tell the difference between valid internal mail and external phishing, that's the company's problem, not the employees'. If the company's email is hacked so that a hacker can send valid emails from a legitimate internal email address, that's the company's problem, not the employees'. Nothing of value was learned by this test, besides the disdain GoDaddy has for their own employees.

If I put myself on the other side, I'd stop producing gross sexist ads, stop supporting overreaching internet legislation, and stop treating my employees like garbage.




You're assuming, incorrectly, that phishing attacks can't come from the inside.


If a hacker hacked the CEO's email address, and then used that address to email their secretary asking for information, and the secretary responded... that is not a security failure on the secretary's part. That's the CEO's security issue, and the company's security issue. Therefore, it's a useless pen test, unless the purpose is to tell employees no emails from anyone can be trusted.

A phishing email can come from the inside. But seeing whether employees will respond to a valid internal email is not a test of employee security. And in this case, it was as heartless as it was useless.


Turns out the email wasn’t sent from the internal domain, but from gocladdy.com. There was some poor kerning in the screenshots.
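The last comment is the technical crux of the thread: the sender domain was gocladdy.com, which in a proportional font is hard to tell from godaddy.com. The first comment's point that the mail system, not the employee, should catch this is answerable with a small lookalike-domain check at the gateway. The following is an added example, not code from the thread or from GoDaddy: it extracts the sender domain from a From: header, collapses visually confusable character sequences ("cl" for "d", "rn" for "m", "0" for "o" and so on) into a skeleton, and classifies the sender as internal, lookalike or external. The trusted domain, the confusable table and the sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed: the organisation's real domain (taken from the thread) and a
# small table of character sequences that render alike in many fonts.
TRUSTED_DOMAIN = "godaddy.com"
CONFUSABLES = {
    "cl": "d",   # the substitution used in the email discussed above
    "rn": "m",
    "vv": "w",
    "0": "o",
    "1": "l",
    "|": "l",
}


def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences so that a lookalike domain
    maps to the same string as the domain it imitates."""
    s = domain.lower().strip().rstrip(".")
    # Longest substitutions first, so "cl" is handled before a lone "1" or "l".
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of a From: header such as
    'IT Help <it@gocladdy.com>', or '' if no address can be parsed."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def _contains_labels(domain: str, trusted: str) -> bool:
    """True if the trusted domain's labels appear contiguously inside
    the sender domain (e.g. 'godaddy.com.example.net')."""
    d, t = domain.split("."), trusted.split(".")
    return any(d[i:i + len(t)] == t for i in range(len(d) - len(t) + 1))


def classify_sender(header_value: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Classify a From: header as 'internal', 'lookalike' or 'external'.

    'internal' means the exact trusted domain or one of its subdomains;
    'lookalike' means the domain only resembles it after skeletonising, or
    embeds the trusted labels inside another domain. Note that this check
    only rates the header text; whether mail claiming to be internal is
    genuine is a question for SPF/DKIM/DMARC alignment, not for this code.
    """
    dom = sender_domain(header_value)
    if not dom:
        return "external"
    if dom == trusted or dom.endswith("." + trusted):
        return "internal"
    sk, sk_trusted = skeleton(dom), skeleton(trusted)
    if sk == sk_trusted or sk.endswith("." + sk_trusted):
        return "lookalike"
    if _contains_labels(dom, trusted) or _contains_labels(sk, sk_trusted):
        return "lookalike"
    return "external"


# Constructed sample headers, as a gateway might see them.
SAMPLE_HEADERS = [
    "HR <hr@godaddy.com>",
    "IT Help <it@gocladdy.com>",
    "Payroll <payroll@g0daddy.com>",
    "Login <noreply@godaddy.com.example.net>",
    "Newsletter <news@example.org>",
]


def triage(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its classification; lookalikes are the ones a
    gateway should quarantine or banner before the employee ever sees them."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:9s} {header}")
```

Only the exact trusted domain and its subdomains are treated as internal; anything that merely skeletonises to the same string is flagged for review rather than rejected outright, because the confusable table will also collide on legitimate names (a real "corn.example" skeletonises like "com.example"). The decision that matters here is that the flag is raised by the mail system before delivery, which is the point the first commenter was making.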



