Why is clicking the link a failure? I thought this was the point of keeping my browser up to date, so I can trust the sandbox!
A couple of times, I got emails that seemed suspicious, but I figured I would click the link to investigate further. I was on high alert and would not have entered login credentials or opened an executable or anything like that; I just wanted to check it out and see.
Of course, it was a phishing audit and I failed. WTF?
Phishers are working completely blind, thus any amount of info going back to the phishers is a benefit to them.
Just getting server logs from an opened link lets them know their messages aren't being quarantined and their server is reachable through the target's firewall.
The user agent and how the links are accessed give info about who is opening them.
(A few every couple minutes == all good; 10 links sent to 10 different employees all opened within seconds with a non-standard user agent == you're being investigated and should burn the domain.)
It's been a few years since I've done phishing engagements so details may vary with how things are done today.
But the goal is to limit any information going to the bad guys. Let them think their messages are being blocked until they go elsewhere.
*edit: That being said, phishing at least one person at a large company is not particularly hard. There are too many companies using domains indistinguishable from shady links, for one thing. Limiting engagement is good, but companies also need to be prepared for the eventuality that somebody will get fooled.