I will think about this every time we have a meeting to discuss the stupid "shame and train" faux phishing attacks they run on us at work.
Pro-Tip: If you set up the right kind of filtering you'll never see those stupid things. (Fight club rules).
88The one they use at my work is extra silly, as it adds an extra email header saying it’s coming from a phishing campaign
56Lmao, the other day I had to whitelist some domains used for phishing training emails in the anti-phishing software we use just so they wouldn’t get nuked, then I had to whitelist them in another anti-phishing software so they wouldn’t have - huge red header injected on the top of the email body warning the user it was phishing.
4
The Microsoft 365 admins at my workplace were doing something like this. It's got some sort of built-in phishing simulation functionality (I think it's this: https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-simulations). The idea is that the recipient clicks a button in Outlook to report it as suspicious, and get a "congrats you did the right thing" notice.
However, it seems like IT security were unaware of the test, because they started blocking the emails and blackholed the domain the emails linked to (meaning it doesn't resolve on our network any more). They also reported the domain as phishing to some safe browsing vendor we use, which propagated into the blocklist Chrome uses. It was a shared domain Microsoft use for this training (it was one of the domains on this list: https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-get-started?view=o365-worldwide) so Microsoft probably had to deal with un-blocking it...
13Alternatively, over-report. Spelling mistake on an email from a colleague? Seems phishy to me. Email from a colleague with an attachment? Phishy! Unsolicited email from a client? Phishy! Email from 'social committee' sent to everyone in the team? Phishy!!!
10Please don't.
I have to initiate those, or it looks bad for compliance. We sell software, we get SOC 2 attestations yearly. We start getting points marked off for very general security and compliance measures customers will question our products and not renew or not purchase in the first place, because if we can't even secure our own employees and promote awareness, what does that say about our product?
Sincerely, the guy everyone hates and makes your work life harder.
6Received an email about phishing? Oh, you better believe that's phishy!
4I have done some minor malicious compliance / prankster sabotage sort-of like that in the past. I got called on the carpet. It was fun, though!
3I'm never going to have to reply to an email again.
1
except too many companies take that extra step of being annoying:
- you get a write up if you fall for the phishing
- you get a write up if you don’t fall for it but also fail to report it
- you get a write up if you don’t fall for it and do report it but don’t use the correct report form
10you also fail if you use the right form but don't staple a cover sheet for the tps form followup.
7Yeah my company sets a goal of how many you need to report every year, if you don't then you need to take mandatory training (same if you fail and click on a link)
2Where I work, they haven't taken it that far yet. But I would not be surprised if they go to that in the future. The email rules / filters can still help with it.
2
My company is using some tool to generate those kinds of false scam emails every few weeks, so I created a rule in Outlook that if the header contains the word "gophish", it put a label "lol phishing" on it, so I know to just delete them...
8shhhhhhh.
Good for you, though.
2
I worked at a place that actually tracked whether you reported the fake phishing emails or not...
7The right email rule can make that easier, too. Hee hee
2
Ugh. I got one of them recently and clicking on it and hitting report as spam apparently registers as me having interacted with the email so I have to do the security course again.
5It's glitchy AF. There's a known bug where it can report you if you simply preview the email, too. In some environments, anyway.
3
Our company has started doing that. How do I filter them out?
1It varies depending on your email client and the fake phishing service / implementation. (Sorry, I hate non-specific answers like this, too). For me, all I had to do was add an Outlook rule that looks for a certain keyword in the email header. The keyword is a weird/unique string that's only associated with the fake phishing company. If that word is anywhere in the email header, my rule chucks it into a folder where I just ignore it. Your client should let you view the header / raw email and you can look for a pattern that way.
It's a pretty safe rule as far as email rules go. The only risk I can think of is that it could lull me into complacency, but working for the man does that, anyway. I've been getting away with it for over a year, and it's nice not seeing the dumbass fake phishing things. Note that we are not mandated to report them, but we get assigned extra training if we click on any links in them. Your employer may have different rules.
2
This would explain why this works so often
41Why did the hacker leave their purple dildo out on their desk? Awkward 😬
33Ah, an email from yourcompaniesit@msn.com. Must be from IT.
22(I deal with vendors that still use yahoo.com emails …)
12The thing that doesn't make sense to me is when vendors have their own domain and site but they use a freemail account (Yahoo, Hotmail, Gmail, etc). If you really want to run your business using a free service, at least use an email forwarder at your domain.
12
The password is either admin or password
13Summer2024 Autumn2024 Spring2024 Winter2024
Are the most common passwords for regular employees. Update the year with the current or previous one.
Source: I was in IT.
P.s. if you have access to the physical location. Look for post-it notes under the keyboard.
31Oh shit, stealing this. Tired of changing the number on my overly long password. It's just inconvenient to type 32 charachters when "SeasonYear" would work.
Bro just made an unknown company a little less secure 💀
2
"what is your password?"
"uh, it's just the letter A"https://www.youtube.com/watch?v=uRGljemfwUE. A classic.
6I'm sorry, there isn't an option to arrange icons by "penis."
4
That proves you were the one that was targeted. It doesn't say anything about your intentions.
You could have had the best intentions and just missed the signs that it was a malicious email. Or you could have intentionally clicked on it out of spite.
If I knew my employee did it out of spite, I would fire them. Otherwise, it falls under the shit happens category, try to do better next time.
1If was so miserable at a job that I thought giving passwords away to random people was a good idea, I would hope that I had moved on long before.
1
How to defeat electronic locks according to Sneakers (1992).
5Tactics of Physical Pen Testing – lockpicking is the hardest way to get in
6
Made me laugh, stopping pre-work scrolling and ending on a high note. Let me send you my passwords…
4Have they not seen the movie Hackers?
3You will never be hired again
1That's called phishing
-2
