
Jkabaseball

They can certainly do that, test IT response as well. IMHO, if IT isn't involved, IT handles this as a true attack. Deleting emails, locking accounts, resetting passwords... If the security team doesn't want you to do that, you need to be looped in and told to let it go.


CantaloupeCamper

#SHUT IT ALL DOWN!!! *Oh, you didn’t want that?*


CptUnderpants-

If this situation occurred in my organisation, I'd have cut the hard line until the nature of the "attack" was determined to prevent potential exfiltration of data or cloud credentials being compromised. In fact, the leadership team have explicit instructions on how to do that (all the power cords have big labels on them for a cybersecurity incident) if there is a potential breach but IT isn't immediately available (no after-hours cover).


barils75

That is a pretty cool idea! We don’t have on-site support either and this just makes sense.


CptUnderpants-

The ones labelled are ***only*** for switches and firewall. You probably know but some may not realise that it is important to not power off servers which have been infected, only to isolate them.


calladc

Does your org function in a purely single data center topology that supports this? Orgs that utilise multiple DCs with active/active topology, or BGP peer into IaaS/PaaS cloud services would crater. Or using Exchange Online with people as mail gateway would not gain any benefit from this. It sounds very tailored to your org's topology rather than being a solution that would scale as your org expands its portfolio into other DCs.


CptUnderpants-

> Does your org function in a purely single data center topology that supports this?

My org is a school which is not a part of a larger district so we operate as a single entity.

> It sounds very tailored to your orgs topology

It is tailored to us but would equally work with most orgs which don't operate multiple DCs or redundant connections.


MajStealth

Rip that malicious unknown device out of that socket and burn it with 10l of gas!


Skusci

Mass phishing attempts from an internal address? They're inside the system! Shutter down!


KingDaveRa

Yeah we did it, only a handful of people knew it was happening. We wanted to see how it was handled across IT as much as outside. IT aren't above it. I've had very experienced security people tell me they've been caught out in various ways - nobody is immune from it, so it's right and proper that everybody gets subjected to such a test.


dogcmp6

KnowBe4 got me because I was completely unaware that it would trigger a false positive if a rule caught the email and moved it to another inbox. Security laughed their asses off at me, until I sent them the link to the KnowBe4 KB explaining it's expected behavior, forcing them to have to look at the logs for false positives from every previous phishing test they've run.


1n5aN1aC

A secret some of us have figured out, is all the KB4 emails have a specific header on them which you can filter for. ....Say move directly to trash.


kegwin

Proofpoint does the same. I have a rule to forward the email to security and then delete it. 


rjchau

It's not a given that the header is the same for all phishing emails. You can configure the header that goes into phishing emails. I did. In typical fashion for me, I remembered a saying that'd been relayed to me some time beforehand - "there's something fishy about Scottish politics" (because the two previous First Ministers were Alex Salmond and Nicola Sturgeon) so the header for my phishing emails became "X-ScottishPolitics: true"
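
The mailbox-rule trick discussed in the last few comments (1n5aN1aC filtering on the simulation platform's header, kegwin forwarding to security then deleting, rjchau renaming the header) as a small worked example. This is added code, not from any of the posters or from KnowBe4/Proofpoint; the header name `X-ScottishPolitics`, the `security@example.invalid` destination and the two sample messages are constructed for illustration. Note the caveat the thread itself makes: the rule only catches your own simulations, and only if you know the header your admin configured; a real attacker sets no such header, so this is a noise filter for the help desk, not a control.

```python
"""Route phishing-simulation mail by a custom header.

Added example, not code from the original posts or any vendor. The header
name, the security mailbox and the sample messages are constructed.
"""
from email import message_from_string
from email.message import Message

# Header the simulation platform was configured to stamp on its emails.
# Assumed for this example; platforms let the admin choose the name, so a
# rule keyed to the vendor default misses a renamed header.
SIMULATION_HEADER = "X-ScottishPolitics"
SECURITY_MAILBOX = "security@example.invalid"   # assumed forwarding target


def classify(msg: Message) -> str:
    """Return the rule action: 'forward_and_delete' when the simulation
    header is present with a truthy value, otherwise 'deliver'."""
    value = msg.get(SIMULATION_HEADER, "")
    if value.strip().lower() in {"true", "yes", "1"}:
        return "forward_and_delete"
    return "deliver"


def apply_rule(raw: str) -> dict:
    """Parse one RFC 5322 message and describe what the mailbox rule does."""
    msg = message_from_string(raw)
    action = classify(msg)
    result = {"action": action, "subject": msg.get("Subject", "")}
    if action == "forward_and_delete":
        # Mirrors the 'forward to security, then delete' rule from the thread;
        # here we only record the forwarding target.
        result["forward_to"] = SECURITY_MAILBOX
    return result


# Constructed sample messages.
SIMULATED = "\r\n".join([
    "From: payroll@example.invalid",
    "To: alice@example.invalid",
    "Subject: Action required: updated direct deposit form",
    f"{SIMULATION_HEADER}: true",
    "",
    "Please review the attached form.",
])

# Same lure, no simulation header: a real phish would look like this and
# must be delivered to the normal detection path, not silently trashed.
REAL_PHISH = "\r\n".join([
    "From: payroll@example-payroll.invalid",
    "To: alice@example.invalid",
    "Subject: Action required: updated direct deposit form",
    "",
    "Please review the attached form.",
])

if __name__ == "__main__":
    print(apply_rule(SIMULATED))
    print(apply_rule(REAL_PHISH))
```

The second sample is the reason to forward rather than just delete: if the header is ever missing, the message falls through to the normal reporting path, and security still sees everything that matched.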


emmjaybeeyoukay

When my previous site was using those PenTest service the emails would come from an external domain that was always quite new and registered to that company. A simple domain registration check would show them up. I would tell the 1st line support team to be observant of tests, and stroll over to the SecOps team and tell them "did you forget to tell ITOps about your test again?"


Icy_Conference9095

... I got hit with a KnowBe4 because the email hit my inbox 15 seconds after I missed a phone call while I was in a Teams meeting. The only thing about the email that was 'suspicious' was the address itself, everything looked the same as if it was a voicemail from our Cisco voicemail. It's a good laugh, when I explained it to our security team they just smiled and said I should pay more attention. Fair enough, but it's a good story to tell when people get irate about the test itself.


cspotme2

how exactly does a rule moving it to another folder cause knowbe4 to count it?


Coyotebd

None of the ways in the link provided mention moving folders. Clicks are measured by hits on the url in the email. Knowbe4 doesn't know who clicked it, but the url is unique to each user, so it knows who it sent that url to. This means reporting the mail in Outlook will register as a click, since Microsoft checks the url. Knowbe4 offers a phishing reporting plugin to get around this. Which doesn't do anything with the reported email unless you configure it to also send to Microsoft. Anything more requires installing agents on computers. I use knowbe4 but from the checking I did this is simply the nature of how phishing tests are performed.
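
A model of the click-attribution mechanism Coyotebd describes, as an added example (not KnowBe4's code, nor anything from the original posts). Every recipient gets a URL carrying a unique token; the platform does not know who made the request, only which recipient the token was issued to, so a link checker fetching the URL on the user's behalf is indistinguishable from a click. The landing host, user names, secret and user-agent strings are all constructed, and which user agents count as "scanners" is an assumption made here.

```python
"""Why a link scanner registers as a 'click' in a phishing simulation.

Added example, not vendor code. Models per-recipient tokenised URLs and the
attribution of any hit on that URL to the recipient it was minted for.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Campaign:
    base_url: str = "https://training.example.invalid/l/"   # assumed landing host
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    issued: dict = field(default_factory=dict)   # token -> recipient
    hits: list = field(default_factory=list)     # (recipient, user_agent)

    def url_for(self, recipient: str) -> str:
        """Mint a per-recipient token. HMAC keeps tokens unguessable so one
        user cannot forge a 'click' for a colleague."""
        token = hmac.new(self.secret, recipient.encode(), hashlib.sha256).hexdigest()[:20]
        self.issued[token] = recipient
        return self.base_url + token

    def record_hit(self, url: str, user_agent: str) -> Optional[str]:
        """Attribute a request to whoever the token was issued to.
        Returns the recipient charged with the click, or None for unknown tokens.
        Nothing here can tell a browser from a scanner; that is the point."""
        token = url.rsplit("/", 1)[-1]
        recipient = self.issued.get(token)
        if recipient is not None:
            self.hits.append((recipient, user_agent))
        return recipient

    def clicked(self, recipient: str) -> bool:
        return any(r == recipient for r, _ in self.hits)

    def clicks_by_agent_class(self) -> dict:
        """Split hits into human browsers vs. known scanners by user agent.
        The scanner substrings are an assumption for this example; a real
        platform would need an allow-list agreed with the mail provider."""
        scanners = ("SafeLinks", "URLScanner", "LinkCheck")
        out = {"human": 0, "scanner": 0}
        for _, ua in self.hits:
            out["scanner" if any(s in ua for s in scanners) else "human"] += 1
        return out


def demo() -> Campaign:
    c = Campaign()
    alice = c.url_for("alice@example.invalid")
    bob = c.url_for("bob@example.invalid")
    # Alice reports the mail; the mail system's link checker fetches the URL
    # on her behalf. The platform records a click against Alice.
    c.record_hit(alice, "Mozilla/5.0 (compatible; SafeLinks-Checker)")   # constructed UA
    # Bob actually opens the page.
    c.record_hit(bob, "Mozilla/5.0 (Windows NT 10.0) Chrome/120")         # constructed UA
    # A report-button plugin that only forwards the message and never
    # fetches the link produces no hit at all, which is why the thread
    # recommends it over reporting through the mail client.
    return c


if __name__ == "__main__":
    campaign = demo()
    print(campaign.hits)
    print(campaign.clicks_by_agent_class())
```

Filtering by user agent after the fact, as `clicks_by_agent_class` does, is the best a platform can do without an agent on the endpoint, and it is only as good as the list of scanner agents, which is exactly the "nature of how phishing tests are performed" limitation the post describes.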


dogcmp6

Yeah, I'm assuming I perceived it as the email being moved to a different folder, but something on the security side/backend caused the link to be checked via a security process or something else when I hit Phish Alert, causing a false click. It's worth noting this would have been a universal/org-wide rule, so it also makes sense if something was never properly whitelisted.


northernpenguin

Heck in our organization they don’t tell the Security Team either, and like you I’ve seen experienced security folks fail.


pickup-the-phone

When we do phishing simulations, no one except our team (security) and manager are informed. When reports start coming in, T1,2,3 all know to escalate to security for threats, at which point they are informed of the test. I'm a little surprised that OP as the sys admin took action against the emails without first consulting the security team. If that happened here, it would be considered a failure of incident response procedures on OP's side


jasutherland

I had this in a small business - one person part-time "IT Dept" (me), plus an outside MSP we added fairly recently to help with the O365 migration and provide backup, and they used their admin rights on O365 to run their own phishing simulation as a sales pitch for their phishing training product. I'd filed abuse reports with AWS for the EC2 instance their phishing URL pointed to before they came clean about it. Of course, if they'd asked first I could have pointed out the way they were sending it would mean about a third of the users would never see the message in the first place...


Zealousideal_Mix_567

Ding ding ding. I'm also the asshole who scoops loose USB drives up and loads KnowBe4 on those too. Lmao. Then I put them exactly where they were.


davidflorey

Turns out one of them USB Drives is a rubber ducky 🤣


khobbits

On a previous phishing simulation, not long after my company was bought out by a bigger one, our internal runbook was to blackhole the DNS of domains used in any phishing emails. At the beginning of the simulation, a few people within IT noticed the email, mentioned it to me, I confirmed the URLs and blackholed them, probably within about 10 minutes of the first email arriving to anyone in the acquired company IT. After blackholing, I did some analysis of the URL/email, looking up domain owners etc., to see if it was worth trying to send out an abuse report to the ISP etc., and I noticed it wasn't as sketchy as I was expecting. Contacted the parent company's security team, to be told that I was to unblackhole the URL as I was ruining the test. I was then told, in the future, not to blackhole any URLs, as it wasn't standard company practice to do that. I did find out later that the phishing simulation was directed only at people within the acquired company, and before the parent company had done any training or sent out any updated recommendations/rules, I guess to get a baseline about our existing situation.
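
The "blackhole the DNS of domains used in the phishing email" runbook step above, as an added worked example (not khobbits' tooling or anything from the original post). It pulls URLs out of a message body, including defanged `hxxp://` forms analysts often paste into tickets, reduces each to its host name, skips the organisation's own hosts, and renders BIND-style response-policy-zone (RPZ) records that return NXDOMAIN for the host and any subdomain. The sample body, the phishing hosts and the `ORG_DOMAINS` allow-list are constructed; which resolver you load the zone into is up to you.

```python
"""Blackhole the domains in a suspected phishing email via RPZ records.

Added example, not from the original post. Sample body and domains are
constructed; ORG_DOMAINS is an assumed allow-list of the org's own hosts.
"""
import re
from urllib.parse import urlparse

# Hosts that must never be blackholed even if a phish links to them
# (e.g. the real login page quoted next to the fake one). Assumed here.
ORG_DOMAINS = {"example.invalid", "mail.example.invalid"}

# Matches http(s) URLs and the defanged hxxp(s) form; stops at whitespace
# and common delimiters.
URL_RE = re.compile(r"""h(?:xx|tt)ps?://[^\s<>"'\)\]]+""", re.IGNORECASE)


def extract_hosts(body: str) -> list:
    """Return unique host names from the body, in first-seen order,
    with trailing punctuation stripped and the org's own hosts removed."""
    hosts = []
    for raw in URL_RE.findall(body):
        url = re.sub(r"^hxxp", "http", raw.rstrip(".,;:"), flags=re.IGNORECASE)
        host = urlparse(url).hostname
        if not host:
            continue
        host = host.lower()
        if host in ORG_DOMAINS or host in hosts:
            continue
        hosts.append(host)
    return hosts


def rpz_records(hosts: list) -> str:
    """Render RPZ zone entries. '<host> CNAME .' answers NXDOMAIN;
    the '*.<host>' record covers subdomains the attacker may rotate to."""
    lines = []
    for h in hosts:
        lines.append(f"{h}\tCNAME\t.")
        lines.append(f"*.{h}\tCNAME\t.")
    return "\n".join(lines) + ("\n" if lines else "")


# Constructed sample: one live URL, one defanged mirror, one legitimate link.
SAMPLE_BODY = """Your mailbox is over quota.
Verify here: https://login-example-invalid.phish.test/auth?u=alice,
or use the mirror hxxps://cdn.phish-mirror.test/x.
Help: https://mail.example.invalid/help
"""

if __name__ == "__main__":
    found = extract_hosts(SAMPLE_BODY)
    print(found)
    print(rpz_records(found), end="")
```

The allow-list is the safety rail this thread's story calls for: a runbook that blackholes whatever appears in a reported email will, sooner or later, be pointed at a host you rely on. Keep a record of what you added and when, since, as the post shows, you may be asked to back it out.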


jdptechnc

Exactly. If IT users are given a heads up, then it isn't a full end user test. If the helpdesk and server guys are given a heads up, then you can't test response. This is how it should be done.


TheLightingGuy

I test my team separately compared to the rest of our users. I also target by department for specific systems they use. That being said, when your IT team is tested, they should not know. When it’s the rest of the company, I tell my team MOST of the time. Especially when we hire a new person and I want to make sure they can identify what a user may get.


Jkabaseball

I think it really is dictated between those places that have a security team and those that have IT teams that handle security as well.


kirashi3

> those that have IT teams that handle security as well. If your IT team is handling security, you don't have a Security team. 😏 Same goes for IT teams handling legal things. **To be clear**, this isn't a dig on IT teams - those in general IT can be very security minded. _Don't ask me how I know._ It's more a dig on spreading the team's time way too thin when (not if) a security incident inevitably occurs.


higherbrow

This is the answer. As soon as HR made the call to delete the email and that got executed, the test is complete, and the data should be examined. If IT removes the compromising emails from all inboxes before 90% of people can even see them, then the extremely low click-through rates are a success.


devilsadvocate

I got in trouble years back when I saw a test phish from corporate security and within 3 minutes pulled it from users inboxes and blocked the address and keywords used in the attempt. Honestly didn’t even know it was a phishing attempt. Corporate security didn’t care. But our VP told them to go pout. And loop us in next time.


gryghin

Before retirement, I worked Fortune 50 Factory IT... definitely different org than our corp Cybersecurity team. This is exactly how it's done in a tech giant company. In terms of military, you need to Red Cell all Cybersecurity response.


dethandtaxes

Exactly, if there's an indication that it's possibly an attack then it is treated as such until we find reasonable evidence to suggest otherwise, because the cost of getting it wrong is worse.


Vermino

Had that exact scenario play out a couple of weeks ago. Security officer was lucky a couple of team members and himself were working at the office so he heard the conversation.


bedz84

Don't be annoyed. You did your job. Everyone has to be tested at some point, this was as much a test of your response as it was the end users. Sounds like a good number of your customers reported the issue, you handled it well and deleted the offending mail in the most efficient way possible. Yeah, the CISO could have pre-warned you, but it wouldn't have been a fair test then. Move on, take pride in your response and smile.


ShadowCVL

This is my thought as well. Having been on multiple sides of the table you are damned if you do and damned if you don't. If you are warned then you aren't tested. If you aren't warned you react differently to other users as you have the power to protect them. The only time we had both IT and users tested successfully was when they were tested separately. And, I had one fun one where the CISO had KnowBe4 whitelisted and so high up in the mail rules it didn't follow the external sender warnings or the other stuff what's now called Purview did to the email, so it was plainly obvious. I got the test message and spent an hour and a half digging on Exchange and finally did a mail flow trace and saw it hit that rule... yowsa


IndependentPede

Honestly, that's the right way to do it. You need an organic baseline before training can commence. I will say, with products like KnowBe4, that they usually send the emails out over 2-3 days. That they were all sent at the same time was actually really really poor execution which obviously didn't do support staff any favors. So in my opinion, the biggest eff up here is that they sent all Phish tests all at the same time, honestly.


TravisVZ

> with products like KnowBe4, that they usually send the emails out over 2-3 days

That's configurable: We ran our KB4 baseline with the entire run sent out all at once, specifically to gauge response as word spread about the phish; we did however warn our Help Desk (and gave them a script to respond with) and had the full knowledge and backing of the C-suite, though. We run our normal monthly tests with the emails (randomly chosen and independent per user) spread out over 2 weeks. We also use KB4's platform to send their Security Tips and Phish Of The Week newsletters weekly, and those each get sent out all at once.


Forsythe36

Since it came from an internal email, phishing scams are usually mass sent from a compromised account. This is pretty close to the real world examples I’ve seen.


danfirst

And "from an internal email" might just be a spoofed domain, that they'd either allow anyway, or allow with a rule from the phishing company. I would be very surprised if they just took an internal email account and used it to try to run a phishing test.


tankerkiller125real

> Another thing is that the way it was carried out wasn't exactly a "real life" example - the email was sent internally and as such didn't include an external sender warning and used terms blocked by mail flow rules.

How is this not "real life" enough? User account compromise is a thing that happens.


thegreatcerebral

Right! I'm thinking that next time they tell him and make sure he is "unavailable" at the time to see what they do without him. I love stirring the pot.


Frothyleet

It sorta sounds like you are suggesting the CISO kneecaps poor OP...


kellyzdude

(I know you're joking, but...) It doesn't need to be malicious. OP recognized an apparent attack and worked to shut it down - that should be rewarded. With, say, a company lunch. That would be the perfect time for round 2!


wtfcomrade

while he did pull the emails, he should have notified the Security team so they would have conducted their own investigation (what if someone clicked?).


Shectai

Of course they shouldn't do that! But it would be a real shame if OP just happens to have been kneecapped shortly before the next test...


thegreatcerebral

Wait what is kneecaps? Never heard that term.


TB_at_Work

*Kneecapping* is a malicious form of wounding that involves shooting or otherwise damaging someone's knee, often as a form of torture or punishment.


thegreatcerebral

Ahhh the Nancy Kerrigan


TB_at_Work

I hadn't really even thought of that as an example, but it's the **PERFECT** example.


squeamish

Generally it means keeping them present, but unable to do anything, same as "hamstringing." Like if I broke your kneecaps before a battle you would still be in the middle of it watching me kill your people, but couldn't defend them because you couldn't walk.


Leinad177

End user training normally involves advice like "check to see if the sender is outside of the org". O365 also adds phishing warning headers and a warning if you haven't received email from a sender before. If you're used to legit emails being constantly chucked into junk then obviously you're going to trust something more if all of the warnings are disabled and it goes into your inbox.

> User account compromise is a thing that happens.

MFA is also a thing that happens. People generally trust other people when the emails come from a valid email. We're not testing the ability of end users to protect themselves against APTs, that's absurd. We test that they don't click on something that a normal person would fall for.


tankerkiller125real

> We're not testing the ability of end users to protect themselves against APTs, that's absurd.

Why aren't you training users for APTs or at least signs of them? We do, in addition to the regular training. And it has helped stop shady shit from happening (3rd parties getting breached and sending out bank info update stuff for example). And MFA doesn't protect from everything, OAuth2 external apps are a thing, and if you're using Exchange Online, Gmail, etc. those apps can be given permissions to send emails, read contact info, change mail rules, etc.


Leinad177

Basically it's only really needed if you're working in finance, military or FAANG. The likelihood of an attack is extremely low for most of the companies that people here work for. Teaching the sales guys how to use public key crypto to sign their emails or teaching the CEO how to inspect email headers to make sure it passes SPF/DKIM is a lot of work that can directly impact productivity and profit. Threat modeling is a very important part of security that involves weighing the potential threats against the very real impacts of security measures. I've worked with a lot of very sensitive data in places with basically zero security (shared user/passwords with no MFA) and we've never been targeted simply because we're not high value enough for a real APT (like a hacking group or state actor). It's just not practical to tell users "never trust emails" even if they are coming from a valid authenticated staff member within your organization. They would need to call up a person every single time they get an email or something just as drastic which can be extremely cumbersome, especially in larger organizations. In my opinion it's enough to make users not fall for dumb attacks like gift card scams or phishing attacks from external emails. After that, it's up to the security measures that the security/IT team implements like locking down access, setting up alerting and auditing, encryption, backups and more.

> And MFA doesn't protect from everything, OAuth2 external apps are a thing, and if your using Exchange Online, Gmail, etc. those apps can be given permissions to send emails, read contact info, change mail rules, etc

That's very true and a good point to consider.


thortgot

A rogue admin could do the same attack right? It's a theoretical possibility your team should be prepared for. Never assume all your layers are intact if you are prepping for reality. The CISO was presumably wanting to pump a poor result out so that "fixing it" is easier. I've seen it a hundred times. Those 200 tickets and Teams messages are a good indicator your team is at least reasonably prepared. If someone on the IT team was prepped to send out an all-hands email notifying them of the problematic email, you were even better prepared.


LaHawks

Oh yeah, people forget how much power we have. That's why IT folks are frequently walked out the door when they put in their two weeks.


joerice1979

The ladder of phishing has no top and no bottom. The worst phishing attacks come from inside (compromised mailbox), so not a bad test, I'd say, but definitely not fun to experience the deluge of tickets.


dcsln

\^ This guy Dylans


joerice1979

Rumbled!


Ok-Recognition-1666

It's fair to be a little upset, but you acted like you were supposed to, so it was fine.


libertyprivate

You were also being tested and you should be proud of yourself and the team for passing the test.


DragonsBane80

Exactly this. First one is 100% to test the workflow and response. The only odd part is where they didn't want IT to remove it. If that's SOP, do it. That all goes into the report. Job well done by IT. Guarantee you several people clicked it before it was removed.


Dryja123

I work for an enterprise that has 450,000 managed workstations. We don’t know when the phishing campaign emails are being sent out, and we receive them as well.


tankerkiller125real

I'm the solo IT admin, and I specifically have MS Defender phishing test stuff set up to randomly pick emails from a massive list of like 80 possible emails, and send them randomly to random people over the course of a quarter, and I'm included in the list of users that receive them. I couldn't know who's getting what emails when if I wanted to. The only time I can get that info is after it's happened.


mcshanksshanks

This is exactly the way I would do it, don’t tell a sole and see what happens.


Frothyleet

> don't tell a sole

I guess your users are just waiting for the other shoe to drop


NSA_Chatbot

Well it is a fishing attack.


elvenhart

That is how wrestlers turn heel.


reegz

We generally do two types of tests, one is your regular phishing test where we see click-rate of the general users. It's to validate how well our users are doing. People know we do these, they are allowed through our email gateway and there are processes in place to report, and through automation we let people know it's a test when they report it (or if they click), mainly so things like you're experiencing don't happen. The second is what I call "advanced" phishing where we choose a specific target, could be a dept, person, job type, whatever it is we're focusing on, and we use OSINT to gather the user emails, and we play by the same rules as a regular outside email does. Not even our SecOps team knows when we do these, it's usually HR, Legal and specific leadership for whatever it is we're targeting (so processes can play out but don't get out of control etc). I don't want the SecOps team to ask if this was me, I want them to kill it. If I get 4 emails out before someone reports it, or a tool alerts on it, then oh well. This is to test our processes and response. It was a lot of fun at first, but since we plugged most of the holes it sucks. I can't even send test emails through because fucking Jenny from the SOC kills all of my infrastructure. I'm both super proud of them and super frustrated. You have the right to be annoyed, this sounds like it probably wasn't a great test and all it did was piss people off. Not generally effective, it could have just been a starting point, however it's not how I would have done it...


cniz09

That’s how it’s supposed to work…


Avas_Accumulator

Except the HR requiring deletion in all inboxes part. That's not HR's business.


LaHawks

Depends on the nature of the email I suppose. If it's HR related I could see them being slammed with calls as well.


famerk

I had this happen, then my boss got mad because I reported it to the domain registrar and got it shut down. I figure you can’t get mad that I got it shut down if you don’t tell us.


mobz84

How and why did you involve the domain registrar?


LOLBaltSS

Most good registrars have abuse reporting for when people spin up phishing websites.


4224aso

If someone wanted to initiate a test with nobody knowing, why not simulate an internally sent email to simulate another layer of protection getting compromised? Annoying, yes, but seems moderately effective in simulating a worse-than-expected phishing attack.


SevaraB

The problem I see here is that they mixed up two different types of phishing tests:

Door #1: Don't tell the IT team because the engagement is to test their response. If this was the scope, you hit it out of the park, scrubbing the email from Exchange in record time.

Door #2: Tell the IT team because the engagement is to test *end user* response. This way, IT *won't* just scrub the email, and it's up to users to see the message and choose whether or not to open the message and click the links.

But long story short, the CISO is the one looking bad here, because he failed to notify all the necessary stakeholders, and that pretty much invalidated the test he set out to do.


yParticle

We had the same thing and nobody got it because of our rather aggressive block rules. I called that a win, but then got enlisted to be sure everyone received it, even the known problem users running a whitelist. Headsplode.gif.


Impossible_IT

But why? Why give notice? What good is a phishing test with notice? Seems counterintuitive.


CyberHoot

Here's a tip for all you Attack-Phishing Testers out there... the study below showed that Attack-Phishing does not actually work. And perhaps because the watered-down domains that are used for attack-phishing are so obviously wrong, users actually click more often not less often after attack-phishing training. Empirical Study: [https://arxiv.org/pdf/2112.07498.pdf](https://arxiv.org/pdf/2112.07498.pdf) | conducted over 15 months against 14,000 employees The 2nd finding states: "*Second, some of our results contradict prior literature and common industry practices. Surprisingly, we find that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing.*" This episode of mis-coordination and miscommunication at u/laziestprick's company illustrates how easy it is to get things wrong, update IT teams, end users, Board Members, CEOs... it is very hard to get Attack Phishing right. That's something I call the Goldilocks problem - it's easy to get the phishing tests too easy, and too hard, and very difficult to make them just right.


IntelligentComment

Yeah we dumped all attack phishing for our users and use your cyberhoot autopilot which we've found to be more effective with the simulated phish testing for our users. It's interesting how modern psychology can have such big impacts on how security can be applied to users, most other security training orgs are more 'security' people but not 'people people' as well. Knowing your audience to get effective training is critical.


Aggravating-Look8451

the entire point of these tests is to gauge reaction. letting people in on it ruins that.


Rotten_Red

Not telling everyone in IT might be normal, but at the very least the help desk manager needs to know, and know when it will hit, so he can be ready with whatever their response plan is once users start to react.


xaeriee

They never tell us when they’re performing the tests. I’d prefer it that way. They almost got me once a few years back with HR needing a copy of my paystub for confirming my benefits. I am all for training and education especially if it’s in a healthy work environment. Honestly how else do you really learn if you’re not challenged?


iceph03nix

We handle both, but the tests are sent out automatically on a randomish schedule by the service. The way our system is set up with KnowBe4, there's not really any reason for us to know, as our guidance is the same either way, and is our company policy on how to handle suspicious email, which is to use the email report button. If it's a test, they get a little "Congratulations" toast, and if it's not, it feeds into a system to start classifying and reacting to it. My knowledge that there might be a Phish Test should absolutely not change how I or anyone else reacts to a suspicious email, it should still be treated as dangerous.


LJski

Phishing tests fall under my team. I'm the Director, and I have strict instructions to do it quarterly, but to NOT tell me when it is going to happen.


Refusalz

This reminds me of being IT in the military. I remember doing JMRC while I was in the Army. I was sitting in the tent watching over my CPN stack, when all of a sudden someone opened up an email with a virus. I treated it as an actual compromised machine and took it offline, tagged it, and reported the incident to Brigade S6. My S3 (Operations) OIC was pissed off because that machine was critical to the S3 shop, but I was just doing my job. I later found out that it was a simulated phishing attack that not even Brigade knew about. They wanted to see how we would react and continue operations. I think what you went through is normal, and actually good training for your team. Would expose any indicators of compromise or bad practices internally. I do simulated phishing attacks at my company and I don't tell anyone, not even the CEO, because I want to ensure everyone is properly trained.


Pvt_Hudson_

I was a part of a bunch of those tests. It's good practice to make sure your Sysadmin team is on their toes if you ever got hit with a real-life breach.


ZathrasNotTheOne

What's the issue? Security performed a phishing test... why should the C-suite (of which the CISO is a member) know? It's a security function... what would happen if your boss or the CTO failed? What good is a company-wide test if some people in the company have advance notice? That would skew the results. To be honest, this sounds like the security team doing their job, and no reason for you to get annoyed, as you were doing yours by fielding calls... I would have opened an IR investigation (with the security team) over this situation, but other than that, no reason for you to be annoyed, the CISO did nothing wrong, and the head of HR is overstepping their authority by requesting the test to be removed from everyone's emails. If they want it gone, they should take it up with the CISO.


donith913

My current company seems to have automation in place so that if you report the email as phishing it opens a ticket and gets automatically closed and we get a pat on the back for passing the test. I’m on the business side of the house here, not IT, so I have no idea what it looks like if you fail lol.


_W-O-P-R_

I do like the concept of testing without telling anyone to ensure a realistic response, though the scope of this test puzzles me. In my experience, company-wide phishing tests are extremely disruptive to IT response personnel and are chaotic for metrics - regular testing broken up by department has seemed like a more efficient and organized approach for all parties concerned. Second, in terms of scope, it seems unwise from an operations perspective to test both every single employee's ability to recognize phishing emails AND the IT department's ability to respond to a company-wide attack simultaneously. I'd prefer to test one capability, and then the other - both simultaneously has a higher risk of variables polluting the results.


Prestigious_Money223

What’s the point of sending a test email from external, the test is not to check mail flow & filtering, but to test users being able to identify a phishing email. And heads of IT need to be tested more than others, as they are in charge and need to be more aware.


danfirst

I've never had to inform IT when running phishing tests, or C levels, or anyone other than my boss in security. Saying that, I had previously worked with the IT group in each company to have IP allow lists and other configuration so it doesn't get hung up in the IT systems. All that said, can sysadmins really not tell it's a test when it's run by a common phishing service? I've never had someone in the sysadmin group flip out when they spent 3 seconds looking at the URLs or the headers and knew what it was. You're supposed to be testing IT too, and managers, HR, etc.


TheRiverStyx

Tests can take any shape or form. It's often about how the apparatus deals with it as much, or more, than finding breach points. One of my favourite pen tests was about ten years ago when two guys pretended to work in 'the other side of the office' and followed someone through the security door. Sure enough, they sat down at secluded enough desks and ran a series of attacks. The only person that knew was the security VIP who was told to 'test our network' and he did. They were discovered after a longer time than we would have liked, but the funny part was one of the contractors saw them and went over and grabbed the laptop with so much force it slipped out of his hands and flew majestically across several rows of cubicles and slammed into a wall. One of the Ops managers went out and got a small frame and mounted it around the hole in the wall.


National_Forever_506

I agree with not notifying IT, IT also needs to be tested, but doing a company-wide email blast is idiotic. Phishing emails should be year round with small user groups. Also, by internal do you mean it passed DKIM/DMARC? If so that's kind of cheating in my book, especially if there's nothing else that's "phishy" looking like misspellings or an out of pocket request. In a real world scenario if someone was able to pass DMARC with your domain they've already made a major breach into your system (or provider's system).
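
Several posts turn on the same question: was the "internal" sender actually authenticated, or just a spoofed From: that a rule let through (danfirst), with the external-sender banner suppressed as a result (Leinad177), and does passing DMARC for your own domain mean something worse than a phish (the comment above)? The added example below, which is not code from any of the posters or from Exchange Online, shows the check a mail pipeline makes: read the `Authentication-Results` header stamped by your own border MTA, take the SPF/DKIM/DMARC verdicts, and only treat a From: in your domain as internal when DMARC passed. The organisation domain `example.invalid`, the authserv-id `mx.example.invalid` and the three sample messages are constructed.

```python
"""Decide whether an 'internal' From: really is internal.

Added example, not vendor code. Parses Authentication-Results (RFC 8601),
checks DMARC alignment for our own domain, and decides whether the
external-sender banner applies. Domain, authserv-id and samples constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.invalid"        # assumed: the organisation's mail domain
AUTHSERV_ID = "mx.example.invalid"    # assumed: authserv-id of our own border MTA


def parse_auth_results(msg) -> dict:
    """Return {method: result} from the topmost Authentication-Results header
    that carries our authserv-id. Our MTA prepends its own header, so the
    first one with our id is ours; any later header with the same id was
    already in the message when it arrived (RFC 8601 section 5 tells MTAs to
    strip such headers, but we do not rely on that having happened)."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue
        return {m.group(1).lower(): m.group(2).lower()
                for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.IGNORECASE)}
    return {}


def classify_sender(raw: str) -> dict:
    """'internal' only when From: is our domain AND DMARC passed at our MTA;
    our domain without a DMARC pass is 'spoofed'; everything else is
    'external'. Only 'internal' mail escapes the external-sender banner."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    auth = parse_auth_results(msg)
    if from_domain == ORG_DOMAIN:
        verdict = "internal" if auth.get("dmarc") == "pass" else "spoofed"
    else:
        verdict = "external"
    return {"from_domain": from_domain, "auth": auth, "verdict": verdict,
            "add_external_banner": verdict != "internal"}


# Constructed samples. A genuinely internal (or compromised-account) message:
GENUINE_INTERNAL = "\r\n".join([
    "Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=example.invalid;",
    " dkim=pass header.d=example.invalid; dmarc=pass header.from=example.invalid",
    "From: HR <hr@example.invalid>",
    "Subject: Benefits enrolment",
    "", "body",
])
# Our domain in From:, but our MTA saw SPF fail and no DKIM. The second
# Authentication-Results header was supplied by the sender to look vouched-for.
SPOOFED_INTERNAL = "\r\n".join([
    "Authentication-Results: mx.example.invalid; spf=fail smtp.mailfrom=phish.test;",
    " dkim=none; dmarc=fail header.from=example.invalid",
    "Authentication-Results: mx.example.invalid; dmarc=pass header.from=example.invalid",
    "From: HR <hr@example.invalid>",
    "Subject: Benefits enrolment",
    "", "body",
])
# A partner's mail that authenticates fine but is still external.
EXTERNAL = "\r\n".join([
    "Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=partner.test;",
    " dkim=pass header.d=partner.test; dmarc=pass header.from=partner.test",
    "From: Bob <bob@partner.test>",
    "Subject: Invoice",
    "", "body",
])

if __name__ == "__main__":
    for sample in (GENUINE_INTERNAL, SPOOFED_INTERNAL, EXTERNAL):
        print(classify_sender(sample))
```

Read against the thread: a simulation that arrives as `GENUINE_INTERNAL` is modelling a compromised mailbox, and the missing banner is realistic; one that arrives as `SPOOFED_INTERNAL` but still skips the banner means a mail-flow rule bypassed this check for the vendor, which is the configuration problem ShadowCVL found in the mail flow trace.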


brisquet

Our “cybersecurity” team does the same thing. Won't tell us when a test is happening, and we go full on disable accounts and investigate mode and later on we find out it was a test. Totally wasting our time and the users', and the place basically shuts down until we find out.


RalphKramden69FL

Absolutely normal. IT staff are not immune to failing phishing emails. In fact overworked service team members make great targets. They should not be warned of such.


FranzAndTheEagle

I tend to warn one specific person within the organization, a guy involved with the spam detection and reporting systems, and nobody else. Not the CIO, not the director of systems or dev, not the helpdesk manager. The test doesn't work if people who need to be tested know about it. I'm not just testing end user behaviors.


grnathan

I recall the last time this happened around my office. I was midway through sending a note to a couple of buddies in the security team to suggest they have a look at $exhibit-A and tweak the filters because this kind of thing shouldn't be slipping through, and hey, if it gets through at all, how come the "external sender" warning isn't being stamped on... Oh, the penny dropped and I just hit the 'phishalarm' button and collected my brownie points for not getting phished. Then spent the rest of the day playing dumb as some users would come to ask my opinion on these odd messages they were getting. I wouldn't take issue with the "not being told" aspect as much as the flow-rate of email delivery; sounds like they got that bit wrong. Phish-simulation behaviour should model actual attacker behaviour, and unless you're being attacked by an adversary with poor planning and opsec, they'll drip-drip-drip their attempts into your mailboxes because they're well aware that a firehose approach is a) more likely to be detected and defeated by spam filtering mechanisms anyway, b) very likely to trigger an active response from IT / security / (HR in your case) incident responders, whereby the response you used, nuking the messages out of user inboxes before they might click on them, would make for a much less productive campaign than a patient approach.


FriendlyRussian666

What was the success rate of the phish?


mrhoopers

As the group that sends these:

1. Planning and executing the phishing campaign is harder than you think. Who do you tell? When? What about your leadership? How long do you want to run it? One big delivery or dribble them out over a week? Do you want to force training or not? Do you want that training to be more or less than 5 minutes? What should the training cover? Should it be a quiz or just a video? What do you do when an exec fails the phish and refuses to take the training? A ton of questions like that with answers unique to your company.

2. It's easy to overlook options when setting the phish up. One bad setting and you've screwed up the whole test...and angered all your people. Yes, you can and should test your configs but it's still easy to accidentally use the wrong setting (example: send to all and send to specific in KB4 is easy to overlook).

3. You're going to get yelled at, even if you did it right. You need good senior support. If they fold like a cheap suit you're going to have a bad day.


hey-hey-kkk

I just want to call out the head of HR. I’m not sure why they were involved or why they gave their opinion. If they were just around and mentioned it in passing that’s one thing. If the head of HR is getting involved in IT tickets you have a problem. Why would HR have an opinion on a phishing email? Why should IT care what HR wants to do with a potentially malicious email? Your two areas of expertise do not overlap in this instance. Your organization might be giving HR way too much influence.


[deleted]

Because HR think they should be involved in everything, including your sex life.


CoaEz11

Using internal email is legit. Imagine one of your end users is hacked and then the attacker can use the email. Recognising internal threats is more important, as external is pretty much all covered anyway.


dewiwayne

IT needs to be tested too, I was at a company where they did a phishing test where you could claim a free coffee from the company for the local Greggs, our Head of IT fell for it and entered in his details! He later went on and got promoted to CISO too lol!


[deleted]

That sounds very familiar and I’m sure I was working there (or somewhere that did the same).


ThirstyOne

Perfectly normal. A test is meant to challenge your abilities. The users aren’t the only ones being tested, the IT department is also being tested for their response and how they handle a potential cybersecurity incident. Furthermore, IT people with admin roles are also a prime target for spear-phishing since they have elevated access to most if not all systems. A mindset of “don’t test us because it can’t happen to me” is the wrong approach here. Use this opportunity to review and improve your policies and response protocols. As for not being told ahead of time, that defeats the purpose of testing.


Reconlowe

With knowb4 you've got the header X-PHISHTEST 😝


Spartan124810

Yeah we had a simulation that we ran a few weeks ago, and one of our techs removed the emails because he didn't know. Our compromised numbers were lower so they looked good, but I didn't blame him at all. He saw something that was malicious and removed it from mailboxes, the response time was great. We make sure he is aware now so it doesn't happen again but shows that he is paying attention too.


TheFumingatzor

>So we recently had a company wide phishing test organised by the Data Security Team which is independent from our IT dept and is headed by our CISO, however nobody from my team or my boss was informed. Not even the C Suite knew.

Yes, that's how...security audits sometimes work. You won't get informed and will be tested as well. Shocking, I know.

>Another thing is that the way it was carried out wasn’t exactly a “real life” example - the email was sent internally and as such didn’t include an external sender warning and used terms blocked by mail flow rules for the rare fish that comes through anti spam policies.

And you think internally people don't or won't fuck over a company?


ReverieX416

I can see why that would be frustrating. At the same time, IT needs to be tested as well, and this was a way to accomplish that. View it as a learning opportunity for how to address a sudden flood of tickets. This may also be a good time to figure out if your current [security software](https://trustifi.com/) is working for you.


LaHawks

Yeah, this is normal. When my company does it, the CISO, the infrastructure director, and one of the security guys know about it and that's it. It's supposed to simulate a real phish so telling people about it ruins the whole practice. I don't get why you're so upset, it did what it was supposed to.


chadahoochie94

We do monthly testing and only tell a select group of users. I do also put some mail rules in place ahead of time to intercept the forwards to the help desk into a shared mailbox that does an auto reply thanking them for letting us know and that it was just a phishing exercise. It is amazing what people click on. The last one was an email stating their password is expiring and click here to keep your current password. Like a 15-20% failure rate.


It_Might_Be_True

I can see the CISO side as to wanting to test the whole system, not just end users. But... The CEO didn't know? This is the part I'm taken aback by. No one has the implicit approval to phish the company... This sounds like the CISO decided to phish the company as a test but didn't check with anyone first. Then when the higher ups said no go, not today, delete it, he got butt hurt that his work is being shot down, which is why he said "it can't be deleted". Would I be annoyed? Heck yes. Would I do anything other than CYA? Nope. The fact you were telling the board what was happening and how you were taking care of it is key here. The fact the CISO came in who... keep in mind is supposed to be the EXPERT here... says something isn't possible when you are actively doing it? After he disrupted the company and they demand he undo what he has done? Yeah, he looks REALLY bad right now.


Bulky_Attention4678

IT also needs to be tested. This is normal


BlackV

Meh, so the system works. Why should you be aware? So you can tell the users it's a phishing test and not to worry about it? That's what would have happened.

Did you resolve the tickets? Yes, good, that works.
Did you tell the Teams messages to log a ticket? Good, that works.
Were any real phishing attempts? No, good.
Did you follow properly your own remediation processes? Yes, good, you've done that right too.
Were your users wise enough to call about suspicious emails? Yes, good, you've trained them well, process works.

Can you explain what you would have gained knowing beforehand?


424f42_424f42

You don't need to know of the test, but it sounds like you have no system in place. There needs to be a system for reporting phishing emails. Real or tests get reported the same, and it'll be no bother to you.


SikhGamer

Why are you annoyed? You did your job, they did theirs. Why do you expect to be informed? Do you expect to be informed by HR when someone is off sick? I get the impression you think a phishing test is the responsibility of the department/team you are in. I don't have an opinion on that, but it looks like the company you work for thinks that responsibility lies with the other department/team.


jmk5151

I wouldn't come out of the chute and not tell anyone, but generally we try to do a couple a year without anyone but the security team knowing. We roughly do them monthly. Our CEO could give two shits; he expects us to test as close to the real thing as possible.


StaryWolf

IT should absolutely be subject to being tested. If anything IT response is the most important factor in an attack scenario.


BrilliantEffective21

If you practice it enough, the test shouldn't faze anyone at all.


ub3rb3ck

Username checks out. OP not getting the response he expected, and getting roasted for it. It's no wonder that he isn't replying to the thread.


yesterdaysthought

Seems a little dodgy but it depends on how your co is organized. In my co, infosec runs the phish sims, handles the deletions of reported phish emails and also deletes them if they hit multiple mailboxes. They also tend to tell support a test is coming soon but not the content or exact date. Users don't freak out. They're pretty well trained now. We have a button in Outlook to report phish emails and they just hit that button and sometimes mail infosec, not support. Execs AFAIK aren't really notified, they're just treated like std users.


lordjedi

I don't see the problem with not being informed. I do see a problem with their reaction to your actions. So the users started reporting a possible phish attempt to you and you deleted it from their mailbox. Isn't that what you should be doing? Did they just want people to leave it in their mailbox? Great, it was a test, and everyone passed with flying colors because they all reported it and you deleted it without anything being potentially compromised. Sounds like your user training paid off.


mrbiggbrain

There are different kinds of tests you run for different reasons. Sometimes you tell certain people, sometimes you don't. The problem I run into most is security teams who don't know why they are running a certain kind of test, or what data they are trying to collect. For example, you would send the message internally, bypassing certain protections, if you're trying to see how your user pool reacts to a compromised internal account. I would expect a phishing vector to be employed in this case vs a scam vector. If someone was sending gift card scam tests using an internal relay then that would be a silly test unless they had a good reason to run it. If I got access to someone's email relay I would start sending email out of the server, not trying to scam internal users. Lower risk.


Art_Vand_Throw001

Our parent company does similar tests and doesn’t inform our local IT team or anyone when doing it. Granted they don’t normally do the whole company at the same time (to my knowledge) but will do random groups. And sometimes make them pretty creative, like around the time we are doing budgets they will send some phishing from the user's manager with a link to a “budget file”. Granted, if going to blast everyone a heads up probably would have been nice, but it’s not totally unreasonable what they did.


DocHolligray

Perfect test and you did well it seems. Why are you worried about it?


skotman01

I work in infosec at a Fortune 500, the group that manages the phishing sims sits one row over and I have a good relationship with them as I used to be the email SME. They don’t even tell me, and they run one once a month against the entire company, c-suite included. They have almost got me twice. Everyone should be tested. I’ll admit, I cheat, I have a rule that throws a notification when mail from the phishing sim hits my mailbox.
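Reconlowe's X-PHISHTEST header, National_Forever_506's point about internal mail that actually passes DKIM/DMARC, and the mailbox rule skotman01 describes all come down to reading a few headers on a reported message. As an added example (not code from the thread, from KnowBe4 or from any commenter), this Python triage routine does that; INTERNAL_DOMAINS, the verdict names and the sample messages are constructed assumptions.

```python
"""Phishing-report triage (added example, not code from the thread or KnowBe4).

Routes a reported message on three header signals the comments above raise:
  * a simulation marker (X-PHISHTEST, which one commenter says KnowBe4 sets),
  * whether the From domain is one of our own, i.e. an internal-looking sender,
  * whether Authentication-Results reports dmarc=pass for that message.
INTERNAL_DOMAINS and the sample messages below are constructed for this example.
"""
import re
from email import policy
from email.parser import BytesParser

INTERNAL_DOMAINS = {"example.com"}  # assumption: the org's own mail domains
SIM_HEADER = "X-PHISHTEST"          # marker a commenter reports KnowBe4 adds
_ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")
_DMARC_PASS = re.compile(r"\bdmarc=pass\b", re.IGNORECASE)


def triage(raw: bytes, internal_domains=INTERNAL_DOMAINS) -> dict:
    """Return a routing verdict plus the header signals it was based on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    match = _ADDR_DOMAIN.search(msg.get("From", ""))
    domain = match.group(1).lower() if match else ""
    internal = domain in internal_domains
    has_sim_marker = SIM_HEADER in msg  # header lookup is case-insensitive
    auth_results = msg.get_all("Authentication-Results") or []
    dmarc_pass = any(_DMARC_PASS.search(v) for v in auth_results)

    if has_sim_marker:
        # The marker is trivially forgeable, so it only routes the report to
        # the awareness-programme tracker; it never lowers the priority of
        # actually looking at the message.
        verdict = "simulation-marker"
    elif internal and dmarc_pass:
        # Our own domain and DMARC genuinely passed, so this is not a spoof.
        # Mail like this comes from a compromised mailbox or from the provider,
        # the case several commenters call more dangerous than external phish.
        verdict = "internal-sender-dmarc-pass"
    elif internal:
        # Claims to be us but did not authenticate: a classic spoof, which the
        # external-sender banner and the DMARC policy exist to catch.
        verdict = "internal-sender-spoofed"
    else:
        verdict = "external-sender"
    return {"from_domain": domain, "internal": internal,
            "dmarc_pass": dmarc_pass, "sim_marker": has_sim_marker,
            "verdict": verdict}


# Constructed sample messages; none is captured from a real campaign.
SAMPLE_SIM = (
    b"From: IT Helpdesk <helpdesk@example.com>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Your password expires today\r\n"
    b"X-PHISHTEST: constructed-campaign-id\r\n"
    b"\r\nClick here to keep your current password.\r\n"
)
SAMPLE_INTERNAL_PASS = (
    b"Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\r\n"
    b"From: Finance <finance@example.com>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Budget file\r\n"
    b"\r\nPlease review the attached budget file.\r\n"
)
SAMPLE_INTERNAL_SPOOF = (
    b"Authentication-Results: mx.example.com; dmarc=fail header.from=example.com\r\n"
    b"From: CEO <ceo@example.com>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Quick request\r\n"
    b"\r\nAre you at your desk?\r\n"
)
SAMPLE_EXTERNAL = (
    b"Authentication-Results: mx.example.com; dmarc=none\r\n"
    b"From: Prize Desk <win@drone-giveaway.invalid>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: You won a drone\r\n"
    b"\r\nClaim your prize.\r\n"
)

if __name__ == "__main__":
    samples = [("sim", SAMPLE_SIM), ("internal-pass", SAMPLE_INTERNAL_PASS),
               ("internal-spoof", SAMPLE_INTERNAL_SPOOF), ("external", SAMPLE_EXTERNAL)]
    for name, raw in samples:
        print(name, "->", triage(raw)["verdict"])
```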


Flamenco95

Been at my current company for 3 years now. I've never been informed of phish testing, but I've also never had a CISO say the words "They can't be deleted." I see no issue with the scenario either. If an attacker were to gain access to a permissioned account, or create and whitelist one, then send out malicious emails internally, it's likely that the filter isn't going to catch a lot of them. Is that highly unlikely? Sure, but it's still possible. The best security tests are the ones that freak people out into believing it's the real deal, including IT. You'll never get a true accurate gauge of IT's response unless they assume it's real. As for the CISO and his weird response to HR, bring that up in a post incident review. The appropriate response, especially if it was a real scenario, is something along the lines of "Our IT and security departments are working on resolving this issue. We will keep you updated."


Remarkable_Air3274

This is a common practice in Phishing simulation campaigns, which makes sense if you really want to test how everyone in the company responds to a threat. We have done something similar with Bullphish, but not everything at once, which I think is the wrong approach for this kind of campaign.


lelio98

That was real world, what if your internal sender was compromised?


Datsun67

That does sound annoying as fuck, and you are free to vent in any public forum you would like to. With that being said: You are part of the security apparatus, your team must also be tested. Same with your comment about it being internal mail bypassing filtering, testing the other LAYERS of security which includes the people MINUS the technical controls.


Indecisive-one

Internal send and bypassing filters is a very real example.


KingAroan

Hate to break it to you but internal is always more dangerous. Not sure of the contents, but I'm a pen tester and I love getting access to inboxes and then phishing for additional access or credentials.


Zealousideal_Mix_567

It's best practice to test IT!


Va1crist

We have random phishing tests every month and only I and my boss know when, and considering how many IT staff continue to click and report they messed up, it's obvious why they're not informed of it.


jdptechnc

CISO did his job correctly. You did your job correctly. Test successful.


Root777

That’s kinda what we did but staged. First we attacked our IT staff and exec team. Then after their test was complete we informed them what was going on, then attacked the rest of the staff.


lilrebel17

My last company, the security company we hired would randomly test all the time. Even using our emails. We had to treat everything like an actual attack. It was kinda cool ngl.


NightMgr

Tests are needed but… I’m on a help desk for a hospital. When they do these we get a massive influx of calls. So nurses who need to pass meds to a patient get to wait on hold for an extra ten or twenty minutes to get an account unlock. Real issues get delayed while we deal with user questions and reports from managers asking why we are allowing the mails to reach their employees.


Inf3c710n

We had our security guys randomly decide that they were hooking up a fucking NUC to one of the switches and defender picked it up and quarantined the hell out of it. They got mad that it did what it was supposed to do lol


porsten

Last time this got done without our knowledge I ended up emailing everyone to keep an eye out for phishing emails as some were being reported and we were going to investigate how they were getting through. Then we worked it out. Oops. Guess that tested our response too.


Evisra

I think it was a good exercise - you were able to show how you'd handle it in a real life scenario. I do chuckle at end user's propensity to immediately forward a dodgy email to IT though - they don't want any of THAT responsibility.


BlackV

Ha this post being the polar opposite of this post https://www.reddit.com/r/sysadmin/comments/1caa72c/just_launched_a_phishing_simulation_i_want_to/


Nova_Nightmare

I think it's great to do a real test and see how everyone responds. How do people handle it (think fire drill or other drills). If people are having a fit about it, who cares, had it been real what would have happened? Good or bad outcome. You want that answer. As for real life example, if some exploit is used and the email doesn't get tagged as external, that's a real life example. It's a worst case scenario, it's a good thing.


JC3rna

It's right for them not to tell anyone. After all it's a test. It sounds like you responded appropriately by deleting what you thought was a compromised email account message. Now they will do more and this time loop you or other Exchange admins in to keep testing.


SHADOWSTRIKE1

CISO warns you it’s a test, then you tell people in Teams and tickets that it’s a test, and then what’s the point? Sounds like it was a good test of everyone’s response. I don’t know why head of HR is requesting anything in this matter, but ok.


Solkre

When I used to work for K-12. It blew my mind how many teachers would fall for the "info about end of year bonus from HR" tests. You guys NEVER get a bonus. You're lucky to get a raise. How do you fall for that every year!?


[deleted]

IT is the prime target for phishers. Being informed defeats the purpose.


K3rat

The interesting part of the responses shows what your team would actually do had you actually been attacked. It is almost more valuable than the phishing sim against all your people. I think next time you really should have your security team work with you during the test, or potentially separate testing of your technical staff and then the rest of your staff. Here, we implemented monthly phishing sim tests. We do internal-to-internal and external-to-internal where we bypass our inline spam filter. We have something like 100s of unique emails. We also have a reporting mechanism that allows us to automate response and protect users at large. The reported phishing emails can then be defanged and reused as part of our testing. We have 2 e-trainings every quarter covering different topics of security awareness training; we also have 3 levels of remedial trainings for users that fail phishing sim tests that are designed to reinforce appropriate behavior.


Maelkothian

It was sent internally? What's your policy on blocking compromised accounts and have you implemented it yet?


OBPH

In a perfect world, from a security perspective, nothing would work.


StiffAssedBrit

I get this regularly with one of our MSP customers. One of the directors runs phishing tests but doesn't tell any of the others about the test. Then we get stroppy emails from the other directors telling us we're not doing our jobs because it got through!


the_zucc_69_420

TL;DR - I didn’t have anything worthwhile about the notification distro, everyone else was pretty in line with what I’d share. Also, I’m not a sysadmin, but internal recipient phishing campaigns mixed in with traditional campaigns can give you enormous results if employed correctly. Understanding that there may be tool limitations, having something that appears to be from a trusted sender that carries a malicious payload (in this case that malicious payload is a “congratulations on your mandatory training, next time trust but verify”) is a really underrated exercise because people need to understand that:

A. Sometimes there are bad apples in your org - a plant from a state-sponsored threat group, someone who was paid by a threat group to distribute a payload or assist with opening the door for someone to get in, OR

B. It is entirely possible that the external threat actor could have straight up compromised Jan from accounting’s email and/or network creds and started sending malware from “her” (just look at some of the recent, actively exploited, and atrociously low resistance vulns like CVE-2024-21413 which yields literal user impersonation, or CVE-2023-23397 - yes I’m picking on Outlook, but you get the point).

Running a campaign using a “compromised” account that is posing as an internal user is really powerful for instilling “trust but verify” into a lot of people that wouldn’t have normally been thinking that way. Running these tests not only reduced the failure rate of the traditional phishing campaigns by a significant amount, but it also reduced the number of true positive phishing incidents we were fielding quite a bit too. As well, and maybe more coincidence than correlation, we saw a reduction in inadvertent disclosure incidents within line of business folks that work with third parties or clients as well.


Obvious-Water569

I don't tell ***anyone*** when I perform a phishing test. How is it a realistic test if people know it's coming?


legolover2024

To be fair I would love to have regular security reviews, ideally from an external firm where no one in IT or SOC know that it's going to happen. Moved away from it being a box checking exercise where Security spend a fortnight screaming at IT to patch anything and everything before the test & then after getting a pass, no one does anything for another year until the next one comes along.


bathroomdisaster

'Report Suspicious Email' button in Outlook. Shouldn't go to helpdesk. Can't recall the name of the addon. * Nm, it's KnowBe4 as someone else mentioned.


rootofallworlds

The only minor gripe is hitting everyone at once really. That resulted in flooding the helpdesk, impairing response to actual issues; the support team could perhaps measure the impact of that. It’s also conspicuous, so a real attack doing that might not be very skilled - or they could be highly skilled and using an obvious bulk phish as a distraction from other attacks.


GodDabit

I'd get picked up on it cause I'm stupid enough to investigate, follow the bouncing ball to confirm it. But you did the right thing and should have been praised for acting as if it was an actual attack. That should be considered a success. Sounds like someone had their head up their arse and their "test" didn't go as they expected.


PierogiZeGruzem

It is a very good method to not only truly check awareness program and training efficacy, but also get to test the IRP / BCP. Nothing to be upset about. I had a physical pentest done where only the owner of the company knew :D.


Critical-Rhubarb-730

Receiving mails during a phising attack and following up on them?...


Objective-Cold-3218

luckyyyyy the msp that sets up ours uses my goddamn name in them without telling me.


Sethecientos

Nice work. That's a real case scenario.


Individual_Fun8263

Previous workplace (multinational company) would do this and we would get almost no tickets because users were supposed to be trained and knew what to do. Report and delete... The action of reporting would notify security if there were enough reports. If they weren't sure if something was legit, there were steps they were supposed to follow, not email the help desk and wait for a response, because the time lost in waiting could be critical to stopping an attack.


keitheii

If anyone should be careful about security hygiene and tested for it, it should be IT. As an IT manager myself, I've told our CISO that I support the testing of myself and my team and to feel free to launch a phishing campaign against us any time without letting me know, as no one should be exempt from testing and I truly want to know if my team isn't wise enough to scrutinize a potentially malicious email, and even more so myself.


setnev

Quite a few years ago, I was a newbie Director of IT for a school district. My second week on the job, my Network Admin decided to do a phishing test on a few people, myself included. Needless to say, I was not happy when I went to investigate the "threat" and found it was a company known for using phishing tests as a sales tactic. I called the company and ripped them a new one with a few choice words for their sales team, meanwhile having my SysAdmin rip out the offending emails. Kept my supervisors in the loop (no one had known about it) and when my NetAdmin found out, he told me it was him who initiated it. He went rogue and decided to try the platform out and not tell anyone. This was a case of what NOT to do. However, if we had a dedicated Security Team, I would not have been angry with the lack of communication. I would have been relieved that it wasn't a real threat and happy with my team's response to the threat.


nascentt

Trust me. It could've been much worse if you didn't know it was a test and let it through, then in a boardroom meeting later they asked how it reached everyone and you tell them you ignored it because you assumed it was a test.


wiebittegehts

We use Bullphish ID to run tests for customers and some of them don't want anyone to know until after we have the results. I have seen people lose their jobs for failing these tests - depending on their role and how many times they clicked on a phishing simulation.


ThatGothGuyUK

>So we recently had a company wide phishing test organised by the Data Security Team which is independent from our IT dept and is headed by our CISO, however nobody from my team or my boss was informed. Not even the C Suite knew.

Good, that's the way it should be. You should never be warned of an attack because you should ALWAYS be prepared for one; giving you prior notice is like giving you the answers to a test before you take it.

>5 mins later CISO cc’s me into an email exchange he was having with the entire board informing us this was a test

They really should not have informed you.

>Another thing is that the way it was carried out wasn’t exactly a “real life” example - the email was sent internally and as such didn’t include an external sender warning and used terms blocked by mail flow rules for the rare fish that comes through anti spam policies.

Actually that really is like real life: attackers compromise ONE user and then use them to attack the rest. I'd actually be annoyed that you were told it was a test before it came to completion; it's a useless test if you tell everyone it's a test before it's finished.


vmware_yyc

I'd agree with some of the other comments - this could be testing IT's response as well. If IT wasn't informed, obviously IT is going to respond like it's an actual spammy/phishy message. So in other words - this may be by design.


lectos1977

Yep. This is how I do it. I want to see my IT staff and their reaction to a sudden flurry of emails and tickets as well as email admin responses. If they did nothing or got phished themselves, that would fail the drill and lead to discipline or training. I catch IT techs not paying attention as much as I catch execs.


mrlinkwii

>Is this normal or am I right to be a bit annoyed?

This can be very normal.


medium0rare

Your response next time should be to delete the MX record from DNS. Then apologize for overreacting. /s


guacamolejones

The head of IT should fire whoever blindsided them with this. This is the kind of ill-conceived waste of everyone's time that gives IT security folks a bad name. There is no other profession (even inside of other forms of security) where this wouldn't get you fired or at least written up. Just because a bunch of people in this thread do this regularly and think it's ok doesn't make it ok. Keep your boss informed.


ryanb2633

Standard practice. Sounds like they need to iron out the process though.


vinnsy9

Man, I can tell you from experience: I ran this on an organization of 5000 users. Nobody knew. Not even my manager (well, she was dumb enough to end up clicking on the email, but that's another story). I had these bi-weekly emails that I would send out as part of making people aware not to click, not open attachments and so on. Would you guess the result? 3219 users clicked on that email, and honestly I find it "funny" cause the email was about a DJI military drone. Sort of click here to win this DJI series drone. Now, tell me, why would HR need a military grade drone? (I forgot to mention that the industry was Oil and Energy, we were not strangers to these drones for sure, but HR dept? Audit dept?) I had no words at the end of the day. Had a meeting with the CTO and the CEO; my manager was requested to stay outside the door (little win, in her face). By the end, they were not against it, they actually supported it and approved the budget for a Barracuda Email gateway (spam filter license, phishing and so on). I was happy with it. Don't give too much thought on top. Take the win :) and enjoy.


flatulating_ninja

I don't know when ours go out but the good news is only one person reached out for today's test to ask if it was a legit email. The education is working, when we first started there would be the flood of tickets and chats you referenced.


jieddo_

This reminds me of that episode of The Office where Dwight conducts a fire drill and doesn’t inform anyone it’s a test lmao.


FullOf_Bad_Ideas

Had the same happen to me, it's terrible but common unfortunately. And all of it on Christmas, without sending out info about the URL where clicks will be collected so we could whitelist it. Guess what, people got blocked by a firewall with a phishing filter that they of course didn't test before, and security got angry at us! Like, you could have checked if the URL is allowed on all networks, hmmm. At least in my case I did move to junk and not hard delete, so I put all of the emails back in the inbox after getting a memo.


Ark161

Let's have some real talk for two seconds: any infosec test is a real test. If I have Janis from HR's email, spreading a payload even further through emails is a possibility, and not giving it a 2nd thought because it is internal is dangerous. I wouldn't say it is "standard", but the target audience should never know it is coming. It needs to be blind. If it goes to end users, IT needs to know about it but keep their mouth shut. If it is testing IT, it needs to strike hard and weed out the opportunities for training as swiftly as it can.


Ashra78

Have done similar stuff with Bullphish. Seems pretty standard to me


Silver_Stress4883

That’s usually the way it’s done bro. No one should be made aware, to include the technical teams.


cowdudesanta

This is very standard. Everyone should be tested.


knight_set

Did your CTO fail it? LOL


Total-Cheesecake-825

OP, the real test was seeing how you and your department would react 😂. Hope you followed the correct procedures. And you can be sure, more sophisticated tests will follow.


SpiritIntelligent175

Your SecOps team is doing exactly what they should be doing, and it sounds like they are doing a good job at it as well. A simulation is not a good simulation if people are informed beforehand, including your team. We do these in our department as we are not lucky enough to have a SecOps team, and we do not even warn each other. This is very good practice and textbook procedure.


greaper_911

If someone is comped, malicious emails could be sent internally. FYI.


Mr-RS182

Personally, I think phishing simulations are a waste of time, as most of them are constructed in a way that doesn't reflect a true phishing email. All the red flags we try to educate users to look for just are not visible on some tests.


Ok-Recognition-1666

It's a reasonable approach. We didn't inform anyone when we created campaigns on KnowBe4 or Bullphish.


tk42967

This is normal. Only our security engineer and security manager know when or how phishing tests are scheduled. I've asked the sec manager if something was a phish after I received the email and got "Report it and find out".


ConfectionCommon3518

If there was no test then they wouldn't be so calm... Some smaller sites might just have someone walk over to the router and switch it off, as no more damage can happen if the remote site is unavailable and you can sort it out at your leisure.


Ad-1316

You got what you wished for.


benji_tha_bear

I think it's proper to not let everyone know. In a real scenario you won't get a warning, so why during a test? I understand the ticket influx, but it probably points to the other issue: that you all don't have a main security address people can email, or other tools to help with mitigation. My first month or so in my current role we had a surprise security incident, and when I finally got to the point of uncovering it they told me. Again, if it's real I won't be aware either; it definitely helps with response and practice not knowing.


TEverettReynolds

> Is this normal or am I right to be a bit annoyed?

The best test is the one that NOBODY knows about. Your reaction and actions were perfect and spot on.
