• A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
  • Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
  • Hunt has detailed the attack and warned his subscribers in a timely fashion.
  • Jolteon@lemmy.zip
    5 days ago

    If you look at the headers, you can tell which ones are fake phishing and real phishing.

      • Jolteon@lemmy.zip
        5 days ago

        Most companies add an email header like “X-PHISHTEST” to the phishing tests (and a corresponding spam filter rule) to ensure they don’t get caught by spam filters. If you look at the headers of a spam email, the company test emails will have that header.

        • letsgo@lemm.ee
          5 days ago

          Any company that does that needs to be sent on mandatory awareness training for failing an obvious fake phishing exercise. It’s far too easy to whitelist that and send it to an “ignore” folder.
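
The header check discussed in this thread, as an added example that is not from any commenter: it reads the headers of three constructed messages and reports whether the "X-PHISHTEST" marker is present. It goes one step beyond the thread by assuming a mail gateway should honour the marker only when its own Authentication-Results header shows a DKIM pass for the simulation sender; the domain `phishsim.example` and all sample messages are made up.

```python
import re
from email import message_from_string

MARKER = "X-PHISHTEST"            # header name quoted in the thread
SIM_DOMAIN = "phishsim.example"   # assumption: domain the simulation sender signs with

# Constructed sample messages (not real mail).
SIMULATION = """\
Authentication-Results: mx.corp.example; dkim=pass header.d=phishsim.example
X-PHISHTEST: campaign-7
From: IT Support <it@phishsim.example>
Subject: Password expiry

Click here.
"""
SPOOFED_MARKER = """\
Authentication-Results: mx.corp.example; dkim=fail header.d=phishsim.example
X-PHISHTEST: campaign-7
From: IT Support <it@corp-example.test>
Subject: Password expiry

Click here.
"""
NO_MARKER = """\
Authentication-Results: mx.corp.example; dkim=pass header.d=mailer.example
From: Billing <billing@mailer.example>
Subject: Invoice

See attachment.
"""

def dkim_pass_domains(msg):
    """Return domains reported as dkim=pass in Authentication-Results.
    Assumes the header was written by your own gateway, not by the sender."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value, re.I):
            found.add(m.group(1).lower())
    return found

def classify(raw):
    msg = message_from_string(raw)
    if msg.get(MARKER) is None:
        return "no-marker"           # ordinary mail: normal filtering applies
    if SIM_DOMAIN in dkim_pass_domains(msg):
        return "simulation"          # marker present and sender authenticated
    return "marker-unverified"       # marker alone does not earn a filter bypass
```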