I Once Caught a Phish This Big

Posted on February 5, 2025 by Michael Keane Galloway

One of the consistent things that I have experienced through my tenure at a larger corporation has been simulated phishing attacks. The idea behind these is that our security team occasionally sends out fake phishing emails to internal users to help them learn and understand what phishing may look like. My understanding is that this does two things: 1. inoculates internal users so that they can better recognize the real threat, and 2. provides a safe way to fail (so that the users can learn from their mistake without broader consequences).

In my almost 10 years of receiving these fake phishing emails, they’ve ranged from incredibly silly and jocular to insidiously hard to spot. I am not too ashamed to admit that I’ve clicked on at least one of these simulated attacks. That said, I’ve often had an advantage in spotting the simulated phishing emails because I have always had a large number of Outlook rules to sort my email.

I’ve mentioned before that I get a large amount of automated email every single day. There are alerts from systems that are having problems, digests of automated processes, reports on data quality from ETL jobs, and newsletters/marketing emails from external sources. To handle all of this noise, I have had to keep very strict rules on what lands directly in my inbox, and sort everything else into appropriate places so that I can engage with things at the appropriate time. It’s the only way I know how to manage getting hundreds, or in the worst case thousands, of emails a day.

With all that in mind, for the first half of my time dealing with this deluge of email, I always had the simulated phishing emails sorted into my external inbox. That folder holds items that are directly addressed to me but come from outside of the company. So when I got a screwy email that was either pretending to be internal or was something that I wouldn’t expect to see in my external email, it was pretty easy to see it as a potential phishing attack and report it appropriately.

About four or five years ago, I saw a social media post about how these simulated phishing attacks often need specific headers to allow them to bypass internal security measures. You wouldn’t want your fake phish to get caught in the spam filter despite its misspellings and bad grammar. I decided to grab a phish that I had spotted from the trash and look at its email headers. Sure enough, there were some specific headers that meant I could even identify the tool our internal security team was using to send out these simulations.
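A header-driven sorting rule of the kind described here, written as an added Python example rather than the author's actual Outlook rules; the marker header `X-Phish-Simulation-Tool`, the company domain `example.com`, and the three sample messages are constructed placeholders, since a real simulation tool's marker header is whatever you find when you inspect one of its messages.

```python
"""Sort mail into folders from its headers, the way the post's Outlook rules do.

Added example, not the author's rules. X-Phish-Simulation-Tool and example.com are
placeholders; the real marker header comes from inspecting an actual simulated phish.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                    # placeholder for the company domain
SIMULATION_HEADERS = ("X-Phish-Simulation-Tool",)  # placeholder marker header(s)


def classify(raw_message: str) -> str:
    """Return the folder a message belongs in: 'phishing', 'inbox' or 'external'."""
    msg = message_from_string(raw_message, policy=default)
    # Rule 1: a marker header left by the simulation tool beats every other rule
    # (header name matching is case-insensitive in the email package).
    if any(header in msg for header in SIMULATION_HEADERS):
        return "phishing"
    # Rule 2: internal senders land in the inbox, everyone else in the external folder.
    _, sender = parseaddr(str(msg.get("From", "")))
    domain = sender.rpartition("@")[2].lower()
    return "inbox" if domain == INTERNAL_DOMAIN else "external"


# Constructed sample messages (not real mail): a simulated phish posing as an
# external order notice, a plain internal message, and an external newsletter.
SIMULATED = ("From: Amazon Orders <orders@example.net>\r\n"
             "To: me@example.com\r\n"
             "X-Phish-Simulation-Tool: demo-campaign-42\r\n"
             "Subject: Your order has shipped\r\n\r\nbody\r\n")
INTERNAL = ("From: Alice <alice@example.com>\r\nTo: me@example.com\r\n"
            "Subject: Hi\r\n\r\nbody\r\n")
EXTERNAL = ("From: News <news@example.net>\r\nTo: me@example.com\r\n"
            "Subject: Weekly digest\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for name, raw in (("simulated", SIMULATED), ("internal", INTERNAL), ("external", EXTERNAL)):
        print(f"{name}: {classify(raw)}")
```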

I used my newfound knowledge to create a phishing inbox to segregate these emails and Outlook rules to filter any simulated phishing attack into that new inbox. Then something unexpected happened. Phishing emails stopped obeying my Outlook rules altogether. They went from landing in my external inbox to landing directly in my inbox. They weren’t being caught by the inbox I had designated for such emails. I thought I was being clever, and the rule didn’t work. I suppose it is likely that around the same time the team behind this implemented something to have simulated phishes skip Outlook rules, but I haven’t bothered to ask.

All that said, these emails were still sticking out like a sore thumb. I had emails claiming to be external, like Amazon order invoices, landing in an inbox where I should only be getting emails that are internal and directly addressed to me. It wasn’t too big of a deal to just spot them and report them, much as I had when they were landing in my external mail. I suppose it would have been harder to spot something that was incredibly close to an internal email we actually receive.

Then, after years, I finally caught a phish automatically. My only guess is that something changed somewhere else in our email system and our simulated phishing emails are once again obeying Outlook rules. I can now have a simulated phishing email land in my designated folder, and mark it as a phish when I see it.