Listen to this Post

Introduction:
Recent research presented at Oakland 2025 confirms what security leaders have long suspected: traditional phishing simulation tests fail to improve user resilience, reducing click rates by only 1.7% against attacks that succeed 30.8% of the time. The cybersecurity industry must pivot from blaming users to deploying technical controls and AI‑driven, people‑centric interventions that actually mitigate risk.
Learning Objectives:
- Understand why phishing simulations produce negligible behavioral change and how to measure your organization’s true vulnerability.
- Implement email authentication (DMARC/SPF/DKIM), phishing‑resistant MFA, and automated detection to block threats before they reach users.
- Build an AI‑powered nudge system and a positive security culture that turns employees into active defenders.
1. The Hard Truth: Why Phishing Tests Fail
Despite 56% of employees clicking at least one malicious link over eight months, training reduced failures by only 1.7%. The most successful lure achieved a 30.8% click rate. A 1.7% defense against a 30.8% attack is mathematically useless.
Step‑by‑step: Audit your own phish test data (Python)
import pandas as pd
Sample dataset: user_id, click_count, trained_flag, lure_type
df = pd.read_csv('phish_sim_results.csv')
untrained_clicks = df[df['trained_flag']==0]['click_count'].mean()
trained_clicks = df[df['trained_flag']==1]['click_count'].mean()
reduction = (untrained_clicks - trained_clicks) / untrained_clicks 100
print(f"Training reduces clicks by {reduction:.1f}%")
Run this on your simulation logs – you’ll likely see <3% improvement. If your reduction is higher, your simulation is likely too easy (e.g., using known test domains). Instead, measure real email gateway blocks and MFA prompt fatigue.
2. Deploy Email Authentication Protocols (DMARC, SPF, DKIM)
Block phishing at the gateway. These protocols prevent domain spoofing and direct‑to‑inbox attacks.
Step‑by‑step for Linux (DNS management)
- SPF – Publish a TXT record: `v=spf1 include:spf.protection.outlook.com -all`
Verify with: `dig example.com TXT +short`
2. DKIM – Generate keys (Linux):
openssl genrsa -out dkim_private.pem 2048 openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem
Add public key as a TXT record at selector._domainkey.example.com.
3. DMARC – Create a TXT record at _dmarc.example.com:
`v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100`
Test with `dig _dmarc.example.com TXT` or online DMARC checkers.
Windows (PowerShell) alternative:
Resolve-DnsName -Name example.com -Type TXT | Where-Object {$_.Strings -like "spf"}
Resolve-DnsName -Name _dmarc.example.com -Type TXT
3. Implement Phishing‑Resistant MFA
SMS and push‑based MFA can be bypassed via MFA fatigue or SIM swapping. Move to WebAuthn (hardware keys, Windows Hello, or platform authenticators).
Step‑by‑step for Azure AD / Microsoft 365 (PowerShell)
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
Enforce hardware key (FIDO2) for all users
$params = @{
"@odata.type" = "microsoft.graph.authenticationMethodsPolicy"
authenticationMethodConfigurations = @(
@{
"@odata.type" = "microsoft.graph.fido2AuthenticationMethodConfiguration"
id = "Fido2"
state = "enabled"
isAttestationEnforced = $true
excludeTargets = @()
}
)
}
Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $params
For on‑prem Linux: configure `pam_u2f` so SSH and sudo require a YubiKey:
sudo apt install libpam-u2f pamu2fcfg > ~/.config/Yubico/u2f_keys echo "auth sufficient pam_u2f.so" | sudo tee -a /etc/pam.d/common-auth
4. Build an AI‑Powered Security Nudge System
Instead of punitive tests, use just‑in‑time AI nudges when a user clicks a suspicious link. This reduces click rates without adversarial simulations.
Step‑by‑step using Python + Gmail API (detect and respond)
1. Set up Gmail API credentials (developers.google.com/gmail/api)
- Monitor incoming email for known phishing indicators (suspicious sender, urgency words)
3. On detection, send a Slack/MS Teams nudge:
import requests
from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build
def send_slack_nudge(user_email):
webhook = "https://hooks.slack.com/services/XXXX"
message = {"text": f":warning: {user_email}, the email you just clicked contains phishing indicators. Do not enter credentials. Alert security if already clicked."}
requests.post(webhook, json=message)
Scan email (simplified)
creds = Credentials.from_authorized_user_file('token.json')
service = build('gmail', 'v1', credentials=creds)
results = service.users().messages().list(userId='me', q='is:unread').execute()
for msg in results.get('messages', []):
Analyze message content – if malicious, call send_slack_nudge()
pass
Run this as a cron job every 5 minutes. The nudge reduces repeat clicks by up to 40% in production environments (per 2024 USENIX study).
- Create a Positive Security Culture – No More Adversarial Testing
Replace secret phishing tests with open communication channels and easy reporting. Users who feel trusted report real attacks 3x faster.
Step‑by‑step: Set up a reporting bot (Microsoft Teams)
1. Create a Teams channel `phishing-alerts`
2. Use Power Automate or a custom webhook:
{
"type": "AdaptiveCard",
"body": [{"type": "TextBlock", "text": "Suspicious email? Click below to forward"}],
"actions": [{"type": "Action.Submit", "title": "Report Phish", "data": {"action": "report"}}]
}
3. Instruct users to forward suspect emails to [email protected]. Automate analysis using an open‑source tool like PhishingAnalyzer:
git clone https://github.com/cisagov/PhishingAnalyzer cd PhishingAnalyzer python analyzer.py --email suspicious.eml --output report.html
Review reports weekly with the user who reported – thank them, explain what happened, and share what technical controls blocked (or missed) the attack. This turns a failed click into a learning moment without punishment.
- Automated Incident Response for Phishing (When User Clicks)
Despite best controls, clicks happen. Automate containment to prevent compromise.
Step‑by‑step – Isolate endpoint via PowerShell (Windows) + Linux
– Windows (Defender for Endpoint)
Requires admin and MicrosoftGraph PowerShell
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/security/incidents/{incidentId}/containment" -Body '{"comment":"User clicked phishing link"}'
– Linux (iptables isolation)
Assume breach – drop all non‑essential outbound traffic sudo iptables -P OUTPUT DROP sudo iptables -A OUTPUT -p tcp --dport 443 -d 10.0.0.0/8 -j ACCEPT Allow only internal comms sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT DNS but to internal resolver Log all dropped attempts for forensics sudo iptables -A OUTPUT -j LOG --log-prefix "BLOCKED: "
To revert: `sudo iptables -P OUTPUT ACCEPT && sudo iptables -F`
Then force a password reset and revoke MFA sessions via your IdP (Okta/Azure).
7. Metrics That Matter – Beyond Click Rate
Stop measuring phish click percentages. Instead track technical control efficacy.
Step‑by‑step: Build a dashboard using ELK or Splunk
Collect these metrics daily:
- Email gateway block rate (SPF/DKIM fails) – target >99.5%
- MFA challenge success vs. fatigue attacks – log `signInEvents` for `interruption` reason
- Time to report real phish (user reporting to IR) – median <15 minutes
- Patching latency for browsers/email clients – 95% patched within 7 days
Example Splunk query:
index=email sourcetype=dmarc_aggregate p=reject | stats count by domain
If your DMARC reject count is low, attackers are still spoofing you. Fix that before running another phish test.
What Undercode Say
- Key Takeaway 1: Phishing tests reduce click rates by less than 2% against attacks that succeed 30% of the time – they are a waste of resources and often damage trust.
- Key Takeaway 2: Security by design – forced technical controls (DMARC, FIDO2 MFA, automated isolation) – stop the 30% without relying on human perfection.
Analysis: The industry has spent billions on “awareness” while ignoring the hard truth: humans are not the weakest link – the absence of layered, default‑secure systems is. CISOs must shift budget from simulation platforms to email authentication, conditional access, and AI‑driven just‑in‑time coaching. Insurance carriers should stop asking “Do you run phish tests?” and start asking “What is your DMARC reject rate and MFA configuration?” The Oakland 2025 paper gives us the data; now we need the courage to act. Replace fear‑based metrics with control efficacy. Your users will thank you, and your breach rate will finally drop.
Prediction
By 2028, phishing simulations will be considered a liability, not a best practice. Leading organizations will replace them with continuous, privacy‑preserving AI nudges, mandatory phishing‑resistant authentication for all external logins, and real‑time email filtering that blocks 99.9% of lures. Cyber insurance will mandate DMARC reject at p=quarantine or higher, and security culture will be measured by reporting speed, not click rates. The human will become a sensor, not a test subject.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Philvenables This – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


