Ever get an email that feels a bit… off, but you can’t quite put your finger on why? Maybe it’s an urgent message from your boss, or your boss’s boss. The layout is familiar, the language is on point, and the sender’s name checks out.

What Did We Do, and Why?

In this exercise, we ran an impersonation scenario: the phishing emails appeared to come from within the company, so we could test how resilient we are to attacks that borrow the trust of a colleague’s name and a tool we use every day.

We set the stage for a scenario that would make even seasoned IT pros sweat: a campaign designed to look like it came from trusted folks inside the company.

Here’s the play-by-play:

GoPhish campaign setup

  • Fake Jira Notification: The email mimicked a legitimate notification from one of our Jira boards, a tool most of us use daily.
  • Trustworthy Names: We upped the ante by putting a sender with authority on it. (Because when your boss emails you, you click… right?)
  • Tricky Links: Clicking the link took you to a “login page” that looked just like Okta’s (our real login portal). The catch? The URL path didn’t match the login route our real Okta tenant uses.
  • Doppelganger Domains: Instead of the real domains, we used internationalized lookalikes such as atlassían.net and oktà.com: a single accented letter swapped in (í for i, à for a) that only the eagle-eyed would catch. On the wire these names travel as punycode (an ASCII xn-- form), which is how they show up in raw headers; the accented spelling is what a client renders back.

Red Flags: What Gave Us Away?

Not to toot our own horn, but this is exactly the kind of phishing technique real attackers use too. Some might say this particular simulation was a bit far-fetched, but there were clear signs something wasn’t right:

1. The Odd Okta Login (When You Didn’t Need It)

If you clicked a Jira notification and were suddenly asked to log in to Okta… pause. In our environment, Jira doesn’t use Okta. You should never need to log in to Okta just to see a Jira issue.

Lesson: If a login prompt feels out of place, it probably is.

2. Link Sleight of Hand

Before you click, hover. The “View issue” link wasn’t taking you to the real Jira site or Atlassian. Sure, the domain name looked close, but close only counts in horseshoes and hand grenades.

Lesson: If a link looks even a pixel off, don’t click. Check, verify, and when in doubt, visit the real site by typing it yourself (which some people did, kudos to them).

Phishing email with suspicious link highlighted

Your Security Toolkit: Be a Human Firewall

How do you keep your wits about you when every email could potentially be a digital Trojan horse? Here’s your cheat sheet:

  • Question Weird Workflows: Login prompts where there shouldn’t be any? That’s a red flag waving just for you.
  • Hover, Don’t Click: Hovering over a button or link shows its real destination before you commit. Want to see where it actually lands without visiting it yourself? Submit the URL to a sandbox such as urlscan.io, or open it in a throwaway browser like Browserling.
  • Be Direct: Unsure about an email? Go straight to the service using your browser. Don’t trust the shortcut.
  • Ask for Backup: If something smells phishy, ping IT or Security. There’s no such thing as a silly question when your data’s at stake.
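The two link checks above (hover to see the real href, and look past a doppelganger spelling to the domain it imitates) can be made mechanical. Here is an added example in Python; it is not part of the original post or of our internal tooling. It encodes the href’s host to punycode the way a resolver does, strips the accents to recover the ASCII name a reader would see, and compares against an allowlist of genuine portals. The allowlist (atlassian.net, okta.com) and the sample links are assumptions constructed for the example; the last-two-labels rule for the registrable domain is deliberately naive.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist for the example: the domains the post treats as real.
TRUSTED_DOMAINS = {"atlassian.net", "okta.com"}


def to_punycode(host: str) -> str:
    """Encode an IDN host per label, as the resolver sees it (RFC 3492)."""
    return host.encode("idna").decode("ascii")


def skeleton(host: str) -> str:
    """Strip accents so 'atlassían' and 'atlassian' compare equal.

    NFKD splits 'í' into 'i' plus a combining acute accent; dropping the
    combining marks leaves the plain letter the eye reads.
    """
    decomposed = unicodedata.normalize("NFKD", host.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def registrable(host: str) -> str:
    """Naive 'last two labels'; production code should consult the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> dict:
    """trusted: exact registrable match; lookalike: only the de-accented form matches."""
    base = registrable(host)
    looks_like = registrable(skeleton(host))
    if base in trusted:
        verdict, mimics = "trusted", None
    elif looks_like in trusted:
        verdict, mimics = "lookalike", looks_like
    else:
        verdict, mimics = "unknown", None
    puny = to_punycode(host)
    return {
        "host": host,
        "punycode": puny,
        "is_idn": puny != host,
        "verdict": verdict,
        "mimics": mimics,
    }


def check_link(href: str, visible_text: str = "") -> dict:
    """The hover check: judge the href, and flag visible URL text that disagrees with it."""
    href_host = urlsplit(href).hostname or ""
    result = classify_host(href_host)
    text_host = urlsplit(visible_text).hostname if "://" in visible_text else None
    result["text_mismatch"] = bool(text_host) and registrable(text_host) != registrable(href_host)
    return result


if __name__ == "__main__":
    # Constructed sample links: one genuine, two campaign lookalikes, one subdomain trick.
    for href, text in [
        ("https://mycompany.atlassian.net/browse/SEC-42", "View issue"),
        ("https://atlassían.net/browse/SEC-42", "View issue"),
        ("https://oktà.com/login", "https://mycompany.okta.com/login"),
        ("https://atlassian.net.evil.example/browse/SEC-42", "View issue"),
    ]:
        print(check_link(href, text))
```

Two details matter in practice. First, the verdict is made on the href, never on the button text, because the text is whatever the sender typed; the third sample shows a link whose visible URL names the real Okta tenant while the href goes to the lookalike. Second, the subdomain sample (atlassian.net.evil.example) stays "unknown" rather than "trusted": a real name appearing on the left of the host proves nothing, only the registrable domain counts.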

Final Thoughts: High Fives All Around (Even if You Got Caught)

If you flagged the phishing attempt, bravo: that’s the vigilance we love to see.

If you fell for it, don’t sweat it. No one’s getting detention. The purpose of these exercises isn’t to play “gotcha,” but to help everyone sharpen their sixth sense for security, together.

Remember: security isn’t about never making mistakes, but about learning from them and making our digital home safer for all.

Closing the Loop: A Smarter Way to Check Suspicious Emails

After reviewing the results of this phishing campaign, one thing was clear: even a well-trained team can be caught off guard by a convincing email. And not everyone has the time (or patience) to analyse suspicious messages line by line.

So, I built a solution.

Introducing our internal Suspicious Email Analyzer, powered by n8n, VirusTotal, URLScan, and GenAI.

Here’s what it does:

  • Parses .eml files and extracts the key artifacts: the sending server’s IP (from the Received headers), the sender address and domain, the full headers, any URLs embedded in the HTML body, and any Base64-encoded strings
  • Runs those artifacts through VirusTotal and URLscan.io
  • Combines the lookup results with an analysis of the email headers and sends everything to the LLM node, which produces a report that is delivered to the end user’s inbox. One caveat worth keeping in mind: the email body is attacker-controlled text, so it reaches the LLM as untrusted input, and a phishing email can carry instructions aimed at the analyzer just as easily as at the recipient.
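The extraction step of that workflow, as an added stand-alone example rather than the n8n workflow itself: Python’s standard library email module pulls the same artifacts out of a constructed .eml modelled on the campaign above. The sample message, the 203.0.113.10 address, the ourcompany.example names and the tracking-pixel parameter are all constructed for the example; the VirusTotal and URLscan.io lookups are left out so it runs offline.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, modelled on the campaign; none of it is a real capture.
# Mail servers see IDN domains in punycode, so the headers use that form.
LOOKALIKE = "atlassían.net".encode("idna").decode("ascii")        # xn--... form
BEACON = base64.b64encode(b"alice@ourcompany.example").decode("ascii")

SAMPLE_EML = f"""\
Received: from mail.{LOOKALIKE} (mail.{LOOKALIKE} [203.0.113.10])
\tby mx.ourcompany.example (Postfix) with ESMTPS id 4Fq2Xk1Zv
\tfor <alice@ourcompany.example>; Mon, 3 Jun 2024 09:12:01 +0000
From: "Jane Boss (Jira)" <jira@{LOOKALIKE}>
To: alice@ourcompany.example
Subject: [JIRA] (SEC-123) Please review before EOD
Message-ID: <SEC-123.0001@{LOOKALIKE}>
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit

<html><body>
<p>Jane Boss assigned <b>SEC-123</b> to you.</p>
<p><a href="https://atlassían.net/browse/SEC-123">View issue</a></p>
<img src="https://oktà.com/t.gif?u={BEACON}" width="1" height="1">
</body></html>
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def punycode_to_unicode(host: str) -> str:
    """Render xn-- labels back to the accented spelling a human would be shown."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def decoded_base64_strings(text: str) -> list:
    """Keep only candidates that really decode, and decode to printable ASCII."""
    found = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(), validate=True)
        except ValueError:            # binascii.Error is a ValueError
            continue
        if raw.isascii() and raw.decode("ascii").isprintable():
            found.append(raw.decode("ascii"))
    return found


def extract_artifacts(raw: str) -> dict:
    # Parse from bytes so a UTF-8 body is decoded by its declared charset.
    msg = email.message_from_bytes(raw.encode("utf-8"), policy=policy.default)

    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""

    # The topmost Received header is the hop our own MX added; the bracketed
    # address there is the IP that actually connected to us.
    received = msg.get_all("Received", [])
    ip_match = IPV4_IN_BRACKETS.search(str(received[0])) if received else None

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""

    urls = URL_RE.findall(body)
    return {
        "sender_email": sender,
        "sender_domain": sender_domain,
        "sender_domain_unicode": punycode_to_unicode(sender_domain),
        "sender_ip": ip_match.group(1) if ip_match else None,
        "headers": {name: str(value) for name, value in msg.items()},
        "urls": urls,
        "link_hosts": [urlsplit(u).hostname for u in urls],
        "base64_decoded": decoded_base64_strings(body),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_artifacts(SAMPLE_EML), indent=2, ensure_ascii=False))
```

The sender domain comes back twice on purpose: the punycode form is what you submit to VirusTotal and what appears in mail logs, while the decoded form is what the recipient saw, and a mismatch between the two is itself a signal. The Base64 filter decodes the tracking-pixel parameter to the recipient’s own address, which tells you the link was personalised and that clicking it confirms a live mailbox. When these URLs are passed on to urlscan.io, use an unlisted or private scan: a public scan of a lookalike domain is visible to anyone, including whoever registered it.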

Suspicious email analyzer n8n workflow

To put it to the test, I submitted an actual email from the phishing campaign above for analysis. Let’s see how it did:

AI email analysis report output