Oscar Six Security

Posted on • Originally published at blog.oscarsixsecurityllc.com

Phishing Forwards: Why Protocol Beats Training

It happened two weeks after phishing awareness training wrapped up.

A well-meaning employee received a suspicious email, wanted to do the right thing, and forwarded it company-wide with a simple question: "Is this legit?"

Four accounts were compromised before anyone could answer.

This scenario — pulled from a real discussion circulating in IT and MSP communities on Reddit — isn't a story about a bad employee or even a failed training program. It's a story about a missing protocol. And if your organization treats "send suspicious emails to IT" as an informal suggestion rather than a documented, enforced procedure, you're one curious employee away from the same outcome.

Training Creates Awareness. Protocol Creates Containment.

Phishing awareness training has real value. Employees who recognize red flags — urgent language, mismatched sender domains, unexpected attachments — are less likely to click. But awareness doesn't tell an employee what to do next. And that gap is where incidents happen.

When someone isn't sure if an email is malicious, their instinct is often to crowdsource the answer. Forwarding to a coworker. Asking in a group chat. Or, in this case, blasting it company-wide. Every forward is another potential click. Every click is another potential compromise.

This is compounded by how fast modern phishing lures evolve. According to The Hacker News, Microsoft recently disclosed a ClickFix campaign that manipulates even technically aware users into executing malicious commands through Windows Terminal. ClickFix works by talking the victim into copying a command into a terminal and running it themselves, so the payload never arrives as a downloadable attachment and the user, not a dropper, does the execution. The technique is specifically engineered to bypass the skepticism that training is supposed to build. When the lure is good enough to fool IT professionals, the answer isn't more training. It's a faster, clearer response procedure.

The MFA Problem Nobody Wants to Talk About

Many small businesses believe multi-factor authentication is their safety net. If an employee clicks, at least the attacker can't log in without the second factor. That assumption is increasingly dangerous.

The recent Europol-assisted takedown of Tycoon 2FA, a phishing-as-a-service platform explicitly built to bypass MFA, is a direct challenge to that belief. Tycoon 2FA is an adversary-in-the-middle (AitM) kit: the phishing page proxies the victim's login to the real identity provider in real time, the victim completes the OTP or push prompt as usual, and the kit captures the session cookie the provider issues. The attacker never needs the second factor because the victim spends it on the attacker's session. And it was available to low-skill threat actors as a subscription service. The industrialization of phishing means the tools outpace the training, almost by definition.

The caveat worth stating plainly: this defeats codes, SMS and push approvals, not every form of MFA. FIDO2/WebAuthn security keys and passkeys bind each login to the origin the browser is actually on, so a lookalike domain relaying to the real provider gets nothing it can replay.
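To make the difference concrete, here is a small relying-party simulation, added for this post and not code from Tycoon 2FA, Microsoft or any identity provider. It models the two flows side by side: an OTP relayed through a proxy, and a WebAuthn assertion where the relying party checks the origin recorded in clientDataJSON. The relying party name, both origins, the challenge and the one-time code are constructed, and signature verification over the assertion is left out so the origin check stands on its own.

```python
"""AitM phishing vs. origin-bound MFA, as a relying-party simulation.

Added example, not code from any real kit or IdP. RP_ID, RP_ORIGIN and
PROXY_ORIGIN are hypothetical; the assertion signature is not verified here.
"""
import base64
import hashlib
import json
import os

RP_ID = "example.com"                      # hypothetical relying party
RP_ORIGIN = "https://login.example.com"    # the only origin the RP accepts
PROXY_ORIGIN = "https://login-example-com.verify-now.example"  # hypothetical lookalike


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_accepts_otp(submitted: str, expected: str) -> bool:
    """A TOTP/SMS code carries no information about where it was typed."""
    return submitted == expected


def aitm_relay_otp(victim_types: str, expected: str) -> bool:
    """The proxy forwards the victim's code to the real RP unchanged. The RP
    cannot tell the proxy's session from the victim's, so login succeeds and
    the proxy keeps the session cookie the RP issues."""
    return rp_accepts_otp(victim_types, expected)


def browser_client_data(origin: str, challenge: bytes) -> str:
    """What the browser writes into clientDataJSON: the origin the user is
    really on. The authenticator signs a hash of this, so a proxy cannot
    rewrite the origin without invalidating the signature."""
    return _b64url(json.dumps({
        "type": "webauthn.get",
        "challenge": _b64url(challenge),
        "origin": origin,
    }).encode())


def authenticator_data(rp_id: str) -> bytes:
    """authenticatorData starts with SHA-256(rpId); flags and counter follow."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def rp_verify_assertion(client_data_b64: str, auth_data: bytes,
                        expected_challenge: bytes) -> tuple:
    """The relying-party checks from the WebAuthn spec that a relay cannot pass."""
    try:
        cd = json.loads(_b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON unparsable"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if _b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo() -> dict:
    """Run both flows once; returns the verdicts rather than printing them."""
    challenge = os.urandom(32)
    otp = "482913"                          # constructed one-time code
    auth = authenticator_data(RP_ID)
    legit = rp_verify_assertion(browser_client_data(RP_ORIGIN, challenge), auth, challenge)
    proxied = rp_verify_assertion(browser_client_data(PROXY_ORIGIN, challenge), auth, challenge)
    return {
        "otp_relayed_through_proxy": aitm_relay_otp(otp, otp),
        "webauthn_direct": legit,
        "webauthn_through_proxy": proxied,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In a real browser the lookalike page would fail even earlier, because a credential registered for rpId `example.com` is not offered to a page on another registrable domain at all; the origin comparison shown here is the server-side half of the same guarantee.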

We've written before about why phishing awareness training fails as a standalone defense. The short version: training is periodic, phishing is continuous. Protocol is what bridges that gap.

What Happens After the Click Actually Matters

The Reddit scenario involved credential compromise. That's painful, but it's recoverable. The downstream risk is worse.

According to The Hacker News, the VOID#GEIST malware campaign uses obfuscated batch scripts delivered through phishing-style attack chains to deploy multiple remote access trojans simultaneously — including XWorm, AsyncRAT, and Xeno RAT. A single employee interaction doesn't just expose credentials. It can hand an attacker persistent, remote control over multiple systems before your IT team finishes their morning coffee.

This is why incident containment speed matters as much as prevention. The faster a suspicious email is reported through a defined channel — and the faster affected accounts are isolated — the smaller the blast radius.

What a Real Phishing Response Protocol Looks Like

Here's what small businesses and their MSPs should have documented, tested, and communicated before the next suspicious email lands:

Before the incident:

  • Define a single reporting mechanism (a dedicated email alias, a ticketing system button, or a reporting plugin in your email client). Make it easier to report correctly than to forward casually. Whatever the channel, it must deliver the original message intact: an inline forward rewrites the headers and often the links, so the triage owner loses the Return-Path, Authentication-Results and original sender details that separate a spoof from a real message. Report buttons and "forward as attachment" preserve them.
  • Document what employees should not do: no forwarding, no opening attachments to verify, no clicking links to check where they go.
  • Include the protocol in onboarding and post it somewhere visible. A laminated card at a desk beats a PDF buried in a shared drive.

During the incident:

  • Establish a response owner. Someone specific, not "IT" in the abstract, is responsible for triaging reported emails within a defined time window.
  • Define isolation steps for potentially compromised accounts: password reset, session termination, MFA re-enrollment, and temporary access restriction. Session termination has to mean revoking the account's active sessions and refresh tokens at the identity provider, not just signing the user out of a browser, because an AitM kit walks away with the session cookie rather than the password and a reset alone does not evict it. Check for attacker persistence in the same step: new inbox forwarding rules, newly registered MFA methods, and recently consented third-party apps.
  • Communicate to staff that a suspicious email has been identified and is being handled — without forwarding the original.

After the incident:

  • Document what happened, what was affected, and what was done. This isn't just good practice — it's required for CMMC Level 1 compliance and supports Ohio SB 220 safe harbor documentation if your business operates in Ohio.
  • Review whether the protocol worked. If four accounts got compromised, something in the chain failed. Find it.
  • Update training content to reflect the specific lure that succeeded. Generic phishing examples age quickly.
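The response owner's first job is triage within the agreed window, and most of that is mechanical: does the reply-to match the sender, did SPF/DKIM/DMARC pass, do the visible link and the real link agree, and what is attached. The script below is an added example for this post, not Oscar Six Security's tooling; it runs the checks the red-flag list above describes over a reported `.eml`. The sample message embedded in it is constructed, and every address, domain and file name in it is hypothetical, as are the urgency-phrase and risky-extension lists, which you would tune for your own environment.

```python
"""Triage a reported message for the red flags this post lists.

Added example, not Oscar Six Security's tooling. SAMPLE_EML is constructed;
every domain, address and file name in it is hypothetical. For a real report:
triage(open("reported.eml", "rb").read())
"""
import base64
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists; tune for your environment.
URGENCY = ("urgent", "suspend", "24 hours", "immediately", "overdue", "verify your")
RISKY_EXT = (".zip", ".iso", ".img", ".exe", ".js", ".vbs", ".lnk", ".html", ".htm", ".one")

EMPTY_ZIP = b"PK\x05\x06" + b"\x00" * 18   # smallest valid ZIP, standing in for a lure
SAMPLE_EML = (
    b"Return-Path: <bounce@mail-relay.example.net>\n"
    b"Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net;"
    b" dkim=none; dmarc=fail header.from=micros0ft-support.example\n"
    b'From: "Microsoft 365 Billing" <billing@micros0ft-support.example>\n'
    b"Reply-To: collections@outlook-payments.example\n"
    b"To: employee@example.com\n"
    b"Subject: URGENT: invoice overdue, account suspension in 24 hours\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n--b1\n"
    b'Content-Type: text/html; charset="utf-8"\n\n'
    b"<html><body><p>Your payment failed. Review now: "
    b'<a href="https://login-micros0ft.example/auth">https://portal.office.com/billing</a>'
    b"</p></body></html>\n"
    b"--b1\n"
    b'Content-Type: application/zip; name="Invoice_4471.zip"\n'
    b'Content-Disposition: attachment; filename="Invoice_4471.zip"\n'
    b"Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(EMPTY_ZIP) + b"\n--b1--\n"
)


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _site(url: str) -> str:
    """Last two labels of the URL host; crude, but enough to catch lookalikes."""
    if "://" not in url:
        url = "https://" + url
    return ".".join((urlparse(url).hostname or "").lower().split(".")[-2:])


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_dom = _domain(from_addr)
    reply = parseaddr(str(msg.get("Reply-To", "")))[1]
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    if reply and _domain(reply) != from_dom:          # replies go somewhere else
        findings.append(("reply_to_mismatch", f"{from_dom} -> {_domain(reply)}"))
    if envelope and _domain(envelope) != from_dom:    # envelope sender vs header From
        findings.append(("envelope_mismatch", f"{from_dom} vs {_domain(envelope)}"))
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append((f"{mech.lower()}_{result.lower()}", auth.strip()))
    hits = [w for w in URGENCY if w in str(msg.get("Subject", "")).lower()]
    if hits:
        findings.append(("urgent_language", ", ".join(hits)))
    attachments = []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "(unnamed)"
            attachments.append({"name": name, "size": len(data),
                                "sha256": hashlib.sha256(data).hexdigest()})
            if name.lower().endswith(RISKY_EXT):
                findings.append(("risky_attachment", name))
        elif part.get_content_type() == "text/html":
            p = _LinkParser()
            p.feed(part.get_content())
            for href, text in p.links:              # link text says one site, href another
                if "." in text and _site(text) != _site(href):
                    findings.append(("link_text_mismatch", f"shows {_site(text)}, goes to {_site(href)}"))
    return {"from": from_addr, "findings": findings, "attachments": attachments,
            "score": len(findings)}


def finding_kinds(raw: bytes) -> list:
    return [kind for kind, _ in triage(raw)["findings"]]


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EML)["findings"]:
        print(f"{kind:20} {detail}")
```

The attachment hash is what you hand to your EDR or a reputation service before anyone opens the file; the script never extracts or executes it. The host comparison uses the last two DNS labels, which is deliberately simple and will misjudge country-code second-level domains, so swap in a public suffix list if those matter in your environment.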

The Access Control Connection

CMMC Level 1 requires that access to federal contract information is limited to authorized users and controlled. A phishing incident that results in compromised credentials is, by definition, an access control failure — and without documented incident response procedures, it's also a compliance gap. The same logic applies to Ohio's SB 220 safe harbor: protection requires not just having security tools, but demonstrating that you follow a written security program.

Protocol documentation isn't bureaucracy. It's your paper trail when things go wrong, and your defense when an auditor asks what you did about it.

For MSPs managing multiple clients, this is worth reviewing in the context of your own internal posture as well — our MSP internal security checklist covers how to apply these standards to your own house, not just your clients'.


Take Action

A documented phishing response protocol is only as strong as your visibility into what's already exposed in your environment. Attackers don't just use phishing — they use it to find the open doors your existing tools missed.

Oscar Six Security's Radar gives small businesses and MSPs affordable, continuous vulnerability scanning at $99 per scan — so you know what's exposed before an attacker does.

See how Radar works →

Focus Forward. We've Got Your Six.

