Two weeks after completing phishing awareness training, an employee at a small business received a suspicious email. Instead of reporting it through the proper channel, they forwarded it company-wide with the subject line: "Is this legit?" Four accounts were compromised before the end of the day.
This isn't a horror story. It's a Tuesday.
Phishing awareness training has become the default answer to human-layer security risk. Annual modules, simulated phishing campaigns, certificates of completion — organizations check the box and move on. But the box was never designed to stop a breach on its own. And right now, the threat landscape is evolving faster than any training curriculum can keep up with.
The Training Gap Is Getting Wider, Not Smaller
Modern phishing attacks aren't just convincing emails anymore. According to The Hacker News, the Starkiller phishing suite uses adversary-in-the-middle (AitM) reverse proxies to intercept authentication sessions and bypass multi-factor authentication entirely. That means an employee who does everything right — recognizes the suspicious link, uses MFA — can still be compromised. The control they were trained to rely on has been engineered around.
It gets more targeted. Microsoft has issued an active warning about phishing campaigns abusing OAuth URL redirection to deliver malware to government and public-sector targets. These attacks are specifically designed to defeat the browser and email defenses that awareness training teaches employees to trust. If your organization touches federal contracts or CUI — even tangentially — this is a direct threat to your CMMC posture.
And it's not just sophisticated nation-state actors. Huntress recently identified a campaign using fake IT support spam followed by phone calls — a two-stage social engineering sequence — that successfully compromised employees across five SMB partner organizations. These weren't untrained employees. The attack was simply designed to feel like a legitimate helpdesk interaction. Training teaches people to spot phishing emails. It doesn't teach them to hang up on a convincing phone call from someone claiming to be IT.
APT-linked groups are running the same playbook at scale. Silver Dragon, linked to APT41, continues to gain initial access through phishing emails with malicious attachments — a delivery method that awareness training is specifically designed to counter, yet continues to succeed against targeted organizations across government sectors in the EU and Southeast Asia.
Training Is an Input. You Also Need an Output Layer.
Here's the core problem: phishing awareness training is designed to change knowledge. It is not designed to enforce behavior, document escalation paths, or contain damage when the inevitable mistake happens. Those are process and technical controls — and without them, you don't have a security program. You have a curriculum.
A repeatable defense system requires three things training alone cannot provide:
1. A Documented Escalation Path (That Everyone Has Actually Used)
When an employee receives a suspicious email, what do they do? If the answer is "report it to IT" but there's no defined mailbox, no ticket workflow, and no acknowledgment process, that answer will fail under pressure. Employees default to the path of least resistance — which is often forwarding the email or clicking to verify.
Document the path. Make it a single step. Test it quarterly, not just during simulated phishing campaigns. As we covered in our guide to preventing employee privilege escalation and access control, the human layer and the technical layer have to be designed together — one without the other creates exploitable gaps.
2. Privilege Controls That Limit Blast Radius
The company-wide forward scenario at the top of this post happened because one employee had the ability to email everyone in the organization with a single click. That's a privilege control failure, not a training failure.
Review who can send to distribution lists. Restrict forwarding rules in Microsoft 365. Limit what a compromised account can reach. These controls don't require a large security budget — they require intentional configuration. Our post on Microsoft 365 breach prevention for small businesses walks through several of these settings in practical terms.
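One way to put the forwarding and distribution-list controls above into practice, as an added Exchange Online PowerShell example that is not from the original post or Oscar Six Security. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Exchange Administrator role, and "All Staff" and the example.com addresses are placeholders for your own group and approved senders.

```powershell
# Added example (not from the original post): audit existing mail forwarding,
# then restrict auto-forwarding and all-staff sending in Microsoft 365.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator
# account; "All Staff" and the example.com addresses are placeholders.
Connect-ExchangeOnline

# 1. Audit first: mailbox-level forwarding to another address is a common
#    sign of an already-compromised account, so review these before the
#    tenant-wide block below silently drops that mail.
$mailboxForwards = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail are the other place attackers
#    hide after a successful phish (to watch replies and suppress alerts).
$inboxForwards = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, ForwardTo, RedirectTo
}

$mailboxForwards | Format-Table -AutoSize
$inboxForwards   | Format-Table -AutoSize

# 3. Tenant-wide: stop automatic forwarding to external domains. The two
#    settings overlap on purpose; the outbound spam policy is evaluated first.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Blast radius: only authenticated, explicitly approved senders may mail
#    the all-staff list, so one compromised account cannot reach everyone
#    with a single forward.
Set-DistributionGroup -Identity "All Staff" `
    -RequireSenderAuthenticationEnabled $true `
    -AcceptMessagesOnlyFromSendersOrMembers @("ceo@example.com", "it-helpdesk@example.com")
```

Run steps 1 and 2 on their own first and feed any unexpected forwarding rule into the post-incident review described later in this post; steps 3 and 4 change tenant behaviour and should follow that review.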
3. A Post-Incident Review Process (Not a Blame Session)
Every phishing incident — whether it results in a compromise or just a near-miss — is data. What lure was used? What made it convincing? Which control failed first? Did the employee report it, and if not, why?
Without a structured post-incident review, the same attack pattern will work again in six months. With one, you start building institutional memory that no training module can replicate.
For organizations pursuing Ohio SB 220 safe harbor protection or working toward CMMC Level 1 compliance, documented incident response processes aren't optional — they're evidence of a functioning security program. See our CMMC Level 1 compliance guide for small businesses for what reviewers actually look for.
What a Repeatable Defense System Actually Looks Like
You don't need a SOC or a six-figure security budget. You need:
- A single reporting mechanism employees can use in under 30 seconds
- Email and forwarding restrictions that limit what a compromised account can touch
- A written escalation policy that defines who responds, in what timeframe, and with what authority
- A monthly or quarterly review of reported incidents, near-misses, and simulated phishing results
- Continuous visibility into your environment so you know when something is wrong before an employee tells you
That last point matters more than most organizations realize. Phishing is usually the entry point — not the damage. The damage happens in the hours and days after initial access, when attackers move laterally, escalate privileges, and exfiltrate data. Knowing your current vulnerability exposure is what gives you the ability to respond before that window closes.
Take Action
Phishing training tells your employees what to look for. A defense system tells you what's already been missed.
Oscar Six Security's Radar gives small businesses and government contractors continuous vulnerability visibility for $99 per scan — so you know where your exposure is before an attacker does. Whether you're building toward CMMC compliance, pursuing Ohio SB 220 safe harbor, or just trying to make sure one forwarded email doesn't take down four accounts, Radar gives you the enforcement layer that training was never designed to be.
See how Radar fits your security program →
Focus Forward. We've Got Your Six.
This article was originally published on Oscar Six Security Blog.