I am not saying your story is fake dvirsky if that's you get from my posts. It's just has all the hallmarks of something I trained people around me to notice.
I didn't think this is what you implied, but having seen the actual email, I also think the security bad practice was on the sender side, and this wasn't a phishing attempt.