[dvtrn]

Should it be expunged though? They've indicated they were aware it was quite clearly a phishing attempt, but they still accessed the link. If the test was to see if a user would try accessing the link, then this user failed the test. Why should that be expunged?

Curiosity shouldn't preclude security, and intent shouldn't preclude policy if the operator operated knowingly.

This isn't to attack maxk42, but to engage the question head on.

[Dylan16807]

The goal is "don't be phished", right? Measuring http requests is a proxy for that, and not a completely accurate one.

[closeparen]

> intent shouldn't preclude policy

Oh boy, I hope I never work in this kind of organization.

[dvtrn]

I was hoping implicit in this statement, along with other contexts offered that this would have been read with "information security" in mind, on me to communicate that better next time.