[closeparen]

The only way to pass the phishing tests at my employer is to never click links in email. But then we also have a number of official systems sending emails with links in them (bug tracking, code review, Zoom invites, HR portal, etc).

The only way this kind of policy makes sense is if you have to actually give the phishing site some kind of credential in order to fail, vs. merely opening on it.

If someone has a Chrome zero-day, we're done anyway. Just post it on HN.

[anitil]

This is my major concern. Heaps of legitimate companies send emails with links to things like 'http://dh380.<third party server>.com'. We're being trained to accept this sort of silliness

[closeparen]

I don't think it's realistic to live in constant fear of browser sandbox escapes, or to consider visiting an arbitrary URL "silliness." If your threat model includes people willing to burn Chrome 0-days on you, you need an air gap.

The much more relevant battle is preventing credential theft, which you can solve completely at the technical level with U2F. And if you can't, user education on "check the URL before typing your password" is a little more realistic than "don't open links from email ever."

[anitil]

While I agree with you, I'm far less concerned for my family/friends/colleagues about a sandbox escape compared to accidentally putting information in to a malicious site

[closeparen]

Yes, and "consider the URL and how you got there before typing in your password or credit card" is a lot more realistic than "don't click links." Still, clicking the link fails the phishing test all by itself.