by alanfranz 2002 days ago
Clicking the link shouldn't be enough to consider a target to have fallen to phishing. Sometimes, if I get a fishy email, I open it in a private tab within a browser I don't use, or even within a throwaway VM (if I feel something is REALLY strange).

Clicking a link is all it takes to download malicious code and send stuff to an attacker. Clicking a link is enough to consider a target to have failed.
It shouldn't be, though. If your threat model includes teams with something like a Chrome 0day, you've got bigger problems than employees clicking links. Malicious email in the wild is either a link to a phishing page or a link to a page offering an executable.

If I paste a URL into urlscan.io and have a look at it, I can assess better whether it might be safe. Being told "URL got hit, you compromised us" is really silly in my view.

^ this.

Of course "click to fail" is silly. And, in some experiments I did in the past, it's usually easy, in a large organization, to forge a 100% legit URL (like somefileserver.organization.com/some_url_that_can_be_easily_edited_by_anonymous_users) and a 100% legit sender (because of some open relay that passes DKIM and/or SPF). So you just need access to a minimal-security internal network (easily obtainable through spearphishing or malicious employees) to perform a good phish.

The obvious attack vector is to insert some JS in the webpage that performs a redirection to an external server holding malicious data. But the user would fail IFF they entered the data there, not just by clicking.

This is, uh, obviously not true.

Feel free to provide me with a link that will "send stuff to an attacker" with only me clicking it and no other action.

No way, that'd be a 0-day and you wouldn't want to burn one doing phishing.
The URLs include some unique identifier that’s traceable to you. As far as my company is concerned, merely clicking it is grounds for security training.

Edit: I guess the argument is any page could contain an RCE.

Wow. If a single click is enough for an RCE, you've got bigger problems, IMHO. Basically, each and every website can hack into your infrastructure.

I'm not sure whether there are policy recommendations about phishing, but as far as I'm concerned a target would have failed if they entered private data somewhere, or opened downloaded documents or executables.
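As an added example, not from any commenter in this thread: a small scorer for an internal phishing-awareness simulation that implements the two positions argued above. Each recipient gets a URL carrying a unique, unforgeable token (so a click is attributable to a person, as one commenter describes), but under the default policy only entering data or opening a downloaded attachment counts as a fail; a `click_is_failure` switch gives the stricter policy. The HMAC token scheme, hostnames, addresses and log lines are all constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlparse, parse_qs

# Constructed per-campaign secret; a real deployment keeps this server-side only.
CAMPAIGN_SECRET = b"constructed-demo-secret"
BASE_URL = "https://training.example.invalid/landing"

# Events that fail a target under the lenient policy (clicking alone does not).
FAILING_EVENTS = {"submitted_data", "opened_attachment"}


def recipient_token(email: str) -> str:
    """Per-recipient identifier for the URL; an HMAC so tokens can't be guessed or forged."""
    digest = hmac.new(CAMPAIGN_SECRET, email.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def tracking_url(email: str) -> str:
    return f"{BASE_URL}?t={recipient_token(email)}"


def parse_event(line: str):
    """Parse one constructed log line of the form '<event> <url>' into (event, token)."""
    event, url = line.split(" ", 1)
    token = parse_qs(urlparse(url).query).get("t", [None])[0]
    return event, token


def score(log_lines, recipients, click_is_failure=False):
    """Return {recipient: 'failed' | 'clicked' | 'no_action'} under the chosen policy."""
    index = {recipient_token(r): r for r in recipients}  # token -> person
    result = {r: "no_action" for r in recipients}
    for line in log_lines:
        event, token = parse_event(line)
        who = index.get(token)
        if who is None:
            continue  # unknown or forged token: never attribute it to anyone
        if event in FAILING_EVENTS or (click_is_failure and event == "clicked"):
            result[who] = "failed"
        elif event == "clicked" and result[who] == "no_action":
            result[who] = "clicked"  # recorded, but not a fail by itself
    return result


# Constructed sample log for the demo (not real data).
RECIPIENTS = ["alice@example.invalid", "bob@example.invalid", "carol@example.invalid"]
SAMPLE_LOG = [
    f"clicked {tracking_url('alice@example.invalid')}",
    f"clicked {tracking_url('bob@example.invalid')}",
    f"submitted_data {tracking_url('bob@example.invalid')}",
    "clicked https://training.example.invalid/landing?t=0000000000000000",  # bogus token
]
```

Under the lenient policy alice is merely "clicked", bob "failed" (he entered data), carol untouched; with `click_is_failure=True` alice fails too, and the bogus token is ignored in both cases.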