When these tests are conducted, are they typically sent from an email with a non-company domain? I ask because a few months ago my partner received a test which she failed because it was sent from an email under her company’s normal domain name. I’m not in IT but I am in software dev and I thought this was pretty unreasonable, since in that scenario (AFAIK) either the company fucked up their email security or the attacker has control over the Exchange server, in which case all bets are off anyway.
Do you mean something like “Legitimate Company <hacker@malware.net>”? In this case the company domain was in the actual sender address and not just the display name. Anyhow, ty for the insight!