Our CEO submitted his password to our fake DocuSign page at 2:48pm on a Tuesday, exactly 108 seconds after I hit send. He was the first of 247 employees to do it, and over the next 22 minutes, thirteen of the fourteen people on our leadership team would follow. Engineering and IT — the departments that had complained loudest about mandatory training — barely moved at all.
This was an authorized internal red-team exercise. I run the security function. The board had approved the test six weeks earlier as part of the same awareness program we’d been running for half a year. What I’m describing below is the post-mortem we delivered the next morning, with the click map, the timeline, and the three controls we shipped that week. None of those controls was more training.
What we’d done before the test
For six months we ran the textbook program: weekly modules, mandatory completion, quarterly simulated phish drills, leadership-attended town halls. Pre-program, our baseline click rate on simulated phishes was 32% — slightly worse than the KnowBe4 global baseline of 33.1% across 14.5 million users in the 2025 Phishing by Industry Benchmarking Report. By month six we were trending toward the single digits the report cites for mature programs, and the board had been briefed on the curve.
The brief for this test was deliberately tight: one credible, tailored phish. No volume play. Sent to all 247 employees on a single Tuesday at 2:47pm — the middle of our board-prep week, when leadership inboxes are at peak load. Measure who clicks, when, how fast.
Why we picked DocuSign
DocuSign-themed lures weren’t a creative choice. They were the obvious one. In a 2025 StrongestLayer analysis of over 2,000 email attacks that bypassed enterprise secure-email gateways, DocuSign was the single most impersonated brand at 13.8%. Hoxhunt’s 2026 telemetry puts Microsoft, DocuSign, and internal HR as the top three most-impersonated entities globally. Cisco Talos’s analysis of PDF-payload phishing between May and June 2025 named Microsoft and DocuSign the most impersonated brands in callback phishing as well.
The reason these brands work isn’t that attackers love e-signature platforms. It’s that executives sign things constantly, the signing flow always involves clicking through to an external site, and the legitimate emails are themselves training material for the fake ones. Every real DocuSign teaches the recipient what a fake one should look like.
Our pretext: a signature request impersonating a senior partner at our outside counsel firm, naming a live commercial matter we had publicly disclosed. We sent it from a lookalike domain, docu-sign-secure.com, with a subject referencing the matter and a one-line note about the partner traveling the next day.
Four discoverable tells. Any single one of them would have stopped a careful reader. Our CEO is a careful reader. He just wasn’t reading carefully at 2:48pm on a Tuesday in the middle of board-prep week.
The click map
This is the slide that ended up on the projector the next morning, and the one that changed how our board talks about phishing risk. Click rate climbed monotonically with seniority and dropped monotonically with technical proximity to the email itself.
The leadership-vs-engineering inversion isn’t unusual when you look at the literature. KnowBe4’s industry benchmarking puts operations teams at 12% baseline susceptibility — the lowest department in their dataset — while marketing sits at 41% because their job involves clicking links from outside contacts. Engineering, when measured separately, tracks operations more closely than it tracks the company average.
What’s specifically interesting about senior staff isn’t their click rate as a category — research finds executives aren’t intrinsically more susceptible than other office workers — but their exposure. Data from 2024, referenced in multiple 2025 benchmarking studies, puts C-suite executives at the receiving end of targeted spear-phishing attempts in 62% of cases, with senior leaders 23% more likely to fall for AI-personalized attacks than other staff. They’re not bad readers. They’re high-value targets, hit with bespoke lures, while reading on phones between meetings.
The 134-second cascade
The CEO clicked at T+1m48s. Finance started clicking at T+8m. By T+22m, thirteen of fourteen leadership members had submitted credentials. IT noticed the first anomaly, an impossible-travel alert on an executive account, at T+2h14m, killed the pretext domain at the firewall, and forced a session reset across leadership.
That’s 134 seconds between first send and first credential capture, and 2 hours 14 minutes between first send and detection. For context, the 2025 Verizon Data Breach Investigations Report puts the median time-to-report for a real phishing email at 28 minutes — measured from first click to first user-reported alert. Our 134-second time-to-capture is meaningless on its own; what matters is the gap between capture and any defensive response.
In a real attack, credentials or a session token captured this way would have handed an adversary valid M365 access: inboxes, OneDrive, SharePoint, and any federated SaaS app the user could reach. Two hours of dwell time is enough to set up persistence, exfiltrate selected emails, and pivot. We had nothing in place that would have stopped that beyond IT’s manual eyeballing of an impossible-travel alert.
Why executives click more, structurally
The temptation after a result like this is to schedule another round of training, this time mandatory for leadership. We didn’t, because nothing about why our CEO clicked was about literacy. Four structural reasons explain why senior staff click more, not less, no matter how much awareness training they’ve completed:
Volume. Senior staff receive four-to-eight times more email than individual contributors. Inbox triage at that volume runs on pattern-matching against domain reputation and subject-line plausibility, not on close reading. A signature request from a familiar counterparty fits the pattern.
Pressure. Leaders make a fast decision every few minutes, all day. Phishing exploits the decide-and-move-on mode they operate in. The decision to click “review document” feels structurally identical to twenty other yes/no decisions they’ve already made that morning.
Privilege. They’re trained, organizationally, to clear blockers — not to second-guess requests that mention urgency from a known counterparty. “Partner signs tomorrow” reads as a normal scheduling note, not an alarm.
Assumption. They trust that filtering, the SOC, and the help desk have already vetted anything that reaches their inbox. If it cleared the spam filter, somebody upstream must have looked at it. Our SOC had looked at it. We were the SOC.
None of those four levers is moved by another training module. They’re properties of the job, not the person. Phishing isn’t a literacy problem at the top. It’s a workflow problem.
What shipped the week after
We delivered three controls inside seven days. None of them was more training.
The first control is the only one that genuinely matters in isolation. FIDO2 keys, properly enrolled, are resistant to the credential-capture flow our pretext used. The phished password is useless without the hardware token bound to that origin. If we’d had this in place on the day of the test, the CEO could have clicked and submitted with full enthusiasm and nothing would have happened. He still would have tried — and a real attacker would still have learned everything about him from the targeting reconnaissance — but the credential would not have been usable. This is the Adversary-in-the-Middle resistance that’s increasingly mentioned as the only category of MFA still robust against modern phishing kits.
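The origin binding that makes the phished password useless, shown as an added example (not the post's own code, and not DocuSign's): a simplified WebAuthn flow in which the browser only offers a credential to its registered RP ID, and the relying party rejects any assertion whose signed clientData names a different origin. The RP ID docusign.example and the HMAC stand-in for the authenticator's signature are assumptions; the lookalike domain is the one used in the exercise.

```python
import hashlib
import hmac
import json
import secrets
# Simplified model of WebAuthn/FIDO2 origin binding. The authenticator's
# asymmetric signature is stood in for by an HMAC with a per-credential secret
# so this runs on the standard library alone; a real RP holds only a public key.
REAL_RP_ID = "docusign.example"                 # constructed stand-in for the real service
PHISH_ORIGIN = "https://docu-sign-secure.com"   # the lookalike domain from the exercise

def rp_id_matches(rp_id: str, origin: str) -> bool:
    """Browser-side scoping: a credential registered for rp_id is only offered
    to pages whose host is rp_id or a subdomain of it."""
    host = origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)

class Authenticator:
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)      # stand-in for the private key

    def sign(self, rp_id: str, origin: str, challenge: bytes) -> dict:
        # The page origin goes into clientData, and clientData is under the signature.
        client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                                  "challenge": challenge.hex()}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        sig = hmac.new(self.key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return {"client_data": client_data, "auth_data": auth_data, "signature": sig}

def rp_verify(key: bytes, assertion: dict, expected_origin: str, challenge: bytes) -> bool:
    """Relying-party checks. Origin and rpIdHash are covered by the signature,
    so an assertion produced on a lookalike page cannot be relayed to the real site."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != expected_origin or cd.get("challenge") != challenge.hex():
        return False
    if assertion["auth_data"] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(key, to_sign, "sha256").digest(), assertion["signature"])

def attempt(origin: str, browser_scoping: bool = True) -> dict:
    """One login from a page at `origin`. The challenge is the real RP's, as an
    AitM proxy would relay it, so the origin is the only thing that differs."""
    auth = Authenticator()
    challenge = secrets.token_bytes(16)
    if browser_scoping and not rp_id_matches(REAL_RP_ID, origin):
        return {"offered": False, "accepted": False}   # browser never offers the key
    assertion = auth.sign(REAL_RP_ID, origin, challenge)
    accepted = rp_verify(auth.key, assertion, "https://" + REAL_RP_ID, challenge)
    return {"offered": True, "accepted": accepted}
```

Even with the browser-side scoping switched off (the `browser_scoping=False` case), the relying party still rejects the relayed assertion because the lookalike origin is inside the signed data.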
The second control is about reshaping the workflow so that the legitimate version of the action — “sign this thing” — doesn’t look like the phishing version. If signature requests always come through an internal queue and never as inbound external email, an external email asking for a signature is automatically suspicious regardless of how convincing it looks.
The third control is acceptance that prevention will fail and that detection is the production system, not the backup. Tighter session-anomaly thresholds on privileged accounts gave us a real shot at catching the second instance of this in minutes, not hours.
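The tighter session-anomaly threshold as an added example, not the post's own tooling: impossible-travel detection over constructed sign-in records, with a lower implied-speed bar for leadership accounts so that a trip which passes for a standard user is flagged for a privileged one. Account names, coordinates and the threshold values are assumptions.

```python
import math
from datetime import datetime

# Constructed sign-in records, not real telemetry: (user, UTC time, lat, lon).
SIGNINS = [
    ("ceo@example.com", "2025-03-11T14:47:00", 40.71, -74.01),   # New York
    ("ceo@example.com", "2025-03-11T14:50:00", 52.37,   4.90),   # Amsterdam, 3 min later
    ("cfo@example.com", "2025-03-11T14:00:00", 40.71, -74.01),   # New York
    ("cfo@example.com", "2025-03-11T15:30:00", 41.88, -87.63),   # Chicago, 90 min later
    ("ops1@example.com", "2025-03-11T14:00:00", 40.71, -74.01),  # same trip, standard tier
    ("ops1@example.com", "2025-03-11T15:30:00", 41.88, -87.63),
    ("eng1@example.com", "2025-03-11T09:00:00", 40.71, -74.01),  # New York
    ("eng1@example.com", "2025-03-11T17:30:00", 42.36, -71.06),  # Boston, 8.5 h later
]
PRIVILEGED = {"ceo@example.com", "cfo@example.com"}   # assumed leadership accounts
# Maximum plausible speed in km/h before a pair of sign-ins is flagged.
# Values are illustrative; the point is the lower bar for privileged accounts.
THRESHOLD_KMH = {"privileged": 300.0, "standard": 900.0}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def implied_speed_kmh(prev, cur):
    """Speed needed to travel between two consecutive sign-ins; inf if simultaneous."""
    hours = (datetime.fromisoformat(cur[1]) - datetime.fromisoformat(prev[1])).total_seconds() / 3600
    dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
    if hours <= 0:
        return math.inf if dist > 0 else 0.0
    return dist / hours

def detect_impossible_travel(events, privileged, thresholds=THRESHOLD_KMH):
    """Walk each account's sign-ins in time order and flag any consecutive pair
    whose implied speed exceeds the threshold for that account's tier."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(ev[0], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        tier = "privileged" if user in privileged else "standard"
        for prev, cur in zip(evs, evs[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > thresholds[tier]:
                alerts.append({"user": user, "tier": tier, "at": cur[1],
                               "speed_kmh": round(speed)})
    return alerts
```

The CEO's New York to Amsterdam pair is flagged under any threshold; the CFO's New York to Chicago pair (roughly 760 km/h) is flagged only because the account sits in the privileged tier, while the identical trip on ops1 is not.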
Frequently asked questions
Was this authorized? Did you get permission?
Yes. The board approved the test six weeks in advance. The CEO knew there would be tests; he didn’t know when, what the pretext would be, or what brand we’d impersonate. That’s standard for any internal red-team scope and the only configuration that produces honest results.
Doesn’t naming the CEO violate trust?
The CEO authored the all-hands note the next morning naming himself. He understood that the value of the exercise to the organization came from being honest about the outcome, including his role in it. We anonymized everything for external write-ups; internally, accountability ran top-down.
Should we just stop doing awareness training?
No. Training reduces click rates substantially — KnowBe4’s 2025 benchmarking shows an 86% reduction after twelve months of structured training. The point isn’t that training is worthless; it’s that training has a hard ceiling, that ceiling is structural, and the residual click rate from senior staff is high enough that the only engineering response is to make individual clicks harmless. Training plus phishing-resistant MFA is the floor, not training alone.
How did the all-hands go the next morning?
Quiet. The CEO led it. He showed the click map, named himself, and explained what we were shipping. There was no scolding of departments who clicked. The framing was: this is a workflow problem we’re going to engineer our way out of, not a literacy problem we’re going to retrain our way out of. Engagement on the new controls was higher than on any prior security initiative we’d run.
The verdict
Awareness training will plateau somewhere between 4% and 8% residual click rate even when it’s done well. That residual is concentrated in the most senior, highest-volume, most-targeted accounts in the organization. The accounts most likely to click are the accounts whose credentials are worth the most. No amount of additional training closes that gap, because the gap is a property of how senior leaders read email, not how well they’ve been taught to spot a phish.
Stop training people to spot the bad email. Start designing systems where clicking the bad email doesn’t matter.