Guerrilla Security Awareness Done Right; Hacking Your CISO's Phishing Simulation (WHY2025)

Ever received a phishing simulation so painfully obvious it offended your intelligence? This talk is for you. Join us as we turn the tables on corporate security theater and show how you can phish back, with humor, skill, and plausible deniability. Learn how to fingerprint your company’s phishing campaigns, spoof the spoofers, and maybe even get your CISO to click a link labeled “Definitely Not Malware.exe.” This talk is part satire, part technical walkthrough, and all rebellion. Corporate phishing simulations are broken. You know it, I know it. And yet, every quarter, some overfunded awareness campaign lands in your inbox with all the subtlety of a Nigerian prince. The goal? To test whether you're “cyber aware.” The result? A war of attrition between InfoSec and the click-happy masses. But what if we made visible what these simulations actually prove? In this talk, we explore how to recognize and hack your organization's phishing simulations. Without getting fired (probably, no guarantees). From fingerprinting CISO-run campaigns using SPF records, consistent sender patterns and timing, to launching your own “counter-phishing” emails that prove how absurd the entire exercise is. We’ll walk through real-world tactics for flipping the script: phishing the phishers, automating chaos, and pushing back against checkbox security culture. All with a healthy dose of satire, social engineering, and plausible deniability. If you’ve ever wanted to troll your security team for a good cause, this one’s for you. Just don’t click the link in the description. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/QX3G3G/