Over the past years I've noticed a growing trend with enterprise email filtering solutions, they have become very good at filtering out spam and phishing attacks.  In fact, I would dare say they are becoming too good, it is now standard behavior for employees to go into their junk email boxes or spam quarantines several times a week to find and retrieve legitimate email.  We have become so focused on filtering out bad email that we are beginning to filter out good email to, and as a result, people are changing their behaviors and expect to find legitimate emails in their spam boxes. If you are running an active phishing campaigns within your organization, keep this changing behavior in mind.  Instead of just sending phishing emails to peoples' Inbox, why not  have your email filters catch them on purpose, and put those phishing tests in employees junk or spam quarantine folders?  This way you reinforce the behavior that people need to be careful of any email they read, regardless where the email is found. Just ask the folks at RSA :)