Phish tests need to be fair to people who actually understand something about security.
"Opening an email" is not actually an issue (spearphishers that sit on drive-by 0-days in current browsers or email programs are not a threat model that most orgs can possibly defend against). Opening attachments is hard to measure and again needs context: What kind of software and sandbox was the attachment opened with? Attackers using some ancient forever-day word processor exploit is realistic. Attackers sitting on fully patched VM outbreaks is unrealistic. If the used VM has unimpeded network access, then the attacker needs no VM outbreak. If the target opens a phish link in a current browser, but then refuses to enter valid credentials (because the user is wary), then the user can be argued to have passed the phish test.
If you make failure fireable, then you need to demonstrate that the victim was actually successfully phished.
If failure requires remedial training, then you can afford a high false positive rate: Clueless victims learn not to click on links, and sophisticated "victims" get to talk with a security person about why their action was dangerous or harmless, and in accordance or in violation of policy.
This definitely needs to be considered. I open WSL and use curl on suspicious looking email links. I've been logged as doing so before. I'd hate for that log to actually go somewhere significant.
It might be worth considering carefully how safe the practice of opening essentially random email links might be. Are you opening the links with a full suite of forensic measures in place, or are you dropping curl $URL into your terminal on your workstation? It looks like WSL isn't exactly a sandbox. It does seem to already be used by some malware: https://research.checkpoint.com/beware-bashware-new-method-m...
In a world with drive-by exploits and where opening a link leaks information, it perhaps could be considered unsafe to open essentially random links from emails. I've definitely worked with developers who seem to believe that curl is magical and inures them against every possible attack.
Curiosity is a wonderful thing! It's just sometimes it can be dangerous to a person and to the people around them. It might not be a bad thing for people to learn a smidge of caution.
One of the best policies I ever witnessed: There was a second guest network with internet and nothing else for guests/consultants and Facebook/Twitter/porn (the company just paid for internet twice). Employees had a second crappy machine connected to the isolated guest network for this purpose.