The email you clicked was a controlled training exercise sent by Highway's security team. No credentials were captured and no systems were compromised — but in the wild, this is exactly how it happens.
This is a learning moment, not a write-up. Everyone clicks something eventually — that's why we run these. Spend a few minutes below and you'll be harder to fool next time.
Hi team,
The new co-branded MBS Highway × ListReports flyer for the May Monthly Housing Report is ready for your sign-off. Leadership wants this approved and out the door by end of day Friday so Loan Originators and Agents can start sharing it over the weekend.
I've uploaded the latest draft (v4-FINAL) to our shared review folder. Please open it, leave inline comments, and re-authenticate with your Highway portal credentials so the system can log your approval against your name4.
👉 [Open Co-Marketing Review — highway-portal.docs-share.co3]
A few quick notes:
If you have any issue's6 accessing the document, reply to this email and I'll resend the link.
Thanks for the quick turnaround!
Our real domain is highway.ai. Attackers register cheap lookalikes — extra hyphens, different TLDs (.co instead of .ai), or character swaps (rn vs m). Always inspect the part after the @ symbol, not just the display name.
Misspelled in both the from-line and the signature. Internal teams configure their display names once and reuse them — typos in a recurring sender name are unusual. Same goes for "Janelle R." with no last name and no phone.
Hover before you click. Highway document review happens on highway.ai or www2.highway.ai — never a generic "docs-share" subdomain. The trick is putting "highway-portal" as a subdomain of someone else's site, which is what the dot-share-dot-co tail tells you.
This is the big one. Legitimate doc shares (Google Drive, SharePoint, internal review tools) use your existing SSO session — they don't ask you to re-type your password to "log your approval." Any unexpected credential prompt should make you stop.
"ACTION REQUIRED," "by end of day Friday," "leadership wants this." Urgency is the phisher's favorite lever — it short-circuits the part of your brain that would otherwise check the sender domain. Real internal deadlines come with context, not pressure.
"Verifie," "quater," "issue's" (rogue apostrophe), "confidental." Marketing Operations sends polished copy for a living — they don't ship four typos in a six-paragraph email. Polished phishes exist, but sloppy ones are easy wins if you're paying attention.
No last name, no phone number, no Slack handle, no team alias. Real Highway employees sign with full names and contact info. When a sender is hard to verify out-of-band, that's the point — they don't want you calling to check.
Mass-blast phishes can't personalize. Internal marketing notes to specific reviewers would address you by name or team. "Hi team" sent to your individual inbox — without you being on a known distribution list — is a small but real tell.
Forward suspected phishing emails to security@highway.ai or use the "Report Phish" button in your mail client. Reporting fast is the single best thing you can do — it lets us protect everyone else before they click.