Inspired by this post, I just created a phishing test for my staff with a malicious URL in a “report this as spam” link, complete with a required training for those who click the link.