The Notification
On the security alert, and the twenty years of phishing that cloned its template.
In the summer of 2023, Congressman Don Bacon received an email from Microsoft telling him to change his password. He did not click the link. He navigated to Microsoft’s portal independently, authenticated through a channel he trusted, and changed his password there. The email looked like phishing to him.
It was not a near miss. It was Microsoft’s real notification of a real breach. About two months later, the FBI confirmed it. The intrusion had originated inside Microsoft’s infrastructure. Bacon’s account had been compromised before the notification arrived.
The cybersecurity industry reads this as a near miss. He got lucky. He instinctively did the right thing.
That is the wrong read. Bacon did not get lucky. He did exactly what twenty years of security-awareness training taught him to do. Do not click unsolicited links. Go around the link. Authenticate independently. Even if the email looks legitimate, even if it claims to come from a vendor you know, even if the tone is urgent.
He followed the training perfectly, and it did not protect him. Bacon said so himself: “The CCP hackers utilized a vulnerability in the Microsoft software, and this was not due to ‘user error.’”
Microsoft’s victim-notification email contained almost every feature security-awareness training teaches workers to treat as a red flag: an urgent subject line, numbered action items, multiple links to click, and language telling users to “secure your account immediately.” The reason it looks like phishing is that phishing spent twenty years cloning exactly this template. The mimicry was so successful that the original became suspect. Microsoft’s notification design did not evolve. The same template phishing had cloned a million times remained the official channel for telling real victims about real breaches.
The Cyber Safety Review Board’s report on the incident notes, almost as an aside, that “some victims told the FBI that they viewed authenticator application notifications as possible spam and disregarded them.” These were not undertrained employees failing a security quiz. They were people responding rationally to a notification design that had become indistinguishable from the threat it was warning about.
By the time the FBI confirmed Bacon’s breach, a five-agency interagency response – State, Commerce, CISA, the Justice Department, and the FBI – was already in operation to notify identified account holders because Microsoft’s automated notifications were not reliably reaching them. The federal government deployed a multi-agency task force to do what the vendor’s notification system was supposed to do on its own.
The reflex move is to find a training fix. Train people to recognize legitimate vendor notifications. Give them a way to tell the real ones from the fakes. But what is the difference? The CSRB found none that a trained user could reliably identify. Training cannot teach a distinction the system has erased.
The right lesson is about who erased it.
For two decades, the security industry has treated phishing as a workforce problem. Train them harder. Train them more often. Run simulated phishing tests. This framing has been extraordinarily convenient for vendors, because it locates the failure in the employee and absolves the design team. Notifications still ask users to click links because clicking links is the easiest way to prompt action, and the cost of that ease falls on the workforce. Notifications are easy to clone because they were never designed to resist cloning.
Microsoft sends notifications that look like phishing because Microsoft has not been required to invest in notifications that look like anything else. The CSRB also found that Microsoft could not determine how the signing key the attackers used was obtained. The root cause of the breach remains unknown to the company that was breached.
If you run security-awareness training—through a vendor, internally, any format—this case belongs in it. Not as a story about a congressman who got lucky. As a story about what your training is actually up against.
Your training is correctly teaching your workforce to be skeptical of unsolicited security notifications. That skepticism is being deployed against a system the vendors have not updated to be distinguishable from the threats it warns about. The training is doing its job. The system is not.
Don Bacon did everything the training asked. He still got breached. The training was not the problem. The design was. And the cost of not solving it keeps falling on the people who had nothing to do with creating it.