my entire angle here was simply:
"if we're not phshing people with what they NORMALLY get hit by, we're doing them a disservice and training them to freak out on false positives, or whatever bogus nonsense got dreamed up by someone who doesnt actually deal with phishing IR all day. we need to be as close to real attackers as possible"