I'm certain that someday I'm going to be dinged on a really shallow kind of work security test because I decided to investigate a link into a sandbox/honeypot environment.
These phish testing companies always stick a header (X-PHISH-TEST or some such) on the email so the email server can white-list -- easy to just Outlook blackhole filter anything with that header after you've seen one test.
What stops an attacker from abusing the same header?
It could be kinda-secure if the header had to have a payload which matched a certain value pre-approved for a time-period. However an insider threat could see the test going on and then launch their own campaign during the validity window.
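The time-limited header value suggested in the last comment, sketched as a mail-gateway check (an added example, not part of the original thread). The `campaign:window:mac` token format, the HMAC-SHA256 construction, the one-hour window and the key are all assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW_SECONDS = 3600  # assumed length of one validity window


def _mac(key: bytes, campaign: str, window: str) -> str:
    return hmac.new(key, f"{campaign}|{window}".encode(), hashlib.sha256).hexdigest()


def make_token(key: bytes, campaign: str, now: float) -> str:
    """Header value the test vendor would send for the window containing `now`."""
    window = str(int(now // WINDOW_SECONDS))
    return f"{campaign}:{window}:{_mac(key, campaign, window)}"


def is_approved_test(key: bytes, header_value, now: float) -> bool:
    """Allowlist only when the header carries a valid token for the current window.

    Presence of the header alone never passes, so a sender who merely
    copies the header name gains nothing.
    """
    if not header_value:
        return False
    parts = header_value.strip().split(":")
    if len(parts) != 3:
        return False
    campaign, window, mac = parts
    if not (window.isascii() and window.isdigit()):
        return False
    if int(window) != int(now // WINDOW_SECONDS):
        return False  # token is for a window that has passed or not yet begun
    # Constant-time comparison on bytes; tolerates arbitrary header content.
    return hmac.compare_digest(_mac(key, campaign, window).encode(), mac.encode())


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed sample key
    t0 = 1_700_000_000.0            # constructed timestamp
    token = make_token(key, "q4-test", t0)
    print(is_approved_test(key, "1", t0))            # bare header value
    print(is_approved_test(key, token, t0))          # valid token, in window
    print(is_approved_test(key, token, t0 + 3600))   # same token, next window
```

A token copied from an observed test message still verifies until its window ends, which is the insider limitation the comment raises; this check only closes the case where the header name or a stale value is reused.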