We did a similar phishing attempt in my previous company, which had a bit more technical background than gitlab.

From the 200 people, only one gave up his credentials. from marketing, as expected. We don't let them near anything important anyway.