Advanced simulated phishing information
Written by Robert Shough
Updated over a week ago

At CybSafe, we take an intelligent approach to phishing simulations. CybSafe simulated attacks use algorithms to serve automated but personalised phishing emails, in order to understand the strengths and weaknesses of every person in an organisation.

Provided that the phishing functionality is turned on, CybSafe will periodically send phishing emails to individuals registered on the platform. CybSafe administrators can determine how many emails are sent within a given time period.

Tracking simulated phishing emails

CybSafe phishing tracks the "opens" of an email using a unique hidden image pixel to record an open event. This, however, has some technical limitations:

  • Behaviour varies between mail clients and configurations, but if "automatically download external images" is disabled or blocked, then an open event is not captured.

  • Some inbound mail gateways open images automatically to scan the contents. We do implement algorithms to reduce the impact of this where possible.

We use the email service SendGrid to track email opens, clicks and bounces. Our simulated phishing emails contain non-copyright brands, with non-offensive content.

The sender domain will always be but with a spoofed <from> address.


The tracking url will always contain from SendGrid, where only CybSafe are authorised to use this subdomain. For secure use in an allow list, we recommend to include the subdomain:

CybSafe do not send file attachments in emails.

Users may be encouraged to enter data as part of the phishing simulation. CybSafe will only capture the metadata surrounding the event; at no stage is input data recorded, analysed or retained in any way. Users who click through a phishing email are redirected to a learning page that provides information on the simulated attack and advice on how to avoid similar attacks in the future.

Triage advice

In addition to the allow list of domains/IP addresses, CybSafe emails always contain HTML with the following signature:

<div title="cs-unique-ref:1b54b04f-80fc-47d3-b474-702167740795;">

The HTML shown in BOLD will always be present, so email triage can be automated with an HTML body search for “cs-unique-ref”.
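
One way to automate that body search, as an added example (not CybSafe's own code): it decodes each text/html MIME part before matching, because a byte search over the raw message misses the marker when the body is base64-encoded. The function names, sample sender and sample messages are constructed for illustration; the UUID is the article's sample value. A match only identifies the marker, so pair it with the sender allow list mentioned above before closing a report automatically.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Pattern modelled on the article's sample: <div title="cs-unique-ref:<uuid>;">
MARKER = re.compile(
    r'title\s*=\s*["\']cs-unique-ref:'
    r'([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12});',
    re.IGNORECASE,
)


def find_simulation_ref(raw_message: bytes):
    """Return the cs-unique-ref UUID found in a text/html part, else None."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        try:
            # get_content() reverses base64 / quoted-printable encoding,
            # which a byte search over the raw message would not see through.
            html = part.get_content()
        except LookupError:  # unknown charset declared by the sender
            continue
        match = MARKER.search(html)
        if match:
            return match.group(1).lower()
    return None


def build_sample(html: str, cte: str = "base64") -> bytes:
    """Build a constructed test message (not a real CybSafe email)."""
    m = EmailMessage()
    m["From"] = "it-support@example.test"  # placeholder sender
    m["To"] = "user@example.test"
    m["Subject"] = "Password expiry notice"
    m.set_content("Plain-text alternative.")
    m.add_alternative(html, subtype="html", cte=cte)
    return m.as_bytes()


ARTICLE_DIV = '<div title="cs-unique-ref:1b54b04f-80fc-47d3-b474-702167740795;">'
SIMULATED = build_sample(f"<html><body>{ARTICLE_DIV}Hello</div></body></html>")
UNMARKED = build_sample("<html><body><div>Hello</div></body></html>")

if __name__ == "__main__":
    print("simulated:", find_simulation_ref(SIMULATED))
    print("unmarked: ", find_simulation_ref(UNMARKED))
```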


Still have questions?

If you still have questions, you can contact the CybSafe team via We’re on hand to help resolve any further issues!
