All Collections
Initial setup
Explainer: Allowlisting, tracking and triaging in PHISH
Explainer: Allowlisting, tracking and triaging in PHISH

Understand how to allowlist, track and triage CybSafe phishing emails

Robert Shough avatar
Written by Robert Shough
Updated yesterday

Allowlisting simulated phishing emails

To make sure our simulated phishing emails reach your users, you need to arrange for the following IP address and domain to be allowlisted in your mail servers (you may need your IT department to enable this):

IP / / Simulated Phishing attacks

If you are using a mail filter, both your email solution and inbound gateway (Filter) needs to be allowlisted.

For more information about allowlisting, click here.

Tracking simulated phishing emails

CybSafe phishing tracks the "opens" of an email using a unique hidden image pixel to record an open event. This however has some technical limitations:

  • It will vary amongst mail clients and configuration, but if "automatically download external images" is disabled or blocked, then an open event is not captured.

  • Some inbound mail gateways open images automatically to scan the contents. We do implement algorithms to reduce the impact of this where possible.

We use email service SendGrid to track email opens, clicks and bounces. Our simulated phishing emails contain non-copyright brands, with non-offensive content. 

The sender domain will always be but with a spoofed <from> address.

example of cybsafe phishing sender

The tracking url will always contain from SendGrid, where only CybSafe are authorised to use this subdomain. For secure use in an allow list, we recommend to include the subdomain:

CybSafe do not send file attachments in emails.

Users may be encouraged to enter data as part of the phishing simulation. CybSafe will only capture the metadata surrounding the event, at no stage is input data recorded, analysed or retained in any way. Users who click through a phishing email are redirected to a learning page that provides information on the simulated attack and advice on how to avoid similar attacks in the future.

Triage advice

In addition to the allow list of domains/IP addresses, CybSafe emails always contain HTML with the following signature (note this is an example, the ID is unique to the email):

<div title="cs-unique-ref:1b54b04f-80fc-47d3-b474-702167740795;">

The HTML shown in BOLD will always be present, so email triage can be automated with an HTML body search for “cs-unique-ref”.

Useful resources

Did this answer your question?