Explainer: How PHISH tracks opens & clicks

Understand how we track CybSafe phishing emails

Written by Robert Shough
Updated over a week ago

Tracking simulated phishing emails

CybSafe phishing tracks the "opens" of an email using a unique hidden image pixel to record an open event. This, however, has some technical limitations:

  • Behaviour varies between mail clients and configurations, but if "automatically download external images" is disabled or blocked, then an open event is not captured.

  • Some inbound mail gateways open images automatically to scan the contents. We do implement algorithms to reduce the impact of this where possible.

The sender domain will always be cs-mail-sender.com but with a spoofed <from> address.

From June 20th 2024:

The sender domain will always be email.cs-mail-sender.com but with a spoofed <from> address.

[Image: example of a CybSafe phishing sender]

Emails contain a tracking URL which uses the domain: https://u6197305.ct.sendgrid.net/

From June 20th 2024 this is changing to: https://l.cs-mail-sender.com
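
When triaging a reported message, the sender and tracking values above can be compared mechanically. The following Python is an added example, not CybSafe code; it assumes the sender domain is the envelope sender recorded in the Return-Path header, and the sample messages and their paths are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains and hosts as stated in this article (before and after June 20th 2024).
SENDER_DOMAINS = {"cs-mail-sender.com", "email.cs-mail-sender.com"}
TRACKING_HOSTS = {"u6197305.ct.sendgrid.net", "l.cs-mail-sender.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def triage(raw_message):
    """Compare a raw RFC 5322 message with the article's sender and tracking values."""
    msg = message_from_string(raw_message)
    # Assumption: the "sender domain" is the envelope sender recorded in Return-Path.
    # The From header is spoofed by design, so it is not consulted.
    _, address = parseaddr(msg.get("Return-Path", ""))
    sender_ok = address.rpartition("@")[2].lower() in SENDER_DOMAINS
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                host = urlparse(url).hostname
            except ValueError:  # malformed bracketed host
                continue
            if host:
                hosts.add(host.lower())
    # Exact host comparison: a suffix or substring match would accept lookalikes.
    tracking = hosts & TRACKING_HOSTS
    return {"sender_ok": sender_ok, "tracking_hosts": tracking,
            "other_hosts": hosts - TRACKING_HOSTS,
            "matches_article": sender_ok and bool(tracking)}

# Constructed sample messages (not real CybSafe emails).
SIMULATION = "\n".join([
    "Return-Path: <bounce@email.cs-mail-sender.com>",
    "From: IT Helpdesk <helpdesk@corp.example>",
    "Subject: Password expiry",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<a href="https://l.cs-mail-sender.com/CONSTRUCTED-PATH">Reset</a>',
])
LOOKALIKE = SIMULATION.replace("cs-mail-sender.com", "cs-mail-sender.com.invalid-host.example")

if __name__ == "__main__":
    for name, raw in (("simulation", SIMULATION), ("lookalike", LOOKALIKE)):
        print(name, triage(raw))
```

A match is a triage hint only: header values can be forged, so weigh it together with your mail gateway's SPF and DKIM results.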

We do not send file attachments in emails.

Users might encounter a simulation that asks for data as part of the phishing simulation, over an encrypted HTTPS connection. CybSafe will only capture the metadata surrounding the event; at no stage is user-inputted data recorded permanently, analysed or retained in any way. Users who click through a phishing email are redirected to a learning page that provides information on the simulated attack and advice on how to avoid similar attacks in the future.