Explainer: Getting started with CybSafe PHISH

All you need to know about CybSafe's simulated phishing feature

Written by Ben Robinson
Updated over a week ago

Core concepts

Template: content for emails, landing and intervention pages that is dynamically populated with user specific data and tracking when the simulation is sent.

Simulation: the combination of email and landing page used to simulate a phishing attack and educate users when they perform high risk behaviours.

Phishing email: the simulated phishing content sent to the user’s inbox with a link through to the assigned landing page.

Landing page: the web page that tests for high risk behaviour, like submitting account details.

Intervention page: the web page explaining that the user has fallen for a simulated phishing attack and how to improve next time.

Template library: collection of templates.

Customisation: modifying an existing template or creating your own from scratch.

Fire & forget: a template setting that adds or removes templates from a large pool that the scheduler can randomly select from.

For more information on running phishing campaigns, why not check out our article on The CybSafe way to PHISH [LINK]


Allowlisting simulated phishing emails

To make sure our simulated phishing emails reach your users, you need to arrange for the following IP address and domain to be allowlisted in your mail servers (you may need your IT department to enable this):

IP address: 167.89.33.127 | Domain: cs-mail-sender.com | Purpose: simulated phishing attacks

If you are using a mail filter, both your email solution and your inbound gateway (filter) need to have the allowlist applied.

For more information about allowlisting, click here.


What can you do with CybSafe PHISH?

For more information on creating phishing campaigns, visit the 'Phishing campaign creation' article here.


Advanced campaign settings

By selecting “Advanced” you have the option of customising your campaign further still:

Here you can set the Campaign period, a start and end date for when you want your campaign to run. You can also set the hours in which you want the phishing emails to go out.

Please note that currently these times are for GMT only, so adjust accordingly for your time zone.

Specific groups can also be chosen to be enrolled in a campaign. If selected then only the chosen groups will receive phishing emails.

For more information on how to set up groups check out our article on Group Management.

Finally, you have the option to turn on custom email selection. If this is turned on then you will be able to select which phishing emails you want to include in a specific campaign.

Simply select which emails to include with the checkbox and select “add to campaign”. The chosen emails will then appear on the right hand menu under “Campaign templates”.

To assist you in selecting, you are able to preview both the email itself and the simulated attack website.


PHISH activity log

The 'Activity log' tab reveals information on simulated phishing activity. It shows when simulations were sent. It shows to whom simulations were sent. It shows simulation subject lines. And it shows if and how users responded.

You can filter emails by status too. Here is a full list of each status an email can have and what they mean:

  • Processed - Requests from CybSafe that have been processed.

  • Clicks - Whenever a recipient clicks one of the Click Tracked links in a CybSafe email.

  • Delivered - The accepted response generated by the recipients' mail server.

  • Opens - The response generated by a recipient opening a CybSafe email.

  • Deferred - The recipient mail server asked to stop sending CybSafe emails so fast.

  • Unsubscribe - Whenever a recipient unsubscribes from CybSafe emails.

  • Drops - Dropped emails occur when the contact on a CybSafe email is in one of our suppression groups, an email has previously bounced, or the recipient has marked CybSafe emails as spam.

  • Bounces - The receiving server could not or would not accept the email. If a recipient has previously unsubscribed from CybSafe emails, our attempt to send to them is bounced.

  • Spam Reports - Whenever a recipient marks CybSafe emails as spam and their mail server tells us about it.


Advanced simulated phishing information

Tracking simulated phishing emails

CybSafe phishing tracks the "opens" of an email using a unique hidden image pixel to record an open event. This, however, has some technical limitations:

  • It will vary amongst mail clients and configuration, but if "Automatically download external images" is disabled or blocked, then an open event is not captured.

  • Some inbound mail gateways open images automatically to scan the contents. We do implement algorithms to reduce the impact of this where possible.

We use the email service SendGrid to track email opens, clicks and bounces. Our simulated phishing emails contain non-copyright brands, with non-offensive content.

The sender domain will always be cs-mail-sender.com but with a spoofed <from> address.

The tracking URL will always contain https://u6197305.ct.sendgrid.net from SendGrid, where only CybSafe are authorised to use this subdomain. For secure use in an allow list, we recommend including the subdomain: u6197305.ct.sendgrid.net

CybSafe do not send file attachments in emails.


Users may be encouraged to enter data as part of the phishing simulation. CybSafe will only capture the metadata surrounding the event; at no stage is input data recorded, analysed or retained in any way. Users who click through a phishing email are redirected to a learning page that provides information on the simulated attack and advice on how to avoid similar attacks in the future.


Triage advice

In addition to the allow list of domains/IP addresses, CybSafe emails always contain HTML with the following signature (note this is an example, the ID will change):

<div title="cs-unique-ref:1b54b04f-80fc-47d3-b474-702167740795;">

The HTML shown in BOLD will always be present, so email triage can be automated with an HTML body search for “cs-unique-ref”.
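
One way to automate the body search described above, as an added example that is not CybSafe's own code: it MIME-decodes a reported email, looks for the "cs-unique-ref" marker and for a link on the SendGrid tracking subdomain named earlier, and only auto-classifies when both are present. The function names, the sample messages and the two-indicator policy are assumptions made for this example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Both indicators come from the article; the verdict names are this example's own.
MARKER_RE = re.compile(r'title="cs-unique-ref:([^;"]+);"')
TRACKING_HOST = "u6197305.ct.sendgrid.net"
HREF_RE = re.compile(r'href="https://([^/"\s]+)', re.I)

def triage(raw_email: str) -> dict:
    """Classify one reported email using the decoded HTML body, not the raw source."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part is not None else ""  # undoes base64 / quoted-printable
    marker = MARKER_RE.search(html)
    hosts = {h.lower() for h in HREF_RE.findall(html)}
    tracked = TRACKING_HOST in hosts
    if marker and tracked:
        verdict = "simulation"        # both indicators agree: close as a CybSafe test
    elif marker or tracked:
        verdict = "review"            # the marker is plain body text, so one hit goes to an analyst
    else:
        verdict = "not-simulation"    # handle as a genuine user report
    return {"ref": marker.group(1) if marker else None,
            "tracking_link": tracked, "verdict": verdict}

def build_sample(html: str) -> str:
    """Build a constructed test message (not a captured CybSafe email)."""
    m = EmailMessage()
    m["From"] = "it-support@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Password expiry"
    m.set_content("plain text part")
    m.add_alternative(html, subtype="html")
    return m.as_string()

# Constructed samples; the ID is the example value shown in the article.
DIV = '<div title="cs-unique-ref:1b54b04f-80fc-47d3-b474-702167740795;">'
SIM = build_sample(DIV + '<a href="https://u6197305.ct.sendgrid.net/constructed">Reset</a></div>')
MARKER_ONLY = build_sample(DIV + '<a href="https://login.example.net/reset">Reset</a></div>')
OTHER = build_sample('<p><a href="https://login.example.net/reset">Reset</a></p>')

if __name__ == "__main__":
    for name, raw in (("SIM", SIM), ("MARKER_ONLY", MARKER_ONLY), ("OTHER", OTHER)):
        print(name, triage(raw))
```

Searching the decoded HTML part matters because mail software commonly transfers long HTML lines as quoted-printable or base64, where a search of the raw message source would miss the marker.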
