PhishSim Reply Tracking

Introduction

A Business Email Compromise (BEC) attack involves requesting a direct email reply (generally containing some type of information related to a business) and does not require a victim to click on any links. Infosec allows admins to track if their learners respond back to these types of emails. While reply tracking is intended for use with BEC templates, it can be enabled and used in conjunction with any template type.

There are also advanced settings that allow you to see if the reply matches a certain pattern, or to store the reply for up to 14 days. This article will discuss the different setting options and how an admin can view the results.

Note: Reply tracking cannot be used when spoofing an email sending domain.

Campaign Settings

In the PhishSim Campaign Creator, there is a section labeled Learner Replies where an admin can enable reply tracking for that specific campaign. When the box is checked, the admin will be able to see if a learner responded to the email in the campaign reports. There are also advanced options that an admin can enable:

Match Patterns

If an admin plans to send out a BEC attack to see whether the learner responds with sensitive information, but doesn’t want to see the actual response, this is the best option: it shows whether the information shared matches a certain pattern without revealing it. There are some pre-built expression options available; otherwise, an admin can add a custom string.

For example, let’s say an admin selects a template that is requesting credit card information from the learner. An admin can select Match Patterns and specify that they want to know if the learner shares a credit card number:

With this option selected, an admin can see in reports if a learner entered a pattern that matches the credit card expression, without seeing the actual credit card number.

Store Reply for 14 Days
This option will enable an admin to view the learner’s actual response in the campaign details. The admin can delete the reply after viewing; otherwise, it will be automatically deleted after 14 days.

No Additional Action
This option is enabled by default. When selected, an admin can only see if a learner has responded to an email in reports.

Viewing Results

An admin can view the results of their campaign in the campaign details and other reports available in Infosec IQ. Whether a learner replied, and what they replied with, can be found in the campaign details:

  1. Navigate to the PhishSim dropdown menu and select Campaigns
  2. Hover over the campaign of interest, and select details
  3. Click on the bar graph next to the overall phished rate percentage
  4. Click on Email Status to sort alphabetically to find either:
    • Replied
    • Matched Pattern
  5. To view the reply or what pattern was matched, click on the email status
    Example of Matched Pattern:

    Example of Store Reply for 14 Days:

Vacation Responses

Automatically generated responses such as vacation or “out of office” messages will not be counted against reply tracking as long as one of the following conditions is met:

  • The email header X-Autoreply is present.
  • The email header auto-submitted is equal to auto-replied.
  • The email header auto-submitted is equal to auto-generated.
  • The email subject contains out of office or automatic reply (case-insensitive).
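
The four conditions above can be expressed as a small classifier, which is useful for predicting how a given mail system's auto-replies will be treated before launching a campaign. This is an added example, not Infosec's own code; the function and sample names are hypothetical, the sample messages are constructed, and comparing the auto-submitted value without regard to case or surrounding whitespace is an assumption.

```python
from email import message_from_string
from email.header import decode_header, make_header

# Values and subject phrases taken from the conditions listed above.
AUTO_SUBMITTED_VALUES = {"auto-replied", "auto-generated"}
SUBJECT_MARKERS = ("out of office", "automatic reply")


def is_auto_reply(raw_message: str) -> bool:
    """Return True if the message meets any of the four documented conditions."""
    msg = message_from_string(raw_message)  # header name lookup is case-insensitive
    # Condition 1: X-Autoreply only has to be present; its value is ignored.
    if msg.get("X-Autoreply") is not None:
        return True
    # Conditions 2 and 3: auto-submitted equals auto-replied or auto-generated.
    # Assumption: the value is compared ignoring case and surrounding whitespace.
    if (msg.get("Auto-Submitted") or "").strip().lower() in AUTO_SUBMITTED_VALUES:
        return True
    # Condition 4: subject contains either phrase, case-insensitively.
    # RFC 2047 encoded words are decoded first so encoded subjects still match.
    subject = str(make_header(decode_header(msg.get("Subject", "")))).lower()
    return any(marker in subject for marker in SUBJECT_MARKERS)


def _build(headers: dict) -> str:
    """Assemble a minimal raw message from a header dict (constructed test data)."""
    return "".join(f"{k}: {v}\n" for k, v in headers.items()) + "\nbody text\n"


# Constructed sample replies, one per condition plus two that must still count.
SAMPLES = {
    "human_reply": _build({"Subject": "Re: Wire transfer request"}),
    "x_autoreply": _build({"Subject": "Re: Wire transfer request", "X-Autoreply": "yes"}),
    "auto_replied": _build({"Subject": "Re: Invoice", "auto-submitted": "auto-replied"}),
    "auto_generated": _build({"Subject": "Re: Invoice", "Auto-Submitted": "auto-generated"}),
    "subject_ooo": _build({"Subject": "OUT OF OFFICE: back Monday"}),
    "subject_encoded": _build({"Subject": "=?utf-8?q?Automatic_reply=3A_Invoice?="}),
    "auto_submitted_no": _build({"Subject": "Re: Invoice", "Auto-Submitted": "no"}),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} excluded_from_tracking={is_auto_reply(raw)}")
```

Any reply for which this returns False would be counted as a learner reply, so an auto-responder that sets none of these headers and uses a localized subject line will show up as Replied in reports.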
