HowTo: Understand CyberHoot AttackPhish Field Definitions and Training Workflow

1st September 2025 | HowTo, MSP, Platform, Technology

This document explains how CyberHoot AttackPhish populates the various tracking fields when running phishing simulations. It defines the user actions that trigger each status and describes when additional training is assigned.

Field Definitions

Email Sent

  • Indicates the phishing simulation email has successfully been delivered to the recipient’s inbox.
  • This status does not confirm that the user has seen the email, only that the mail server accepted delivery.

Email Opened

  • Tracked when the recipient’s email client loads the hidden tracking pixel embedded in the phishing message.
  • If the reading pane is enabled in Outlook or another client that auto-loads images, simply previewing the email counts as “opened.”
  • If images are blocked and not downloaded, the system may not register an open, even if the email is viewed.

Clicked Link

  • Populates when the recipient clicks on the phishing link embedded in the email.
  • This action shows the user took the bait and attempted to interact with the malicious content.

Submitted Data

  • Indicates the recipient not only clicked the phishing link, but also entered information into the landing page (for example, username and password, or any requested form fields).
  • This represents a full compromise scenario where the user fell for the phish completely.

Training Assignment

CyberHoot automatically assigns remedial training when users demonstrate risky behavior:

  • Clicking a phishing link
  • Submitting data on the phishing page

Simply opening the email does not trigger training, since users may preview messages in the normal course of work.

Training is assigned as a short, targeted awareness assignment, reinforcing how to spot phishing attempts and reminding users not to click or submit information.

Key Notes

Metrics may underreport “opens” if users block image loading in their mail client.

Clicking a link is the most reliable indicator of risky behavior, since it requires an intentional user action.

Submitted data represents the most severe failure point and is treated as a critical incident for awareness training.
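
As an added example (not CyberHoot's code or export format), the script below applies the rules above to a constructed event list: it derives each recipient's highest status, decides whether remedial training is due, and flags clicks that have no recorded open, which is where blocked images cause "opens" to be underreported. The event names, record layout and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: (recipient, event) pairs. Layout is an assumption.
EVENTS = [
    ("alice@example.com", "sent"),
    ("alice@example.com", "opened"),      # previewed only, no click
    ("bob@example.com", "sent"),
    ("bob@example.com", "clicked"),       # click with no open: images were blocked
    ("carol@example.com", "sent"),
    ("carol@example.com", "opened"),
    ("carol@example.com", "clicked"),
    ("carol@example.com", "submitted"),
    ("dave@example.com", "sent"),         # delivered, no further activity
]

# Ordered from least to most severe, following the field definitions.
SEVERITY = ["sent", "opened", "clicked", "submitted"]
# Only these actions lead to remedial training; an open alone does not.
TRAINING_TRIGGERS = {"clicked", "submitted"}


def summarize(events):
    """Return per-recipient status, training decision and open-tracking gaps."""
    seen = defaultdict(set)
    for recipient, event in events:
        seen[recipient].add(event)

    report = {}
    for recipient, evs in seen.items():
        risky = bool(evs & TRAINING_TRIGGERS)
        report[recipient] = {
            "status": max(evs, key=SEVERITY.index),
            "training": risky,
            "open_recorded": "opened" in evs,
            # The user must have viewed the email to click, so the pixel was missed.
            "missed_open": risky and "opened" not in evs,
        }
    return report


def open_counts(report):
    """Return (opens recorded by the pixel, opens including inferred ones)."""
    recorded = sum(r["open_recorded"] for r in report.values())
    inferred = recorded + sum(r["missed_open"] for r in report.values())
    return recorded, inferred


if __name__ == "__main__":
    result = summarize(EVENTS)
    for who, row in sorted(result.items()):
        print(who, row)
    print("opens (recorded, inferred):", open_counts(result))
```

The inferred count is still a lower bound: a recipient who viewed the email with images blocked and did not click leaves no trace at all.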
