Get Started Book a Demo

HowTo: Understand CyberHoot AttackPhish Field Definitions and Training Workflow

1st September 2025 | HowTo, MSP, Platform, Technology HowTo: Understand CyberHoot AttackPhish Field Definitions and Training Workflow

This document explains how CyberHoot AttackPhish populates the various tracking fields when running phishing simulations. It defines the user actions that trigger each status and describes when additional training is assigned.

Field Definitions

Email Sent

  • Indicates the phishing simulation email has successfully been delivered to the recipient’s inbox.
  • This status does not confirm that the user has seen the email, only that the mail server accepted delivery.

Email Opened

  • Tracked when the recipient’s email client loads the hidden tracking pixel embedded in the phishing message.
  • If the reading pane is enabled in Outlook or another client that auto-loads images, simply previewing the email counts as “opened.”
  • If images are blocked and not downloaded, the system may not register an open, even if the email is viewed.

Clicked Link

  • Populates when the recipient clicks on the phishing link embedded in the email.
  • This action shows the user took the bait and attempted to interact with the malicious content.

Submitted Data

  • Indicates the recipient not only clicked the phishing link, but also entered information into the landing page (for example, username and password, or any requested form fields).
  • This represents a full compromise scenario where the user fell for the phish completely.

Training Assignment

CyberHoot automatically assigns remedial training when users demonstrate risky behavior:

  • Clicking a phishing link
  • Submitting data on the phishing page

Simply opening the email does not trigger training, since users may preview messages in the normal course of work.

Training is assigned as a short, targeted awareness assignment, reinforcing how to spot phishing attempts and reminding users not to click or submit information.

Key Notes

Metrics may underreport “opens” if users block image loading in their mail client.

Clicking a link is the most reliable indicator of risky behavior, since it requires an intentional user action.

Submitted data represents the most severe failure point and is treated as a critical incident for awareness training.

Latest Blogs

Stay sharp with the latest security insights

Discover and share the latest cybersecurity trends, tips and best practices – alongside new threats to watch out for.

Claude Mythos Opened Pandora’s Box. Project Glasswing Is Racing to Close It.
10th April 2026 | Blog

Claude Mythos Opened Pandora’s Box. Project Glasswing Is Racing to Close It.

A Practical Brief for vCISOs THE WARNING WE IGNORED OR COULD NOT UNDERSTAND For years, the most credible...

Read more
When the “CEO” Calls and Asks You to Move Money Fast
31st March 2026 | Blog

When the “CEO” Calls and Asks You to Move Money Fast

A guide to spotting senior executive impersonation scams before the fake CEO gets a real wire transfer. It...

Read more
When the Attack Looks Just Like You
24th March 2026 | Blog

When the Attack Looks Just Like You

Artificial Intelligence (or AI) is making phishing emails smarter, malware sneakier, and credential theft easier...

Read more
Get Started All Posts