HowTo: Understand CyberHoot AttackPhish Field Definitions and Training Workflow

This document explains how CyberHoot AttackPhish populates the various tracking fields when running phishing simulations. It defines the user actions that trigger each status and describes when additional training is assigned.

Field Definitions

Email Sent

• Indicates the phishing simulation email has successfully been delivered to the recipient’s inbox.
• This status does not confirm that the user has seen the email, only that the mail server accepted delivery.

Email Opened

• Tracked when the recipient’s email client loads the hidden tracking pixel embedded in the phishing message.
• If the reading pane is enabled in Outlook or another client that auto-loads images, simply previewing the email counts as “opened.”
• If images are blocked and not downloaded, the system may not register an open, even if the email is viewed.

Clicked Link

• Populates when the recipient clicks on the phishing link embedded in the email.
• This action shows the user took the bait and attempted to interact with the malicious content.

Submitted Data

• Indicates the recipient not only clicked the phishing link, but also entered information into the landing page (for example, username and password, or any requested form fields).
• This represents a full compromise scenario where the user fell for the phish completely.

Training Assignment

CyberHoot automatically assigns remedial training when users demonstrate risky behavior:

• Clicking a phishing link
• Submitting data on the phishing page

Simply opening the email does not trigger training, since users may preview messages in the normal course of work.

Training is assigned as a short, targeted awareness assignment, reinforcing how to spot phishing attempts and reminding users not to click or submit information.

Key Notes

Metrics may underreport “opens” if users block image loading in their mail client.

Clicking a link is the most reliable indicator of risky behavior, since it requires an intentional user action.

Submitted data represents the most severe failure point and is treated as a critical incident for awareness training.