Understanding BullPhish ID email tracking behaviour

Introduction

BullPhish ID employs a specific email tracking behaviour to monitor the status of emails sent in phishing campaigns. This tracking system offers essential insights to security teams and administrators, guaranteeing the accurate recording of recipient interactions with these emails. This article delves into how this tracking system works, why some recipients avoid interacting with these emails, and how security teams can verify the authenticity of phishing test emails.

Email tracking behaviour

Link-Based Tracking: Each email sent through BullPhish ID campaigns is equipped with tracking links. These links are designed to monitor the intended status of the email.
Post-Delivery Monitoring: After email delivery, BullPhish ID actively observes the status of these links, taking into account recipient interactions. This includes both the intended recipient and anyone to whom the email was forwarded.
Email Forwarding: If a forwarded phishing test email is interacted with by another end user, BullPhish ID will maintain tracking of the relevant status, just as it was for the initial target.

Recipient avoidance

The IT teams responsible for reviewing reported phishing emails should be informed about BullPhish ID's phishing tests. This information is crucial to ensure they exercise caution when interacting with these emails to avoid inadvertently changing the status.

Incorrect email status/whitelisting

In scenarios where BullPhish ID (BPID) IPs and domains have not been correctly whitelisted by end users, unforeseen interactions with BPID emails can occur. These interactions may be initiated by external entities such as firewalls and third-party platforms.

These unplanned interactions can lead to unexpected outcomes in the email tracking process, potentially resulting in inaccuracies in the campaign status. Therefore, ensuring that BPID IPs and domains are properly whitelisted is essential to maintain the integrity of campaign tracking and reporting.

Additional context

If an end user opens the email, BullPhish ID tracks the status as Email Opened.
When links in the email are clicked, BullPhish ID tracks the status as Links Clicked.
If an end user submits credentials in response to a phishing test email, BullPhish ID tracks the status as Data Submitted.
If a phishing test email is forwarded to another end user who then interacts with it, BullPhish ID continues to track the relevant status.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.