HowTo: Understand CyberHoot AttackPhish Field Definitions and Training Workflow

This document explains how CyberHoot AttackPhish populates the various tracking fields when running phishing simulations. It defines the user actions that trigger each status and describes when additional training is assigned.

Field Definitions

Email Sent

  • Indicates the phishing simulation email has successfully been delivered to the recipient’s inbox.
  • This status does not confirm that the user has seen the email, only that the mail server accepted delivery.

Email Opened

  • Tracked when the recipient’s email client loads the hidden tracking pixel embedded in the phishing message.
  • If the reading pane is enabled in Outlook or another client that auto-loads images, simply previewing the email counts as “opened.”
  • If images are blocked and not downloaded, the system may not register an open, even if the email is viewed.

Clicked Link

  • Populates when the recipient clicks on the phishing link embedded in the email.
  • This action shows the user took the bait and attempted to interact with the malicious content.

Submitted Data

  • Indicates the recipient not only clicked the phishing link, but also entered information into the landing page (for example, username and password, or any requested form fields).
  • This represents a full compromise scenario where the user fell for the phish completely.

Training Assignment

CyberHoot automatically assigns remedial training when users demonstrate risky behavior:

  • Clicking a phishing link
  • Submitting data on the phishing page

Simply opening the email does not trigger training, since users may preview messages in the normal course of work.

Training is assigned as a short, targeted awareness assignment, reinforcing how to spot phishing attempts and reminding users not to click or submit information.

Key Notes

  • Metrics may underreport “opens” if users block image loading in their mail client.
  • Clicking a link is the most reliable indicator of risky behavior, since it requires an intentional user action.
  • Submitted data represents the most severe failure point and is treated as a critical incident for awareness training.
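
The following is an added example, not CyberHoot code or a CyberHoot export format. It applies the field definitions and training rule above to per-recipient results and corrects for opens missed when images are blocked. The record layout, the sample users, and the names `Recipient`, `needs_training`, and `summarize` are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical record layout: one flag per status described in this article.
@dataclass(frozen=True)
class Recipient:
    user: str
    sent: bool       # mail server accepted delivery
    opened: bool     # tracking pixel was loaded
    clicked: bool    # phishing link was clicked
    submitted: bool  # data was entered on the landing page

# Constructed sample data, not real campaign results.
SAMPLE = [
    Recipient("alice", True, True, False, False),   # previewed only
    Recipient("bob", True, True, True, False),      # clicked the link
    Recipient("carol", True, False, True, True),    # images blocked, still submitted
    Recipient("dave", True, False, False, False),   # no recorded interaction
    Recipient("erin", False, False, False, False),  # delivery not accepted
]

def needs_training(r: Recipient) -> bool:
    """Rule from the article: a click or a submission assigns training, an open alone does not."""
    return r.clicked or r.submitted

def summarize(recipients):
    delivered = [r for r in recipients if r.sent]
    # Recipients whose open was never recorded although they acted on the email.
    missed = [r.user for r in delivered if not r.opened and needs_training(r)]
    pixel_opens = sum(r.opened for r in delivered)
    return {
        "delivered": len(delivered),
        "pixel_opens": pixel_opens,
        # Lower bound on real views: a click or submission implies the message
        # was seen. Viewers who blocked images and did nothing stay uncounted.
        "inferred_opens": pixel_opens + len(missed),
        "missed_opens": missed,
        "training": sorted(r.user for r in delivered if needs_training(r)),
        "critical": sorted(r.user for r in delivered if r.submitted),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-empty `missed_opens` list is direct evidence that the reported open count is too low for that campaign, which is why click and submission counts are the better basis for comparing campaigns.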
