Defining Email Opened – Proofpoint

Situation – Define Email Opened in Phishing campaigns

Version – Proofpoint Essentials Security Awareness Phishing

Summary – Email opened means the tracking image in the phishing email was loaded

Question

What does ‘Email Opened’ mean in the phishing reports?

Answer

Email Opened means the tracking image in the body of the email that was sent to the end-user was loaded. The tracking image is a transparent 1×1 .gif pixel located in the body of the email. The URL to a tracking image is unique for each user within each campaign. The URL to the image contains the landing domain that was selected in the phishing template along with the user GUID. The user GUID is a unique string that identifies a user within a campaign. You can find the user GUID in the  Export Data to CSV report.

http://landing-domain/pixel_user-GUID.gif
http://www.securebankingsevices.com/…8dad9f8c0e.gif

When a tracking image is loaded one could infer that the user has viewed the email message in his/her email client, however in some cases ATP and proxy services may sandbox and/or cache the tracking image leading to false positives.  Also, Email Opened may not always work based on how the user’s email client is configured. For example, Microsoft Outlook and Lotus Notes traditionally are configured by default to restrict access to remote images so a user may actually have viewed the email but since the image is blocked it does not show in the reports. See the example below.

If the user chooses to allow remote images, the user is then marked as having opened the email.

Again, the ability for us to detect this depends on the user’s email client configuration. Apple (iOS) devices fetch remote images by default, for example.

Phishing Attachment Campaign CSV Header Definitions – PSAT (Measure)

Blocked Images in Teachable Moment – PSAT (Educate)