Users may contact you to say they did not interact with your phishing simulation and question why they are listed as someone who opened the email, clicked on the link or opened the attachment in your campaign. This is something that may also appear when you are testing our product. This can be the result of false positives and may be an indication that a bot or sandbox has interacted with the email before it reached the employee. We recommend that you follow our instructions to add Phish Insight to your Allow List. 

Note: To add Phish Insight URL's to your Allow List, kindly sign in to your account, open the chat widget at the lower-right corner and go to Allow List > Add Phish Insight to your Allow List.

How Phish Insight helps you identify false positives 

When your phishing simulation campaign is complete we will scan all your results and try to identify behavior that came from a sandbox. When the scan is complete we will classify your results under the following categories: 

  • Sandbox activities 
  • Uncertain sandbox activities 
  • Actual user activities 

What does "Sandbox activities" mean?

Phish Insight hides records that we can confidently identify as a bot. We use the following rules.

  • Unusual Interaction IP (The IP clicks a hidden link in the simulation email)
  • Unusual User Agent (e.g. Java or Python) 
  • Unusual OS (e.g. Windows Vista or XP)
  • Unusual User Agent with OS (ex: using IE on Mac) 

How does Phish Insight detect Uncertain sandbox activities?

If we identify records that may be a sandbox we will classify the records as “Uncertain sandbox activities”. These records require your review to determine if they should be counted as part of your campaign results. We use the following rules to classify these records: 

  • A user clicks more than 3 times within 3 seconds 
  • An IP clicks on more than 2 users

How to review uncertain sandbox activities?

You can review these activities and determine if they are indeed sandbox activities or actual user activities.

  1. Go to Campaigns and click the name of your campaign.
  2. Click Review now.
  3. Carefully review the uncertain sandbox activities. When you are ready to reclassify them click the checkbox and then select “Mark as actual user activities” or “Mark as sandbox activities”. If you mark the records as sandbox activities, they will be excluded from your campaign results. If you mark the records as actual user activities, they will be included in your results.  

Tip: Here are three ways to determine if a record is from a sandbox or not.  

  • Filter by B1 & B2 rule 
  1. Click Add filters drop-down menu > select Rule
  2. Select Rule drop-down to filter the list by B1 & B2 
  3. According to customer feedback, the uncertain sandbox activities that meet B1 & B2 rule have high accuracy as sandbox activities in different customer environments. We recommend you mark those uncertain sandbox activities that meet the B1 + B2 rule as Sandbox activities. 

  • Filter by unique users/IPs 
  1. To change activities type, click the All activities drop-down > select Uncertain sandbox activities. 
  2. Change the browse by records value to Unique users or Unique IPs. 
  3. The responses or IPs with unusually high frequency are most likely to be sandbox activities.  
    • Browse by unique users 
    • Browse by unique IPs
  4. We suggest marking those uncertain sandbox activities with an unusually high frequency as sandbox activities. 

  •   Filter by unique users/IPs
  1. Click Add filters drop-down menu > select Data entered (user name). 
  2. Click Data entered (user name) drop-down > input your company’s email domain.  
  3. Also, add another filter to the list by select Data entered (Password). 
  4. From the Data entered(password) drop-down, select Entered. 
  5. Mark those uncertain sandbox activities as actual user activities