What is a sandbox?

A sandbox is an email security mechanism that scans URLs and attachments on all your incoming emails. This mechanism can lead to false positives when tracking the “Open Mail”, “Click Link”, “Click Attachment” and “Post Credentials” actions from your users in a campaign. It is important to run test simulations to try to identify if a sandbox is impacting your results. Phish Insight has implemented logic to try to identify sandbox activity for you however it is still important that you also check.

How does Phish Insight detect sandbox records?

While we cannot openly share all the logic we use to detect sandboxes Phish Insight will mark a record as a sandbox if the action came from:

  • an obsolete browser or operating system
  • unusual combination of browser and operating system (e.g. IE on Mac OS)
  • a user with multiple "Click" actions recorded within a period of time
  • a user with multiple recorded IP addresses

How can I prevent sandbox records from appearing on my reports?

We recommend that you identify any security software in your organization that uses a sandbox to check your emails. You can then configure it to bypass Phish Insight emails. You can find the details about our email sender and server IPs here.

 

Phish Insight also gives you the ability to manually hide sandbox records from your report.

  1. Log in to Phish Insight.
  2. Go to Report > Phished users > Phished users report.
  3. Click the "Eye" symbol under the Visibility column for the record you want to hide. This record will also be removed on the Campaign Overview and will affect the Phished % data. You can enable "Include hidden records" to view these records and unhide them back.