False Positives on Attachments ?!


So, I sent out my first phishing email test. Days later, I sent the 15 minute training session to my clicker group. Some are saying, of course, that it wasn’t opened. I show a time stamp and IP address. Is there anyway, and I’m doubtful, a false positive could have been reported?

(Dan) #2

Opened and clicked are 2 different things. What email client are you using. I know that Outlook, for instance, if the preview pane is on…that is the same as opening the email.

(Chris Holt) #3

In my testing, I’ve found that the preview pane is not responsible for opening detection, rather it is clicking “show images” or “show content” that allows the serialized images (web bugs) to be downloaded.
This is using Outlook 2013


That is good to know. We will be starting our first phishing campaign in the coming weeks.


Right! Clicking is not as scary as opening the attachment. We are all using OutLook 2010 on our internal computers.

(Lou Bolanis) #6

I think an ounce of perspective is worth a pound of assumptions. If IT / end user awareness training staff begin from the perspective that most normal users don’t wake up in the morning and plan to be careless or cause harm…the tone of any interaction with end users (training or otherwise) benefits. It’s important to read your audience and get a feel for how much detail they’re comfortable consuming and how readily they’re able to “learn” and “retain” knowledge.

IT / InfoSec staff know that there are differences between the following 3 scenarios (and inherent risks with each as well):

  1. Viewing an email in your inbox with “show image” or “web content” preview turned “off” but not “clicking” on anything
  • Safest option (nothing live & hiding in the background phones home)
  • Hyperlinks are still live and can result in an Social Engineering (SE) exploit click
  1. Viewing an email in your inbox with “show image” or “web content” preview turned “on” but not “clicking” on anything
  • Risky due to active exploits leveraging web code & image rendering
  • Risky due to track-back unique image calls (GETs/PUTs) against a uniquely named image to indicate “opened” or “viewed”
  1. Viewing an email in your inbox with “show image” or “web content” preview turned “on” and “clicking” on anything
  • Risky for all reasons above as well as directly launching code by user action

The key to successfully training users is to provide value to them, in their context; people pay attention when they find value. If you make users aware of things like back-tracking (as an example), by explaining "if you preview an image, your browser or email reader registers a ‘read’, this ‘read’ lets the bad guys know you’re a target that they can victimize - more SPAM ‘will’ come. Conversely, if you don’t ‘read’ then you’re in stealth mode (for the most part). The end-user value in this case is “less SPAM”. This extra little bit of info provides just enough to involve them, encourages partnership, avoids the perception of being talked down to (if done correctly), and offers a practical (non-IT) reason for user adherence to best practices.