Symantec Phishing Readiness FAQ

Article ID: 150736

Products

Email Security.cloud, Phishing Readiness, Email Threat Detection and Response

Issue/Introduction

You would like to use the Phishing Readiness tool in your organization.

Resolution

Do Data Exposure Assessments capture sensitive data?

When performing a Data Exposure Assessment, the platform utilizes a landing page to collect results from users who click through on the phishing email.

It is important to note that Symantec does not capture or store any information sent through these landing pages. Users who enter sensitive information - such as login credentials - into an untrusted landing page represent a significant risk to your organization.

The Data Exposure Assessment will detect the fact that the user submitted information to the landing page, but it will not capture or store this information. For this reason, Symantec has no way of knowing exactly what information the user submitted - just that they submitted something to the untrusted site.

 

Assessment results incorrectly report Open events

The detection of whether a user opens an assessment email or not depends on a number of factors. Generally, the open event will be detected if the user's email client is configured to load remote content and images.

Many email clients disable this behavior by default. This may cause the number of open events to be reported lower than expected.

Given the comparatively low risk of an open event when compared to a click, attachment, or expose event, the presence (or absence) of open events should not be used as a primary indicator of user susceptibility to phishing attacks.

Note that any click, attachment, or expose events will also generate a corresponding open event even if the original open event was not captured.

 

How do I start an assessment?

From the menu bar, select "Assessments", then choose "New". Then choose the assessment type.

For more detailed instructions on each type of assessment, continue to one of the following articles:

  • Open/Click Assessment
    • Used to measure users' susceptibility to opening phishing emails and clicking on untrusted/unknown links
  • Attachment Based Assessment
    • Used to measure users' susceptibility to opening attachments sent in phishing emails
  • Data Exposure Assessment
    • Used to measure users' susceptibility to entering data in an untrusted website

 

How do I clone an existing Assessment?

From the Assessment list view, you can clone any existing Assessment by hovering over the Assessment name and clicking "Actions" > "Clone". This will create a new Assessment with all of the same settings as the previous Assessment.

What does the "contains unauthorized target domains" error mean?

If you encounter the error message

"contains unauthorized target domains"

when creating an Assessment, you are attempting to send an Assessment to users with email addresses outside of your company's domain. If your company domain is company.com, all target users must have an email address @company.com.

If you have more than one email domain, please contact the Support Team to verify ownership and add additional domains.

 

What are the different template types?

Much of the messaging delivered in a phishing assessment is driven by the use of dynamic templates. There are four different types of templates.

Email Templates

Email templates are used as the basis for your phishing assessment. This content will be sent to each target user. Consider the expected technical aptitude of the target users when selecting an email template. A perfectly crafted template may not be representative of typical phishing attacks against your organization. A poorly crafted template may be obviously fake to your target users.

Landing Page Templates

Landing page templates are used as phishing sites for users that click on links in your phishing emails. This content will typically be used to test your users' susceptibility to divulging credentials or other sensitive information. A landing page template must contain at least one HTML form. This can be easily inserted into the template using the {{FORM.EN_US}} token from the template editor.

Notice Templates

A training notice informs the user about what just happened when they clicked on a phishing email, opened an attachment, or submitted data to a phishing form. The training notice should explain to the user what action they are expected to take next.

Training Page Templates

Training page templates are used as a notification to users letting them know what happened when they clicked a link in a phishing email, opened an attachment or submitted sensitive data on a landing page. A training page template must contain at least one {{TRAINING_LINK.EN_US}} token. This will direct the user to your customized training content.


What are dynamic tokens and how are they used?

Tokens are used to insert dynamic content into various templates. As an example, you might use tokens to dynamically insert the value of a target user's name.

To learn about all of the tokens available and which templates they can be used in, see How to use dynamic tokens in templates.


Do I need to whitelist IP addresses?


It is not required, but it is recommended to whitelist the Symantec mail server (MTA) IP addresses to ensure delivery of your assessment emails.

The IP addresses to whitelist are:

  • 54.163.249.247 (mx-a.blackfin.io)
  • 54.163.250.3 (mx-b.blackfin.io)

 

If your mail gateway and/or servers allow whitelisting by email header content, see how to whitelist specific email headers below.

 

Do I need to whitelist specific email headers?


It is not required, but it is recommended to whitelist emails that contain a special email header to indicate the email was sent as part of a phishing assessment.

If your mail server supports header-based whitelisting, you should allow delivery for all mail with the header X-Blackfin-Assessment present. The value of this header will be unique for every assessment, but its presence indicates that the message was sent by the Symantec Security Platform.
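
The following is an added example, not Symantec's code or a gateway's real API: a sketch of an allow rule that combines the two whitelisting options above, so that the X-Blackfin-Assessment header only bypasses filtering when the message also arrives from one of the listed MTA addresses. Requiring both conditions is an assumption made here and is stricter than either recommendation on its own; the function name classify, the peer_ip parameter, the verdict strings and the sample messages are hypothetical.

```python
import ipaddress
from email import message_from_string

# Values taken from the FAQ: the assessment MTA addresses and the marker header.
ASSESSMENT_MTAS = {ipaddress.ip_address("54.163.249.247"),
                   ipaddress.ip_address("54.163.250.3")}
ASSESSMENT_HEADER = "X-Blackfin-Assessment"

# Constructed sample messages (not real assessment mail).
SAMPLE_ASSESSMENT = (
    "From: sender@example.test\n"
    "To: user@company.com\n"
    "Subject: Constructed assessment message\n"
    "X-Blackfin-Assessment: constructed-id-0001\n"
    "\n"
    "Constructed body.\n"
)
SAMPLE_PLAIN = "From: a@example.test\nTo: user@company.com\nSubject: hi\n\nBody.\n"


def classify(peer_ip: str, raw_message: str) -> str:
    """Return 'allow', 'flag' or 'scan' for one inbound message.

    peer_ip must be the SMTP client address observed by the gateway itself,
    not a value parsed from Received headers, which the sender controls.
    """
    msg = message_from_string(raw_message)
    # Presence is what matters; the value is unique per assessment.
    has_header = msg.get_all(ASSESSMENT_HEADER) is not None
    try:
        ip = ipaddress.ip_address(peer_ip)
        # Dual-stack listeners may report IPv4 peers as ::ffff:a.b.c.d.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        from_mta = ip in ASSESSMENT_MTAS
    except ValueError:
        from_mta = False
    if has_header and from_mta:
        return "allow"  # skip filtering: listed MTA and marker header together
    if has_header:
        return "flag"   # header from an unlisted source; any sender can add one
    return "scan"       # everything else goes through normal filtering


if __name__ == "__main__":
    for peer in ("54.163.249.247", "203.0.113.9"):
        print(peer, classify(peer, SAMPLE_ASSESSMENT))
```

In a real gateway the same logic is normally expressed as a rule with two conditions (connecting IP and header present) rather than as code.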