How do you read the results of a Phishing Campaign containing an file attachment or even of a Ransomware Simulation? A hands-on example explains how to get campaign insights and how to read LUCY Phishing Reports.
The initial situation and the question
You prepared a file based phishing scenario. The attachement is a word file containing a ‘malicious’ macro. And now you want to track the results.
Say you sent 50 messages, 20 were clicked (good campaign!), vou got 2 file downloads and 1 user activated the macros.
The Question: How can you list the users who downloaded the file, but didn’t activate the macros? For example you’re should have a list of 2 users somewhere for this but you can’t find it.
The Answers: Analyzing the Phishing Reports
1. Who downloaded the File and who did activate the macros? You can see who clicked, and who executed the file (success) in CSV for example (here’s an example of mixed scenario with macro) and the success condition set to “Data Submit”. As you can see it’s only the last user who downloaded AND executed the file has a ‘success entry’. The user who only accessed the file has only a success entry at link click (column ‘clicked):
2. Download summaries are visible in overall stats:
3. See in detail how downloaded what and how was the success: But if you want to see in detail who downloaded a file you can sort the phishing report list by a variable that only appears if the user accessed the webpage (e.g. plugins) and then you can see in the details if the user downloaded the file and executed the file (= The check mark at “Successful Attack”)…
…or only accessed the link, downloaded the file, but did not execute the file (no success check mark):
5. Alternative: Analyze transmitted Data back to LUCY – Another possibility to track only users who executed the simulation is to actually see under “Collected Data”. Such an event when a user is clicking a link/file is reported back to LUCY: