Phishing Reports: How to read and analyze Stats of a Ransomware Simulation or a File based Phishing Attack

How do you read the results of a Phishing Campaign containing an file attachment or even of a Ransomware Simulation? A hands-on example explains how to get campaign insights and how to read LUCY Phishing Reports.

The initial situation and the question

You prepared a file based phishing scenario. The attachement is a word file containing a ‘malicious’ macro. And now you want to track the results.

Say you sent 50 messages, 20 were clicked (good campaign!), vou got 2 file downloads and 1 user activated the macros.

The Question: How can you list the users who downloaded the file, but didn’t activate the macros? For example you’re should have a list of 2 users somewhere for this but you can’t find it.

The Answers: Analyzing the Phishing Reports

1. Who downloaded the File and who did activate the macros? You can see who clicked, and who executed the file (success) in CSV for example (here’s an example of mixed scenario with macro) and the success condition set to “Data Submit”. As you can see it’s only the last user who downloaded AND executed the file has a ‘success entry’. The user who only accessed the file has only a success entry at link click (column ‘clicked):

Who clicked on the File Link? Who even activated the Word Macro in the File - Analyzing Campaign Reports generated by LUCY Anti-Phishing Server

2. Download summaries are visible in overall stats:

Summary Report on the amount of people who downloaded a attachement from a LUCY Phishing Simulation / Attack

3. See in detail how downloaded what and how was the success: But if you want to see in detail who downloaded a file you can sort the phishing report list by a variable that only appears if the user accessed the webpage (e.g. plugins) and then you can see in the details if the user downloaded the file and executed the file (= The check mark at “Successful Attack”)…

details if the user downloaded the file and executed the file. This is a success event of a file based phishing simulation

…or only accessed the link, downloaded the file, but did not execute the file (no success check mark):

A user downloaded the file but he didn't activate the word macro. This means that this particular phishing attack was not successful. Success Checkmark is empty - Antiphishing Simulation with LUCY Server

5. Alternative: Analyze transmitted Data back to LUCY – Another possibility to track only users who executed the simulation is to actually see under “Collected Data”. Such an event when a user is clicking a link/file is reported back to LUCY: 

When a user clicks on a link or a file, this information is send back to LUCY Phishing Server and is available for further analysis under the Menu "Collected Data"

Happy Reporting with LUCY Anti-Phishing and Awareness Training Server!

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *