How do I detect a false positive on a phishing campaign?

When administering phishing tests, you may find targets that fail tests, yet claim they did not click links or interact with landing pages.

False positives are most commonly caused by cloud-based email security software. Security software, email clients, and even web crawlers used by search engines can 'click' links, which will register as clicks in testing data. Using a combination of Hook Security, Inc internal tools and free third-party applications can help you identify false positives and ignore them in testing data.

Identifying False Positives

Identifying false positives can be difficult. A target may report that they did not click a link in a phishing test, but how can you be sure they are telling the truth? Every time a link is clicked our system records it. This means that if the email is forwarded and someone else clicks the link, or if the link is clicked by third-party software as the email travels, the click is registered against the email's original recipient. As an email travels from our servers to its destination it passes through several networks and may be scanned by mail servers and security software. This software checks the email for malicious content and may fetch (in effect, click) the links it contains. These clicks are not human actions, but they can be identified and the IP addresses behind them excluded from testing data. We have identified the following data points that help you determine whether a failure is a false positive.

Geodata & Environment

Every action registered in Hook Security, Inc is geolocated and has an associated operating system and browser. When an IP address registers an action, its approximate location is resolved from an IP geolocation database, and the operating system and browser are parsed from the request's user agent. The geolocation and environment data for a campaign can be found on the campaign's details page or generated in a report. If the geodata for the action is far from the physical location of the target, the action was most likely a false positive (bearing in mind that VPNs and mobile carriers can also place a genuine user some distance from their office, so treat distance as one indicator rather than proof). Another thing to look at is whether the reported browser or operating system is a type or version that is not deployed in your environment. You can also get geodata for specific IP addresses using third-party IP lookup (WHOIS and geolocation) tools.

Action Characteristics 

If a target's record shows the link clicked many times, or the email opened many times, the actions are likely false positives. If the behavior for a group of targets looks identical, for example every target from a block of neighboring IP addresses registers open, click and view in the same order without deviation, that is a tell. If all of a target's actions also happened at the same moment, that is another indicator: target 1 has three actions all at 3:01pm, target 2 has three actions all at 3:34pm, target 3 has three actions all at 4:00pm, and so on. Software, whether security tooling or malware, tends to interact with an email many times within a few seconds, whereas a person opens, reads and clicks over minutes. If the actions recorded for a specific email in a campaign do not look like typical human behavior, treat the failure as a likely false positive. Bot behavior looks a certain way: unnatural actions cluster on the same user at the same time.

User Agent

If the actions are coming from user agents that are known bots, then the actions are most likely false positives. You can use the following tool to look up the user agents to help determine if an action is possibly coming from a bot: https://user-agents.net/bots

Examples of known user agents that cause false positives: Lua, Apache and Google AdsBot.

Triage

If you believe an IP address is registering false positives, the best course of action is to look it up. There are many free IP lookup tools available, such as who.is, that relay geographic, reverse DNS and ownership (WHOIS) information for any IP address. Most cloud-based email security providers have their IP ranges registered to their company, and a WHOIS lookup will expose that information. However, this isn't always the case, and beyond the geographic location of the address a lookup does not always provide useful information. This is why it is important to have a deep understanding of your own network and infrastructure: when little information is available at investigation time, knowing which addresses and ranges are yours makes it much easier to identify false positives. Several kinds of entities can register false clicks on emails, ranging from email security software, antivirus and email clients to bad actors that have obtained a user's login credentials or malicious bots that are watching the inbox. Regardless, the IP lookup is the best tool available to pinpoint the cause of false clicks. In the case of cloud-based email security software (the most common culprit), many providers list their IP ranges in their support documentation.

More often than not, real clicks come from the target's own IP address or geographic area, unless client-side software such as an email client or antivirus is interacting with the emails. If that is the case, it may be useful to review the full user agent data for the request that registered the action.

Filtering False Positives

If you can identify the IP addresses, ranges, or blocks that are registering the false clicks with a certain amount of confidence, those IP addresses can be excluded from testing data on the Phishing Settings page.
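The Action Characteristics, User Agent, Triage and Filtering sections above describe a manual review; the script below applies the same indicators to a small constructed export of campaign actions. It is an added example, not Hook Security code or an export format the platform provides: the record fields, the sample data (documentation IP space, not real providers), the expected-country table and the scanner IP range are all assumptions, and the `burst_seconds` window and the "two or more indicators before excluding an IP" threshold are editorial choices you should tune to your own data.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of campaign actions (illustrative, not a real export). The fields
# mirror what the article says is recorded for every action: target, action type,
# timestamp, source IP, user agent and geolocated country.
SAMPLE_ACTIONS = [
    # Target 1: open, click and view in the same second, scanner user agent.
    {"target": "alice@example.com", "action": "open",  "ts": "2024-03-04T15:01:00",
     "ip": "203.0.113.10", "ua": "Lua/5.1", "country": "US"},
    {"target": "alice@example.com", "action": "click", "ts": "2024-03-04T15:01:00",
     "ip": "203.0.113.10", "ua": "Lua/5.1", "country": "US"},
    {"target": "alice@example.com", "action": "view",  "ts": "2024-03-04T15:01:00",
     "ip": "203.0.113.10", "ua": "Lua/5.1", "country": "US"},
    # Target 2: identical sequence from a neighbouring IP in the same /24, 33 minutes later.
    {"target": "bob@example.com", "action": "open",  "ts": "2024-03-04T15:34:00",
     "ip": "203.0.113.11", "ua": "Apache-HttpClient/4.5", "country": "US"},
    {"target": "bob@example.com", "action": "click", "ts": "2024-03-04T15:34:00",
     "ip": "203.0.113.11", "ua": "Apache-HttpClient/4.5", "country": "US"},
    {"target": "bob@example.com", "action": "view",  "ts": "2024-03-04T15:34:00",
     "ip": "203.0.113.11", "ua": "Apache-HttpClient/4.5", "country": "US"},
    # Target 3: human-looking, minutes between open and click, office IP, desktop browser.
    {"target": "carol@example.com", "action": "open",  "ts": "2024-03-05T09:12:10",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
     "country": "US"},
    {"target": "carol@example.com", "action": "click", "ts": "2024-03-05T09:15:42",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
     "country": "US"},
    # Target 4: one click, but geolocated far from where the target works.
    {"target": "dave@example.com", "action": "click", "ts": "2024-03-05T11:03:00",
     "ip": "192.0.2.55", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
     "country": "DE"},
]

# Where each target normally works (constructed; take this from your directory data).
TARGET_COUNTRY = {"alice@example.com": "US", "bob@example.com": "US",
                  "carol@example.com": "US", "dave@example.com": "US"}

# Case-insensitive user agent substrings: the article's three examples.
BOT_UA_MARKERS = ("lua", "apache", "adsbot")

# Ranges published by your email security provider (constructed placeholder range).
SCANNER_RANGES = [ip_network("203.0.113.0/24")]


def _parse(records):
    """Convert timestamps and IPs, sorted per target in time order."""
    parsed = [{**r, "ts": datetime.fromisoformat(r["ts"]), "ip": ip_address(r["ip"])}
              for r in records]
    return sorted(parsed, key=lambda r: (r["target"], r["ts"]))


def flag_false_positives(records, target_country=TARGET_COUNTRY,
                         scanner_ranges=SCANNER_RANGES, bot_markers=BOT_UA_MARKERS,
                         burst_seconds=2):
    """Return {target: set(indicator names)} for targets whose actions look automated."""
    reasons = defaultdict(set)
    by_target = defaultdict(list)
    for r in _parse(records):
        by_target[r["target"]].append(r)

    block_sequences = defaultdict(dict)  # IP block -> {target: action sequence}
    for target, acts in by_target.items():
        # Several actions within a few seconds: people do not open, click and view at once.
        for a, b in zip(acts, acts[1:]):
            if (b["ts"] - a["ts"]).total_seconds() <= burst_seconds:
                reasons[target].add("burst_timing")
        for a in acts:
            if any(m in a["ua"].lower() for m in bot_markers):
                reasons[target].add("bot_user_agent")
            if any(a["ip"] in net for net in scanner_ranges):
                reasons[target].add("scanner_ip_range")
            expected = target_country.get(target)
            if expected and a["country"] != expected:
                reasons[target].add("geo_mismatch")
            prefix = 24 if a["ip"].version == 4 else 64
            block = ip_network(f"{a['ip']}/{prefix}", strict=False)
            block_sequences[block][target] = tuple(x["action"] for x in acts)

    # Identical open->click->view sequences from neighbouring IPs across several targets.
    for seqs in block_sequences.values():
        by_seq = defaultdict(list)
        for target, seq in seqs.items():
            by_seq[seq].append(target)
        for targets in by_seq.values():
            if len(targets) >= 2:
                for t in targets:
                    reasons[t].add("identical_sequence_in_block")
    return dict(reasons)


def suspect_ips(records, flags, min_indicators=2):
    """IPs behind targets with enough indicators to exclude with confidence."""
    confident = {t for t, why in flags.items() if len(why) >= min_indicators}
    return sorted({r["ip"] for r in records if r["target"] in confident}, key=ip_address)


if __name__ == "__main__":
    flags = flag_false_positives(SAMPLE_ACTIONS)
    for target, why in sorted(flags.items()):
        print(f"{target}: {', '.join(sorted(why))}")
    print("exclude:", suspect_ips(SAMPLE_ACTIONS, flags))
```

Only the two targets hit from the scanner range collect enough indicators to be excluded; the single geo mismatch is reported for a human to review rather than filtered automatically, which matches the article's advice to exclude only with a certain amount of confidence.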