If a webhook URL is set on a campaign or on the Account Settings page and a target completes an action during a test, the PhishingBox server will post a JSON object to the webhook URL containing information about both the target, the test, and any auto-enrollments created as a result of the action.
Example JSON:
{ "member": { "id": "d5ac1721-c5ea-465e-bcc5-dc3c6a2d4194", "email": "jodoe@example.com", "first_name": "John", "middle_name": "Michael", "last_name": "Doe", "company": "Example Corp", "title": "Software Engineer", "address_one": "123 Main St", "address_two": "Apt 4B", "city": "Metropolis", "state": "NY", "zip": "10001", "country": "USA", "phone_business": "555-1234", "phone_business_fax": "555-5678", "phone_mobile": "555-9876", "department": "Engineering", "language": "en_US", "timezone": { "name": "America/New_York", "offset": -4 }, "manager": "Jane Doe", "manager_email": "jdoe@example.com", "integration_id": "X-CY10CKHBRZKSqXfzrx6w2", "optional_1": "Optional field 1", "optional_2": "Optional field 2", "optional_3": "Optional field 3", "last_failed": "2024-06-25 10:32:56", "is_active": true, "datetime_added": "2024-05-28 16:47:44", "datetime_updated": "2024-05-28 16:47:44", "datetime_deactivated": null, "employee_id": "EMP123456", "group": { "id": "214c17b0-1576-4c2f-b5f1-6d956e0a52a9", "name": "Example Group", "is_active": true, "service_type": "Coursera", "auto_sync": true, "smart_sync": false, "date_created": "2024-05-28 16:47:43", "datetime_created": "2024-05-28 16:47:43", "date_updated": "2024-05-28 16:47:44", "datetime_updated": "2024-05-28 16:47:44", "integration_id": "EyynMg-X-s01", "targets": 3, "custom_fields": [] } }, "test": { "id": "f22bfada-68d0-4eb1-9200-69f0916ddcf9", "name": "Example Test #1", "sent_date": null, "template": "Example Template", "action": "page-load", "ip_address": "8.8.8.8", "browser": "Chrome", "platform": "Windows 10", "action_date": "2024-06-25 10:32:57", "is_fail": true, "filtered": 0, "verified": 1, "pre_check": "Passed", "detections": "None" }, "enrollments": { "courses": [ { "id": "214c17b0-1576-4d2f-b5f1-6d956e0a52a9", "course_name": "Introduction to Cybersecurity", "course_id": "course-uuid-123" } ], "programs": [ { "id": "b5ac1821-c5ea-465e-bcc5-dc3c6a2d419a", "program_name": "Cybersecurity Specialist Program", "program_id": "program-id-456" } ], "third_party": [ { "course_id": "0J81qLE3wOE1", "course_name": "Advanced Ethical Hacking", "service": "Coursera" } ] } }
"Action" Property
The value of the "action" property on the "test" object varies from template to template, and can be user-defined. The list below defines some of the common action values returned by the web hook.
- Note: This is not a complete list, actions can be customized and are determined by the template being used for testing.
The value of the action property will always be a string (the value will be in double quotes).
For more information about terms used at PhishingBox, see article: Phishing Term Appendix.
Primary Actions
The following actions are the most common actions that will be reported by our templates.
- opened: The email was opened.
- page-load: The link in the email was clicked and the landing page was loaded.
- Viewed Landing Page: The landing page was refreshed or navigated to by means other than a click from the phishing email.
- Viewed Training Page: The target viewed the training page but did not complete the training materials.
- Completed Training Page Material: The button on the training page was clicked to acknowledge that it was read.
- replied: The target sent a reply to the email.
- reported: The target reported the email as phishing.
- auto-reply: The system caught an auto reply to the email.
- Performed Action: A generic action for anything done on the landing page.
Custom Actions
The following actions describe more specific actions that are determined by the template being used in the test and can be customized by the user. Any of these actions are done on the landing page and therefore should be considered a failure.
- "Clicked Completion" depending on the template, clicked completion means that the target has entered information or clicked a link.
- "Clicked Link" means that the primary Hook Link was clicked in the phishing email and the user was taken to the landing page. This action, along with Viewed Landing Page, makes up reported Clicks.
- "Created Account" the target created an account as prompted by the template.
- "Data Entered" the target entered data in some fashion as prompted by the template.
- "Data Submitted" the target entered and submitted data.
- "Download" means the target downloaded a file.
- "Downloaded Attachment" the email template has a file attached which the target then downloaded.
- "Opened Attachment" the target opened an attached file.
- "login-attempt" means the target attempted to login to a service as prompted by the template.
- "Login Complete" the target logged in to a service as prompted by the template.
- "Login Information Submitted" means the email template asked the target for login information which the target then submitted.
- "Login Submitted" means the email template asked the target for a login which the target then submitted.
- "Password Entered" the target entered a password into the template.
- "Performed Update" means the template prompted the target to start an update which the user performed.
- "Signed In" the target signed in to a website as prompted by the template.
- "started-update" the target started an update.
- "StartedDownload" - some email templates have downloads or attachments. If the target begins a download they will be flagged as having started the download.
- "Submitted" the user submitted information as prompted.
- "Submitted Form" the target submitted a form from a landing page.
- "Update Complete" the user completed an update as prompted by the template.
For a more complete list of action types that illustrates the flexibility and customization available for action types, you can download the .csv attached to this article. The csv contains all of the custom and generic action types that have been used with templates on our system.
Comments
0 comments
Please sign in to leave a comment.