Whenever a target completes an action during a test, PhishingBox will send a JSON response to your webhook url. It will contain information about both the target and the test.
Example JSON response:
"group": "Accounting Department Group"
"name": "Accounting Test 1",
"sent_date": "2018-01-01 14:00:00",
"template": "Goals for Q1 2019 (Generic) - Attachment",
"action": "Viewed Landing Page",
"browser": "Mozilla Firefox",
"action_date": "2018-01-04 07:34:00",
The value of the "action" property on the "test" object varies from template to template, and can be user-defined. The list below defines some of the common action values returned by the web hook.
- Note: This is not a complete list, actions can be customized and are determined by the template being used for testing.
The value of the action property will always be a string (the value will be in double quotes).
For more information about phishing terms used at PhishingBox, see article: Phishing Term Appendix.
The following actions are the most common actions that will be reported by our templates.
- opened: The email was opened.
- page-load: The link in the email was clicked and the landing page was loaded.
- Viewed Landing Page: The training page was visited.
- Viewed Training Page means the target viewed the training page but did not complete the training materials.
- Completed Training Page Material: The button on the training page was clicked to acknowledge that it was read.
- replied: The target sent a reply to the email.
- reported: The target reported the email as phishing.
- auto-reply: The system caught an auto reply to the email.
- Performed Action: A generic action for anything done on the landing page.
The following actions describe more specific actions that are determined by the template being used in the test and can be customized by the user. Any of these actions are done on the landing page and therefore should be considered a failure.
- "Clicked Completion" depending on the template, clicked completion means that the target has entered information or clicked a link.
- "Clicked Link" means that the primary Hook Link was clicked in the phishing email and the user was taken to the landing page. This action, along with Viewed Landing Page, makes up reported Clicks.
- "Created Account" the target created an account as prompted by the template.
- "Data Entered" the target entered data in some fashion as prompted by the template.
- "Data Submitted" the target entered and submitted data.
- "Download" means the target downloaded a file.
- "Downloaded Attachment" the email template has a file attached which the target then downloaded.
- "Opened Attachment" the target opened an attached file.
- "login-attempt" means the target attempted to login to a service as prompted by the template.
- "Login Complete" the target logged in to a service as prompted by the template.
- "Login Information Submitted" means the email template asked the target for login information which the target then submitted.
- "Login Submitted" means the email template asked the target for a login which the target then submitted.
- "Password Entered" the target entered a password into the template.
- "Performed Update" means the template prompted the target to start an update which the user performed.
- "Signed In" the target signed in to a website as prompted by the template.
- "started-update" the target started an update.
- "StartedDownload" - some email templates have downloads or attachments. If the target begins a download they will be flagged as having started the download.
- "Submitted" the user submitted information as prompted.
- "Submitted Form" the target submitted a form from a landing page.
- "Update Complete" the user completed an update as prompted by the template.
For a more complete list of action types that illustrates the flexibility and customization available for action types, you can download the .csv attached to this article. The csv contains all of the custom and generic action types that have been used with templates on our system.