Overview
To view test details, first go to the Manage Tests page (Tests/Campaigns > Manage Tests). You can then get to test details page in one of three ways:
- Clicking on the name of the test.
- Clicking on the View button in the Actions column.
- Clicking the drop-down in the Actions column and choosing View Details.
The test details page should look similar to the below screen:
Read about each of these sections by following one of the below links.
- Emails Summary
- Pass/Fail Summary, Actions Summary, and IP Map
- Test Details
- Emails
- Actions
- IPs
- Templates
Emails Summary
From top-left to top-right is the number of delivered emails (green), opened emails (purple), clicked links in emails (yellow), data extended (red), received training (light blue), and reported phishing (dark blue) (read more about these terms in this article).
Pass/Fail Summary, Actions Summary, and IP Map
The Pass/Fail Summary tab provides a high-level overview of user performance in a phishing test by tracking the outcome for each recipient. The main pie chart displays the distribution of email statuses such as Passed, Failed, and Bounced. A pass indicates that the recipient did not engage with the phishing content in a risky way, while a fail means the recipient performed a tracked failure action like clicking a link or submitting data. Bounced emails represent undeliverable messages.
Alongside the chart, the Net Reporter Score (NRS) is a metric used by PhishingBox to measure the group's/campaign's/test's/individual target's susceptibility to a phishing attack at a glance. NRS is computed every time an action is taken on an email or landing page during a phishing test..
On the right, you’ll find a breakdown of target behavior, including how many users only failed, how many reported and failed, and how many did not respond.
The Actions Summary tab provides a visual breakdown of how users interacted with a phishing simulation, highlighting the most severe action taken by each participant. The left chart categorizes user's most severe actions into four tiers, ranked by severity: No Action, Opened, Clicked, and Data Extended. If a user performed multiple failing actions (e.g., both clicked and submitted data), they are only counted once in this chart based on their worst action. This ensures that each target’s highest-risk behavior is what contributes to the overall statistics.
The right-hand chart shows how actions were filtered, including how many were flagged as neutral (such as opens) versus filtered as failed actions. This summary helps identify the overall risk exposure from a campaign by emphasizing the most critical user actions.
The IP Map tab plots the IP addresses of actions. You can zoom in/out on the map. This map also has the option of being opened in full screen, printed, or downloaded. Additionally, you can open the map in Highcharts Cloud.
Test Details
The test details section describes the test settings. It shows the test type (phishing or training), test name, campaign name (if clicked, you will be taken to the Campaign Details page), group name, test UUID, number of targets, number of scheduled/delivered/unsent/bounced emails, sending errors, templates used, webhook URL, auto-enroll, pass/fail notifications, start and end date/time, status (In Progress, Scheduled, Completed, etc.), metrics status, and the last time the metrics were updated.
At the bottom, you have the options to go back to the previous page or view an Executive Report of the test data by clicking on the Acrobat icon.
To the right of the Test Details tab is the Sending Details tab. This shows number of scheduled, delivered, unsent, bounced, and emails that were not sent due to an error.
If the test has auto-enroll configured, then there will be a Course Details tab to the right of the Test Details tab. The Course Details tab will show which course(s) targets will be enrolled into on certain fail action types.
Emails
The bottom part of the Test Details page provides detailed data about the emails sent to each target in the test. It shows whether the metrics are current and when the metrics were ran on that email, the associated target name, email address, sub group, department, number of emails delivered/opened, number of times links were clicked in the email, data extended, training received, and whether the target reported the email as phishing (read more about these terms in this article).
In addition, a "Send Training Page Link" button is available, which provides a way to copy the link to the training page or send a system email to the target that contains the training page link. Note that following this link to the training page will trigger a click link action for phishing emails, and this only applies to campaigns that use training pages. Further note that the test must be active and the template sent to the target must have a training page for this option to be available.
To the right of the email details is a drop-down containing three buttons: Log Report Action (which will cause the email to that target to show up as reported on the test; if a report action has already been logged, then this button will be Unlog Report Action), View Target Details (which will take you to the target details page for that target), and Generate Target Report (which will generate an Individual Target Report on that target).
Above the list of emails are three more icon buttons: Copy, CSV, Excel, and PDF. The Copy button will copy the email's data to your clipboard. The CSV, Excel, and PDF buttons will each download/open the data as CSV, Excel, or PDF files.
Actions
The Actions tab shows a breakdown by action for the test. It shows the email associated with the action, the date/time of the action, the action type (Email Opened, Reported, etc.), the IP address associated with the action, a breakdown of user-agent information, any filters applied to the action, AHD fingerprints, and current status. You can mass select actions from this tab and manually verify them.
By default, only actions that are Verified (or simply counted for older tests) will show. You can view Suspicious, Filtered, or All actions by using the select box at the top of the tab. Additionally, you can choose to show or hide various columns by using the "Column Visibility" dropdown at the top of the tab.
You can manually verify/filter actions by using the buttons in the Status column or the links in the dropdown menu. A modal will open that will allow you to select additional actions based on matching Campaign/IP/User-Agent combinations. Additionally, you can choose to create a corresponding IP Filter or Verified IP based on the same conditions. From the dropdown menu, you can also choose to delete an action. WARNING: Deleting an action cannot be undone!
To get a deeper understanding of how AHD works, take a look at the article here Advanced Human Detection (AHD).
IPs
This section shows detailed information about the IP address from which the test actions originated. It shows the number of actions associated with each IP address, as well as the location, latitudinal and longitudinal location of the IP address, and its filter. You may copy the IP data to your clipboard by clicking on the Copy icon button. You can download or open the IP data as a CSV, Excel, or PDF file by clicking the appropriate button. The far-right column tells whether or not the IP is filtered out from the counts and why, if it is (usually this will be blank). In the image below, the first action was filtered out because it was an action caused by Microsoft.
Templates
The templates section shows an overview of the templates used in the test. It shows the number of tests that the template was used in, the number of emails using each template, the percentage opened and failed, and the number of times that the template was reported as phishing. Clicking the magnifying glass will take you to the template. You may copy the template data to your clipboard by clicking on the Copy icon button. You can download or open the template data as a CSV, Excel, or PDF file by clicking the appropriate button.