
Advanced Human Detection (AHD)

Overview

We use Advanced Human Detection (AHD), along with other filters, to help determine if an action was triggered by a human or caused by a bot/crawler. If AHD can determine that the action was caused by a bot or crawler, then it is considered a false positive and will be filtered out (i.e., not counted) from test results.

To view AHD results and verify or filter actions, navigate to Tests / Campaigns > Manage Tests. On the Manage Tests page, click the name of the test to open the Test Details page. From the Test Details page, click the "Actions" tab. This will bring up the following table, where the AHD column shows the AHD status of each respective target:

Actions tab for test details


How AHD Works

By default, all actions are initially marked as unverified until AHD or other methods can positively determine if an action should be verified or filtered. 

When a target performs an action on a landing or training page, AHD collects information about the way the target interacts with the page. For instance, mouse usage, keyboard input, device motion, and touchscreen interaction are some of the data points collected. 

If it can be determined based on AHD that the action is not a false positive, then the action will appear as "AHD Verified" on the test. AHD fingerprint detections are applied to all actions from the matching IP and User-Agent combination.

NOTE: Opens are the most challenging action type to verify and are marked as "Unverified Counted" by default. Since AHD cannot be applied to Open actions, these actions can only be verified or filtered using Verified IPs, IP Filters features, or by an associated clicked link action.

In the example below, the email open and click link actions count against the target because mouse movement was detected on the landing page. 

Note that AHD cannot verify an email open action by collecting mouse input, but mouse input can be collected on a landing page. AHD is smart enough to see that the email open action was part of the same sequence of actions as the click link action and was therefore caused by a human. Both actions are thus verified.

If, however, an "open" cannot be identified through a matching IP and User-Agent to another action, the system will look for a previous open from Gmail or Outlook. Any "opens" found in this way will be marked as a "Matching Open."

Example of AHD verified actions

Possible Filters

Since multiple methods are being used to verify/filter the actions for legitimacy, some filters can override each other. Any filter that has been triggered but overridden will have a yellow icon instead of the red icon it would have if applied. Verified IPs will show up as a green icon in this column.

Filters regarding AHD verification
  1. Bot Filter: If a bot/crawler can be positively identified, actions will trigger the bot filter.
  2. IP Filter/Verified IP: IPs can be either filtered or verified depending on settings configured in Phishing Settings.
  3. User-Agent Filter: User-Agents that are unlikely to have been used by a human will trigger this filter.
  4. Too Quick Filter: An action that occurs too quickly after a message has been sent will trigger this filter. The default length of time is 30 seconds. It is recommended to not increase the length of time unless you have good evidence to do so.
  5. Too Many Accounts Filtered: This automatic filter occurs because the action IP address in question is listed in the filters of multiple PhishingBox accounts.

Possible AHD Fingerprints

AHD Fingerprints

The "User Data" detection will collect any data from the Landing Page that could be stored on the Target for comparison. Any matching fields will be noted and then any collected data will be deleted (no entered data from Landing/Training pages is stored).

  1. Mouse Movement Detected: Mouse movement from a Windows PC or Mac computer.
  2. Mouse Click Detected: Click detected from a Windows PC or Mac computer. A bot or crawler from a Windows Server-based machine will not trigger this human detector.
  3. Keyboard Detected: If a user enters any information into the landing page through a keyboard.
  4. Touchscreen Detected: Mobile phone or tablet renders the landing page.
  5. Device Motion Detected: Detects if a mobile phone or tablet moves position/rotates. 

Possible Action Statuses

The final status of an action is determined by applying all AHD fingerprints and other filters. Actions that have been verified will have a green icon and a brief description. Filtered actions will have a red icon and a brief description. Suspicious actions will have a yellow icon and description of "Suspicious." Additionally, suspicious actions will have buttons in the status column to either manually verify or filter the action.

AHD Action Statuses

Actions from older tests (i.e., before AHD data was available) will be marked with either "Pre AHD Counted" or "Pre AHD Filtered."

  1. Action Type Verified: Any action which has been identified in the system, or by an admin, to be legitimate. 
  2. AHD Verified: AHD fingerprint detected from an IP and User-Agent that is not filtered.
  3. IP Verified: Action IP is on the verified IP list in the Phishing Settings.
  4. Manual Verified: Action that was manually verified by a portal admin. 
  5. Pre AHD Counted: Any action before the AHD update.
  6. Unverified Counted Open: Any open that does not register to a verified Action or IP and User Agent filter. 
  7. Verified Open: Any open action which comes from the same IP and User Agent as a verified Action.
  8. QR Code Verified: Click was initiated through loading the QR code. Please note that QR Code actions are only verified from mobile devices. 
  9. Suspicious: No bot detection or AHD fingerprints.
  10. Bot Filtered: Action originated from a known Bot or Crawler.
  11. Filtered: Action is filtered. 
  12. IP Filtered: Action IP is the same as a filtered account or system IP. 
  13. Manual Filtered: Action has been manually filtered by a portal admin.
  14. Too Quick Filtered: Action has occurred within a timeframe under the Too Quick Filtered setting in Phishing Settings.
  15. User Agent Filtered: Action user agent is the same as a filtered account or system. 
  16. Too Many Accounts Filtered: This automatic filter occurs because the action IP address in question is listed in the filters of multiple PhishingBox accounts.
When actions have the "Verify" and "Filter" buttons in the status column, this means:

  • The action IP is not in the Verified IPs or IP Filters list.
  • AHD was unable to determine if the action was from a human or bot.

NOTE: If you encounter actions in this state, you can review the IP address and user agent to determine whether the action should be verified or filtered. If you conclude that an action should have been verified, you have the option to add the IP address to your Verified IPs list, ensuring that future actions from that IP are automatically verified. Conversely, if you determine the action should be filtered, you can add the IP address to your IP Filters list.
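The status rules described in this article can be sketched as a small classifier. This is an added example, not PhishingBox's code: the field names, the order in which filters are checked, and the sample records are assumptions, and the "Matching Open" and User-Agent filter rules are left out.

```python
# Added illustration; field names, filter precedence and sample data are assumptions.
from dataclasses import dataclass, field

TOO_QUICK_SECONDS = 30  # default Too Quick Filter window stated in the article

@dataclass
class Action:
    kind: str                  # "open" or "click"
    ip: str
    user_agent: str
    seconds_after_send: float
    fingerprints: set = field(default_factory=set)  # e.g. {"mouse_movement"}
    known_bot: bool = False

def classify(actions, verified_ips=frozenset(), filtered_ips=frozenset()):
    """Return one status string per action, in input order."""
    # AHD fingerprints apply to every action from the same IP + User-Agent pair;
    # opens never carry fingerprints of their own.
    human_pairs = {(a.ip, a.user_agent) for a in actions
                   if a.fingerprints and a.kind != "open"}
    statuses = []
    for a in actions:
        if a.ip in verified_ips:
            s = "IP Verified"
        elif a.ip in filtered_ips:
            s = "IP Filtered"
        elif a.known_bot:
            s = "Bot Filtered"
        elif a.seconds_after_send < TOO_QUICK_SECONDS:
            s = "Too Quick Filtered"
        elif (a.ip, a.user_agent) in human_pairs:
            s = "Verified Open" if a.kind == "open" else "AHD Verified"
        elif a.kind == "open":
            s = "Unverified Counted Open"
        else:
            s = "Suspicious"  # shown with Verify / Filter buttons
        statuses.append(s)
    return statuses

SAMPLE = [  # constructed records using documentation-range IP addresses
    Action("open", "203.0.113.10", "UA-browser", 300),
    Action("click", "203.0.113.10", "UA-browser", 320, {"mouse_movement"}),
    Action("click", "198.51.100.7", "UA-scanner", 4),
    Action("click", "198.51.100.8", "UA-scanner", 90),
    Action("open", "198.51.100.9", "UA-proxy", 600),
    Action("click", "192.0.2.50", "UA-crawler", 120, known_bot=True),
]

if __name__ == "__main__":
    for action, status in zip(SAMPLE, classify(SAMPLE)):
        print(f"{action.kind:6} {action.ip:14} {status}")
```

The first two records show the open being verified through the click that shares its IP and User-Agent, which is the sequence described under "How AHD Works."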

FAQs

How does this affect our account?

Advanced Human Detection (AHD) will be applied to all future Phishing Campaign actions. This allows us to add two new categories to these actions: verified and suspicious. Verified actions are those that can be confirmed as real through a number of tests. Suspicious (the default for all incoming actions) means that the action cannot be either filtered (due to an IP Filter or confirmed bot) or verified. 99% of the time these are bots and other virus and spam detection tools scanning the email. Before AHD, all actions that were not filtered were considered to be legitimate and therefore counted as failures. However, going forward, only those actions that can be verified through AHD or Verified IPs will be counted and considered as a failure.

Does this affect past tests/campaigns?

No, past test data will remain as is. Only tests running after the AHD release date will have the new filtering algorithms applied.
