Advanced Human Detection (AHD), along with other filters, is a method PhishingBox uses to help determine if an action was triggered by a human or caused by a bot/crawler. If AHD can determine that the action was caused by a bot or crawler, then it is considered a false positive and will be filtered out (i.e. not counted) from test results.
To view AHD results and verify or filter actions, navigate to Tests / Campaigns > Manage Tests. Click the name of the test whose actions you'd like to view on the Manage Tests table. Doing so will open the Test Details page. From the Test Details page, click the 'Actions' tab.
How it Works
By default, all actions are initially marked as Suspicious until AHD or other methods can positively determine if an action should be verified or filtered. When a target performs an action on a landing or training page, AHD collects information about the way the target interacts with the page. Mouse usage, keyboard input, device motion, and touchscreen interaction are some of the data points collected. If it can be determined based on AHD that the action is not a false positive, then the action will appear as "AHD Verified" on the test. AHD fingerprint detections are applied to all actions from the matching IP and User-Agent combination.
NOTE: Opens are the toughest action type to verify and therefore are only marked as Verified if an additional action or Verified IP can establish their legitimacy.
In the below example, the email open and click link actions count against the target because mouse movement was detected on the landing page. Note that AHD cannot verify an email open action by collecting mouse input; however, this input can be collected on a landing page. AHD is smart enough to see that the email open action was part of the same sequence of actions as the click link action and, therefore, was caused by a human. Both actions are thus verified.
If, however, an "open" cannot be identified through a matching IP and User-Agent to another action, the system will look for a previous open from Gmail or Outlook. Any "opens" found in this way will be marked as a "Matching Open."
Since multiple methods are being used to verify/filter the actions for legitimacy, some filters can override each other. Any filter that has been triggered but overridden will have a yellow icon instead of the red icon shown when the filter is applied. Verified IPs will show up as a green icon in this column.
- Bot Filter: If a bot/crawler can be positively identified, actions will trigger the bot filter.
- IP Filter/Verified IP: IPs can be either filtered or verified depending on account settings.
- User-Agent Filter: User-Agents that are unlikely to have been used by a human will trigger this filter.
- Too Quick Filter: An action that occurs too quickly after a message has been sent will trigger this filter. The default length of time is 30 seconds. It is recommended not to increase the length of time unless you have good evidence to do so.
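The following is an added illustrative model of the status rules described above, not PhishingBox's own code. The field names, the "Too Quick Filter" status label, the sample data, and the order in which verification and the Too Quick filter are checked are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import timedelta

TOO_QUICK = timedelta(seconds=30)            # default Too Quick window stated above
VERIFIED = {"AHD Verified", "Verified IP"}   # only these statuses count as failures

@dataclass
class Action:
    kind: str                    # "open", "click", ...
    ip: str
    user_agent: str
    delay: timedelta             # time between message send and the action
    human_input: bool = False    # mouse/keyboard/touch/motion seen on the page
    status: str = "Suspicious"   # every action starts as Suspicious

def classify(actions, verified_ips=frozenset()):
    # Opens carry no interaction data, so only page actions seed fingerprints.
    human = {(a.ip, a.user_agent) for a in actions
             if a.kind != "open" and a.human_input}
    for a in actions:
        # Assumed precedence: verification is checked before the Too Quick filter.
        if a.ip in verified_ips:
            a.status = "Verified IP"
        elif (a.ip, a.user_agent) in human:
            a.status = "AHD Verified"    # applies to every action from this IP + User-Agent
        elif a.delay < TOO_QUICK:
            a.status = "Too Quick Filter"
    return actions

def counted_failures(actions):
    # Suspicious and filtered actions are excluded from the results.
    return [a for a in actions if a.status in VERIFIED]

def sample_actions():
    # Constructed events: a mail scanner, a human target, and a lone open.
    s, m = timedelta(seconds=1), timedelta(minutes=1)
    return [
        Action("open", "203.0.113.10", "ExampleScanner/1.0", 4 * s),
        Action("click", "203.0.113.10", "ExampleScanner/1.0", 5 * s),
        Action("open", "198.51.100.7", "ExampleBrowser/1.0", 10 * m),
        Action("click", "198.51.100.7", "ExampleBrowser/1.0", 11 * m, human_input=True),
        Action("open", "192.0.2.50", "ExampleMail/1.0", 120 * m),
    ]

if __name__ == "__main__":
    for a in classify(sample_actions()):
        print(f"{a.kind:5} {a.ip:13} {a.status}")
```

The lone open stays Suspicious because no other action or Verified IP backs it up; the "Matching Open" lookup is not modeled here.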
Possible AHD Fingerprints
The "User Data" detection will collect any data from the Landing Page that could be stored on the Target for comparison. Any matching fields will be noted and then any collected data will be deleted (no entered data from Landing/Training pages is stored).
Possible Action Statuses
The final status of an action is determined by applying all AHD fingerprints and other filters. Actions that have been verified will have a green icon and a brief description. Filtered actions will have a red icon and a brief description. Suspicious actions will have a yellow icon and description of "Suspicious." Additionally, suspicious actions will have buttons in the status column to either manually verify or filter the action.
Actions from older tests (i.e., before AHD data was available) will be marked with either "Pre AHD Counted" or "Pre AHD Filtered."
How does this affect our account?
Advanced Human Detection (AHD) will be applied to all future Phishing Campaign actions. This allows us to add two new categories to these actions: verified and suspicious. Verified actions are those that can be confirmed as real through a number of tests. Suspicious (the default for all incoming actions) means that the action cannot be either filtered (due to an IP Filter or confirmed bot) or verified. 99% of the time these are bots and other virus and spam detection tools scanning the email. Before AHD, all actions that were not filtered were considered to be legitimate and therefore counted as failures. However, going forward, only those actions that can be verified through AHD or Verified IPs will be counted and considered as a failure.
Does this affect past tests/campaigns?
No, past test data will remain as is. Only tests running after the AHD release date will have the new filtering algorithms applied.