When sending phishing emails to targets on a Google Workspace/Gmail account, you will often not see email opens being tracked (unless the target clicked a link in the email). You may see email open actions being filtered as "Sys UserAgent Filtered", as shown below (this image was taken on the Actions tab of the Test Details page)
This is because Google first caches (i.e. stores) the images in the email on its server, automatically triggering an open action. It then displays the image from its own server when the target opens the email. The way Portal is able to log email open actions is by a receiving a request for the hidden image inside the phishing email. But, when that image has been cached by Google and is requested from there instead of from the Portal's server, we are unable to receive this request. We only get the initial open action from Google for the image. If, however, the target clicks a link in the email, then we will assume an open action and log that.
Please sign in to leave a comment.