Ignore Third Party Service IP Addresses

Allowlisting can be hard! Sometimes the best solution is to ignore it!

Overview

Phin measures each user's performance on phishing simulation emails by recording whether or not the user clicks on a link in the email. When the user clicks on the link, they are redirected to our portal and Phin records that the email was clicked by a user.

With advances in email monitoring and threat protection, there are now many services that can scan emails on delivery or post-delivery. As part of this scanning process, these services may examine the links in an email and attempt to load the website. This leads to Phin tracking that the email was clicked and updating the user's performance and reporting records. The result is a "false positive": an incorrect data point showing the user as failing an assessment when it was not their fault.

Our current allowlisting guide aims to prevent issues like this from occurring. However, under some circumstances, services such as Microsoft Defender and other Microsoft services still take action on emails in a user's inbox. To combat this and prevent false positives in the portal, Phin has added the ability to ignore clicks from such services when the IP address matches one of the IP addresses linked to Microsoft.

How does it work?

When the "Ignore Third Party Service IP Addresses" feature is enabled for a company, Phin changes how it tracks a click on one of our phishing simulation emails. When a phishing simulation email is clicked, Phin notes the IP address associated with the request and compares it with the list of Ignored IP Addresses (found above). If the IP address associated with the click does NOT match any in the list, Phin tracks it as a real user opening and clicking on a link in the associated phishing simulation email. If the IP address associated with the click matches a record in the Ignored IP Addresses list, Phin stores a hidden false positive record for the phishing simulation email that was sent. This false positive record contains data associated with the event:

  • the date and time of the event
  • the IP Address associated with the event
  • the User Agent associated with the event
  • the reason the event was marked as a false positive, including which service the IP Address belongs to

These false positive records will neither count as a "click" nor impact the user's performance score. They will also appear neither in reports nor in the dashboard.
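
The matching flow described above, as an added example that is not Phin's own code: a click's source IP is checked against CIDR ranges, and a match produces a false positive record with the four fields listed instead of a counted click. The ranges, service labels and all function and class names are constructed placeholders (documentation address space, not real service ranges), and treating an unparseable address as a real click is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space),
# NOT real service ranges. The service labels are illustrative only.
IGNORED_RANGES = {
    "Example scanner A": ["192.0.2.0/24", "2001:db8:a::/48"],
    "Example scanner B": ["198.51.100.0/25"],
}
_NETWORKS = [
    (ipaddress.ip_network(cidr), service)
    for service, cidrs in IGNORED_RANGES.items()
    for cidr in cidrs
]

@dataclass
class ClickEvent:
    kind: str            # "click" or "false_positive"
    timestamp: datetime  # date and time of the event
    ip: str              # IP address associated with the event
    user_agent: str      # User Agent associated with the event
    reason: str = ""     # why it was ignored, including the owning service

def classify_click(ip, user_agent, now=None):
    """Return a counted click or a hidden false positive record."""
    now = now or datetime.now(timezone.utc)
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        # Assumption: an unparseable address cannot match the list,
        # so it is tracked as a real click.
        return ClickEvent("click", now, ip, user_agent)
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it matches IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for network, service in _NETWORKS:
        if addr.version == network.version and addr in network:
            reason = f"source IP in ignored range {network} ({service})"
            return ClickEvent("false_positive", now, str(addr), user_agent, reason)
    return ClickEvent("click", now, str(addr), user_agent)

def user_click_count(events):
    """Only real clicks affect the score; false positives are excluded."""
    return sum(1 for e in events if e.kind == "click")
```

Because the decision rests on source IP alone, a person who clicks from inside an ignored range is also recorded as a false positive, so the ignored list should stay as narrow as the scanning services allow.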

How to enable/disable?

This feature is enabled by default. In order to disable this feature, log in to Phin and navigate to the company that needs this feature turned off. Next, navigate to the company Settings page via the sidebar on the left side of the screen. Here you can disable the feature by checking the box and saving the changes.

 

Have a suggestion for how to improve this feature or anything else in Phin? Get in touch with us via our feature request board here (https://www.phinsec.io/knowledge/kb-tickets/new). Make sure to select Feature Request in the ticket type dropdown.