All Collections
PHISH
Setup
CybSafe Phishing
CybSafe Phishing

All you need to know about CybSafe's simulated phishing feature

Ben Robinson avatar
Written by Ben Robinson
Updated over a week ago

What are simulated phishing emails?

Occasionally, CybSafe may send you simulated phishing emails. They’re designed to look like real malicious emails used by cyber criminals.

These emails are not sent to try and catch you out. They’re used to help you recognise genuine malicious emails!

They’re completely harmless, but do treat them as you would any real malicious email (delete and report!).

If you’d like to know how many simulated emails you’ve successfully avoided, you can check your Progress Page.

Allowlisting Simulated Phishing Emails

To make sure our simulated phishing emails reach your users, you need to arrange for the following IP address and domain to be allowlisted in your mail servers (you may need your IT department to enable this):

IP 167.89.33.127 /cs-mail-sender.com / Simulated Phishing attacks

If you are using a mail filter, both your email solution and inbound gateway (Filter) needs to be allowlisted.

For more information about allowlisting, click here.

Phishing Campaign Settings

CybSafe gives you the ability to create phishing campaigns that target specific groups of users.

To edit campaign settings, navigate to “Phishing Settings” underneath the Settings tab on the left hand menu.

You will then see an overview page of all Phishing campaigns, both active and disabled. From here you can edit an existing campaign or create a new one.

If you wish to create a new campaign, click “Create Phishing Campaign”

You will arrive on the “Create Campaign” page as seen below:

Here you can select whether a campaign is active or not (campaigns not set to active will not send out any emails), as well as the name of the campaign.

Also customisable is the rate that emails are sent. You can set how many emails go out and the period of time they go out for.

For example you can configure CybSafe to send out 7 emails every 2 weeks or 3 emails every 4 weeks.

Once you have chosen your settings you can choose to save the campaign there and then. This will mean that everyone that is active on CybSafe (anyone who has been uploaded and not deactivated) will begin to receive phishing emails, regardless if they have logged in or been invited to CybSafe.

It will also mean that the campaign runs continuously, with it ending only when you toggle the “Active” button.

Advanced Campaign Settings

By selecting “Advanced” you have the option of customising your campaign further still:

Here you can set the Campaign period, a start and end date for when you want your campaign to run. You can also set the hours in which you want the phishing emails to go out.

Please note that currently these times are for GMT only, so adjust accordingly for your time zone.

Specific groups can also be chosen to be enrolled in a campaign. If selected then only the chosen groups will receive phishing emails.

For more information on how to set up groups check out our article on Group Management.

Finally, you have the option to turn on custom email selection. If this is turned on then you will be able to select which phishing emails you want to include in a specific campaign.

Simply select which emails to include with the checkbox and select “add to campaign”. The chosen emails will then appear on the right hand menu under “Campaign templates”.

To assist you in selecting, you are able to preview both the email itself and the simulated attack website.

Phishing Log

The Phishing Log page reveals information on simulated phishing activity. It shows when simulations were sent. It shows to whom simulations were sent. It shows simulation subject lines. And it shows if and how users responded. For further insights, you can filter emails by status.

You can filter emails by status.

Here is a full list of each status an email can have and what they mean:

  • Processed - Requests from CybSafe that have been processed.

  • Clicks - Whenever a recipient clicks one of the Click Tracked links in a CybSafe email.

  • Delivered - The accepted response generated by the recipients' mail server.

  • Opens - The response generated by a recipient opening a CybSafe email.

  • Deferred - The recipient mail server asked to stop sending CybSafe emails so fast.

  • Unsubscribe - Whenever a recipient unsubscribes from CybSafe emails.

  • Drops - Dropped emails occur when the contact on a CybSafe email is in one of our suppression groups, an email has previously bounced, or the recipient has marked CybSafe emails as spam.

  • Bounces - The receiving server could not or would not accept the email. If a recipient has previously unsubscribed from CybSafe emails, our attempt to send to them is bounced.

  • Spam Reports - Whenever a recipient marks CybSafe emails as spam and their mail server tells us about it.

Advanced Simulated Phishing Information

Tracking Simulated Phishing Emails

CybSafe phishing tracks the "opens" of an email using a unique hidden image pixel to record an open event. This however has some technical limitations:

  • It will vary amongst mail clients and configuration, but if "Automatically download external images" is disabled or blocked, then an open event is not captured.

  • Some inbound mail gateways open images automatically to scan the contents. We do implement algorithms to reduce the impact of this where possible.

We use email service SendGrid to track email opens, clicks and bounces. Our simulated phishing emails contain non-copyright brands, with non-offensive content.

The sender domain will always be cs-mail-sender.com but with a spoofed <from> address.

The tracking url will always contain https://u6197305.ct.sendgrid.net from SendGrid, where only CybSafe are authorised to use this subdomain. For secure use in an allow list, we recommend to include the subdomain: u6197305.ct.sendgrid.net

CybSafe do not send file attachments in emails.


Users may be encouraged to enter data as part of the phishing simulation. CybSafe will only capture the metadata surrounding the event, at no stage is input data recorded, analysed or retained in any way. Users who click through a phishing email are redirected to a learning page that provides information on the simulated attack and advice on how to avoid similar attacks in the future.

Triage Advice

In addition to the allow list of domains/IP addresses, CybSafe emails always contain HTML with the following signature:

<div title="cs-unique-ref:1b54b04f-80fc-47d3-b474-702167740795;">

The HTML shown in BOLD will always be present, so email triage can be automated with an HTML body search for “cs-unique-ref”.

Useful Resources

Still have any questions?

If you still have any questions, you can contact the team at support@cybsafe.com and we will be happy to answer any further concerns.

Related Articles
How to add CybSafe to your allow list
Advanced simulated phishing information
Email and phishing logs and what statuses mean
Report phishing button integration - Microsoft
Report phishing integration with CybSafe
Did this answer your question?