Weak Network Egress Detection

Created by Antonio Ortiz, Modified on Fri, 11 Sep 2020 at 08:28 AM by Jason Carreiro


What is Weak Network Egress Detection in my Phishing campaign mean?


Our Phishing program allows you to check the permissiveness of your user network(s). This check is completed when a user clicks on a campaign link, or opens an attachment from one of our attachment campaigns. This check can also be performed on the email open when the weak network egress option is selected during campaign creation. By default, the network egress -- email opened check is disabled by default. The reason weak network egress detection is disabled by default, is due to known Microsoft Outlook bugs which may cause instability; specifically, remote images located on inaccessible ports (due to firewall or other security rules). This ultimately can cause instability when users attempt to forward an email containing these images.

Within every Phishing email that your user receives, we embed a hidden, transparent, 1x1 pixel .gif image at one of our URLs. When the user's email client retrieves the image from our server, we mark the user as having opened the email message. When the weak network egress toggle is checked, we will include a secondary hidden 1x1 pixel that is hosted on port 49152. This pixel is referred to as the alt_pixel.

If this image is accessed by a user, they are marked as having clicked from a network with weak egress controls. This simply means that the network is allowing the connection to a non-standard port. Typically within corporate firewalls we would see this port blocked, or otherwise be inaccessible. Whereas if a user clicks from home, it would be very likely to see this connection.

Enabling Weak Network Egress Detection

The weak network egress toggle can be found on the campaign creation screens for all campaign types. This toggle will be unchecked by default, meaning no alt_pixel is included in the campaign emails. However, if the toggle is checked, an alt_pixel will be included in all emails sent within a campaign.


Weak Network Egress Reporting

Within the user tab on the campaign details screen you will see the Weak Egress metric as a yes/no metric. In the instance below, the user opened the email from a network that allowed the connection to retrieve the alt_pixel. If the network had blocked this connection, No would be displayed under the Weak Egress header.