Searchable Header in Mail Server

Created by Antonio Ortiz, Modified on Fri, 11 Sep, 2020 at 8:35 AM by Jason Carreiro

Question

Are searchable headers found in every Phishing email?

Answer

Yes. Every Phishing message contains the following headers:

X-ThreatSim-Header: http://threatsim.com/speartraining?id={GUID}
X-ThreatSim-ID: {GUID}

The GUID is the internal ID that we use to track a particular user for a particular campaign. This header is used by our plugin and for other tracking purposes. 

Some customers have wondered if having this header gives away the fact that the email is from a Phishing Campaign. Our view on this is that users who are savvy enough to look at the SMTP headers are arguably less susceptible to being phished in the first place. We have to balance creating a realistic simulation with the operational realities of running a phishing service (message tracking, troubleshooting, etc.). If the content of the email is sophisticated enough and the user is drawn in by your phish, they may not even bother to inspect the headers before clicking.
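
For mail administrators who want to search for these headers, the following Python sketch is an added example (not the vendor's code) that finds the two headers in a raw message and checks that they carry the same GUID. The function name `threatsim_id`, the canonical 8-4-4-4-12 GUID format, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse, parse_qs

# Assumption: "{GUID}" is the canonical 8-4-4-4-12 hex form (the page does not say).
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def threatsim_id(raw_message):
    """Return (guid, status) for one raw message; threatsim_id is a hypothetical name.

    status: "none" = no simulation headers, "ok" = both present and agreeing,
    "inconsistent" = one missing, malformed, or the two GUIDs differ.
    """
    msg = message_from_string(raw_message, policy=default)
    id_hdr = msg.get("X-ThreatSim-ID")        # lookup is case-insensitive
    url_hdr = msg.get("X-ThreatSim-Header")
    if id_hdr is None and url_hdr is None:
        return None, "none"
    guid = str(id_hdr or "").strip().lower()
    # The URL header carries the same GUID in its id= query parameter.
    query = parse_qs(urlparse(str(url_hdr or "").strip()).query)
    url_guid = query.get("id", [""])[0].lower()
    if GUID_RE.fullmatch(guid) and guid == url_guid:
        return guid, "ok"
    # Headers are sender-controlled: do not treat a malformed pair as a simulation.
    return None, "inconsistent"

# Constructed sample messages (not real mail); the GUID is made up.
GUID = "3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d"
SIMULATED = (
    "From: it-support@example.com\n"
    "Subject: Password expiry\n"
    f"X-ThreatSim-Header: http://threatsim.com/speartraining?id={GUID}\n"
    f"x-threatsim-id: {GUID.upper()}\n"
    "\nbody\n"
)
ORDINARY = "From: alice@example.com\nSubject: Lunch\n\nbody\n"
MISMATCH = SIMULATED.replace(f"id={GUID}", "id=" + "0" * 8 + GUID[8:])

if __name__ == "__main__":
    for name, raw in [("simulated", SIMULATED), ("ordinary", ORDINARY), ("mismatch", MISMATCH)]:
        print(name, threatsim_id(raw))
```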