Email Reporting
Right now, reporting is supported only on the server side. Gophish does not yet ship email client extensions or add-ons to facilitate reporting, but as of v0.9.0 it does support email reporting via IMAP.
When running phishing simulations, we often focus solely on how many users clicked the links and submitted their credentials to the spoofed page. However, there is just as much, if not more, value in tracking who reported the emails to their administrator.
Consider a simple scenario where we send out 100 simulated phishing emails. Let’s look through two possible outcomes:
- Outcome 1 - Only one user clicks the link and submits credentials. That’s great! However, no one reports the email. In this case our users were targeted by phishing and an attacker now holds a valid set of credentials, yet as administrators we don’t know anything has happened.
Reporting suspicious emails can help limit the impact of a phishing campaign. It’s recommended to build a culture that rewards the users who report emails. Even something small, like an email to that employee and their manager thanking them for their vigilance, can go a long way. This positive feedback encourages users to report more emails in the future.
As of v0.9.0, Gophish can check a configured mailbox via IMAP for campaign emails that have been reported. Once a campaign email is found, the corresponding result is updated to show that the user reported the email.
Each Gophish user has the ability to configure their own IMAP settings. These settings are found under “Account Settings > Reporting Settings”.
The most common settings you’ll need are the IMAP hostname, port, username, and password. You will usually want to enable TLS, since without it the mailbox credentials and the reported messages cross the network in cleartext, but confirm the correct settings with your email provider.
After configuring the IMAP settings, you can either save them or click the “Test Settings” button to confirm that Gophish can establish an IMAP connection with them.
Every email sent by Gophish contains a link pointing to the Landing Page configured for the campaign. This URL looks like this:
The rid parameter identifies the recipient this link was generated for. To report an email sent by Gophish, an HTTP request needs to be made to:
http://phish_server/report?rid=1234567
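The following Go program is an added example, not code from the Gophish project: it shows the logic described above, extracting the rid from a campaign link found in an email body and deriving the /report endpoint for it, which is what a custom reporting hook (a mail-flow rule, a helpdesk script, or a client add-on) would do before Gophish’s own IMAP polling existed. The sample email body, the host phish.example.com, and the treatment of any non-2xx response as a failed report are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// urlPattern finds http/https links in a plain-text or HTML email body.
var urlPattern = regexp.MustCompile(`https?://[^\s"'<>]+`)

// ExtractRID returns the scheme+host of the first link in body that carries
// a rid query parameter, together with the rid value. ok is false when the
// body contains no such link, i.e. it is not a Gophish campaign email.
func ExtractRID(body string) (base, rid string, ok bool) {
	for _, raw := range urlPattern.FindAllString(body, -1) {
		raw = strings.TrimRight(raw, ".,;)") // drop trailing punctuation
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		if v := u.Query().Get("rid"); v != "" {
			return u.Scheme + "://" + u.Host, v, true
		}
	}
	return "", "", false
}

// ReportURL builds the endpoint that marks the recipient as having reported
// the email: <scheme>://<host>/report?rid=<rid>, as documented above.
func ReportURL(base, rid string) string {
	q := url.Values{}
	q.Set("rid", rid)
	return base + "/report?" + q.Encode()
}

// ReportFromBody combines both steps. A body without a rid link yields
// ok=false so that a non-simulation email is never reported by mistake.
func ReportFromBody(body string) (string, bool) {
	base, rid, ok := ExtractRID(body)
	if !ok {
		return "", false
	}
	return ReportURL(base, rid), true
}

// Report issues the GET request against the Gophish server. For this
// example any non-2xx status is treated as a failed report (assumption).
func Report(client *http.Client, reportURL string) error {
	resp, err := client.Get(reportURL)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("report of %s failed: %s", reportURL, resp.Status)
	}
	return nil
}

func main() {
	// Constructed sample body, shaped like a simulated phishing email.
	body := `Your password expires today. Reset it here:
https://phish.example.com/?rid=1234567
Thanks, IT Support`
	if u, ok := ReportFromBody(body); ok {
		fmt.Println("report URL:", u) // https://phish.example.com/report?rid=1234567
	}
}
```

Only the link that actually carries a rid is used, so forwarded threads that quote other URLs, or emails that are not part of a campaign, produce no request.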