FAQs and Troubleshooting

Share

Is this article helpful?

Last updated:

Phishing Campaign Attachments Overview

Using your KnowBe4 console, you can test your users with many different attack vectors. One way you can test your users is to add attachments to your phishing tests to see whether or not your users will open them. When creating your phishing campaign, you can do this by selecting Attachments with Macros under Template Topics. For more information on creating and managing your Phishing Security Tests, visit our Create and Manage Phishing Campaigns article.

If you don't want your users to be tested with phishing emails that include attachments, you can disable specific attack vectors by clicking the Template Exclusions link in the top-right corner of System Templates in the Phishing tab. To learn more about excluding specific attachments, topics, template features, and placeholders, please visit our Phishing Templates Advanced Features Guide.

A list of all our attachment types, the different failures they record, and a brief description of what your users will experience is shown below:

Note: While these attachments can be renamed, their contents cannot be customized.
Attachment Type File Extension Failure Types Recorded User Experience
Word Document .docx Attachment Opened, Clicked The file will prompt the user to click a link in order to view the document.
Word Document with Macro .doc, .docm Attachment Opened, Macros Enabled, Clicked

The file will prompt the user to enable macros to view the content of the file. If they enable macros, they will be taken to the landing page selected on the phishing campaign or template. The macros are beaconized to "call home" to our servers in order to track that macros were enabled. The file will also prompt the user to click a link. If the user clicks the link, they will also be taken to the selected landing page.

The .docm version can be used if the .doc version is causing an additional warning prompt for your users.
PowerPoint Document .pptx Attachment Opened The file will contain steps to view the PowerPoint presentation. This attachment will not take the user to a landing page.
PowerPoint Document with Macro .pps Attachment Opened, Macros Enabled If the user clicks on content in the file, they will be prompted a second time to enable macros to view content. If they enable macros, they will be taken to the landing page selected on the phishing campaign or template. The macros are beaconized to "call home" to our servers in order to track that macros were enabled. 
Excel Document .xlsx Attachment Opened, Clicked The file will contain a prompt for the user to click a link in order to view the document. If they click the link, they'll be taken to the landing page selected on the phishing campaign or template.
Excel Document with Macro .xls, .xlsm Attachment Opened, Macros Enabled, Clicked

The file will prompt the user to enable macros to view the content of the file. If they enable macros, they will be taken to the landing page selected on the phishing campaign or template. The macros are beaconized to "call home" to our servers in order to track that macros were enabled. The file will also prompt the user to click a link. If the user clicks the link, they will also be taken to the selected landing page.

The .xlsm version can be used if the .xls version is causing an additional warning prompt for your users.
PDF .pdf Attachment Opened, Clicked Initially, the file will prompt the user to allow a connection request. If the user allows it, the attachment will be tracked as opened. Once opened, the file will prompt the user to click a link in order to view the document. If they click the link, they'll be taken to the landing page selected on the phishing campaign or template.
Zipped Word Document .zip Attachment Opened, Clicked After the file is unzipped and opened, the user will be prompted to click a link in order to view the document. If they click the link, they'll be taken to the landing page selected on the phishing campaign or template.
Zipped Word Document with Macro .zip Attachment Opened, Macros Enabled, Clicked After the file is unzipped and opened, the user will be prompted to enable macros to view the content of the file. If they enable macros, they will be taken to the landing page selected on the phishing campaign or template. The macros are beaconized to "call home" to our servers in order to track that macros were enabled. The file will also prompt the user to click a link. If the user clicks the link, they will also be taken to the selected landing page.
Zipped PowerPoint Document .zip Attachment Opened After the file is unzipped and opened, the user will be presented with steps to view the PowerPoint presentation. This attachment will not take the user to a landing page.
Zipped PowerPoint Document with Macro .zip Attachment Opened After the file is unzipped and opened, the user will be prompted to enable macros to view the content of the file. If they enable macros, they will be taken to the landing page selected on the phishing campaign or template. The macros are beaconized to "call home" to our servers in order to track that macros were enabled.
Zipped Excel Document .zip Attachment Opened, Clicked After the file is unzipped and opened, the user will be prompted to click a link in order to view the document. If they click the link, they'll be taken to the landing page selected on the phishing campaign or template.
Zipped Excel Document with Macro .zip Attachment Opened, Macros Enabled, Clicked After the file is unzipped and opened, the user will be prompted to enable macros to view the content of the file. If they enable macros, they will be taken to the landing page selected on the phishing campaign or template. The macros are beaconized to "call home" to our servers in order to track that macros were enabled. The file will also prompt the user to click a link. If the user clicks the link, they will also be taken to the selected landing page.
Zipped PDF .zip Attachment Opened, Clicked After the file is unzipped and opened, the user will be prompted to click a link in order to view the document. If they click the link, they'll be taken to the landing page selected on the phishing campaign or template.
HTML File .html Attachment Opened, Clicked After the file is downloaded and opened, the user will see a short line of text before the page automatically redirects to the landing page selected on the phishing campaign or template. 
HTML File with Link .html Attachment Opened, Clicked After downloading and opening the file, the user will be prompted to click a link. If the user clicks the link, they'll be taken to the landing page selected on the phishing campaign or template.
Note: If a user opens a Microsoft 365 attachment but does not enable editing, the attachment may not track as being opened. If a user is previewing an attachment outside of its native program, this may not be tracked as an attachment open. However, if the user clicks the link in the attachment, you may see a click failure. 

How Attachment Opens and Enabled Macros Are Tracked

Attachment opens are tracked by a small tracking image placed in the attachment, except for PDF attachments, which require the beaconized Javascript to run in order to count as an open. If that image is allowed to load, or if the user opens the file, then your console will report the attachment as being opened.

For macro attachments, the file is beaconized and will "call home" to our servers when the macro is enabled, and the enabled macro will be recorded in your phishing campaign results.

Why Attachments Might Not Show as Open

If you have conducted an attachment phishing test and you find your results to be potentially inaccurate, then the following may be occurring:

  • Your user must open the attachment in its native program for it to be tracked. If your user does not open the attachment in its native program, the opening of the attachment won’t be recorded. The native programs include Adobe for PDF attachments, Excel for XLS attachments, Word for DOC attachments, and so on.
  • If your users are only using a preview method to look at the attachment, this action may not count as an opened attachment.

How Phishing Attachment Failures Are Reported

Phishing attachment opens are tracked by a small tracking image placed in the attachment. If your users are opening phishing attachments, but their Attachment Opened failures aren't being tracked, a firewall or proxy may be blocking the connection to our KnowBe4 domains. You can view our Whitelisting Guide for further information on how to whitelist our domains.

You can optionally test whether your web filter is blocking the Attachment Opened failures by extracting the URL in the attachment. To locate the URL, open the email that contains the attachment with the URL you want to find. Once you have located the attachment, read the sections below for instructions on how to extract the URL for that attachment type.

Microsoft 365 Attachments

Microsoft 365 attachments use XML-based files. Follow the steps below to view the XML data and locate the URL.

  1. Download the Microsoft 365 attachment.
  2. You can change the file's extension to a “.zip” file by right-clicking the file and selecting Compress “File name”.
  3. Open the .zip archive, and then open the word subfolder.
  4. Open the document.xml file in a text editor.
  5. Once you have opened the document.xml file, you will see a string like the one highlighted in the text box below. This string contains the URL.

  • INCLUDEPICTURE \d "http://online-banking.kb4.io/XcmVTjaXBpZWc50X2lkPTeMxMTQ0LaNjg5jNSZjYW1wYYWXlnbl9ydW5faWQ9OTAwqODAzJmFjdGlvbj1hdHRhY2htZW50" \* MERGEFORMATINET

PDF Attachments

You can find the URL in a PDF attachment by pasting the link address in a text editor. Follow the instructions below for detailed steps to locate the URL.

  1. Download the phishing test attachment.
  2. Open the attachment using a text editor.
  3. The URL will display, as shown in the example below.

  • /Type /Action /S /JavaScript /JS (app.doc.submitForm('http://phishtest.knowbe4.com/cmVjaXBpZW50X2lkPTI3NDMwOTY5NiZjYW1wYWlnbl9ydW5faWQ9MzI2NTc5JmFjdGlvbj1hdHRhY2htZW50#FDF');)

HTML Attachments

You can find the URL in an HTML attachment by pasting the link address in a text editor. Follow the instructions below for detailed steps to locate the URL.

  1. Hover over the HTML attachment in the email.
  2. Right-click the HTML attachment, and select Copy Link Address.
  3. Open a text editor, and then paste the link into the text editor.
  4. Once you have pasted the link, you will see a string containing the URL, like in the text box below.

  • <a href="http://online-banking.kb4.io/XjayZ1cmw9aHR0cHM6y5rbm93YmU0LmNvbS9wYWdlcy9jMzk1NWIxYzQ4YQ==">Go Now</a>

Was this article helpful?

8 out of 13 found this helpful

Can't find what you're looking for?

Contact Support