Phin Security

Ignore Third Party Service IP Addresses

Phin's "Ignore Third Party Service IP Addresses" feature prevents false positive phishing simulation click tracking caused by automated email scanning services (like Microsoft Defender) by identifying and excluding clicks from known third-party IP addresses, recording these as hidden false positives that do not affect user scores or reports.

Overview

Phin tracks each user's performance on phishing simulation emails by monitoring whether a user clicks on a link in the email. When a user clicks the link, they are redirected to the Phin portal, and Phin records that the email was clicked.

With advances in email monitoring and threat protection, many services now scan emails on delivery or post-delivery. These services may examine links in an email and attempt to load the website, which can result in Phin tracking a click that was not performed by the user. This creates a false positive, incorrectly showing the user as failing an assessment.

The current allowlisting guide aims to prevent such issues. However, some services, such as Microsoft Defender and other Microsoft services, may still take action on emails in a user's inbox. To address this, Phin has added the ability to ignore clicks from these services if the IP address matches one linked to Microsoft, preventing false positives in the portal.

How it works

When the "Ignore Third Party Service IP Addresses" feature is enabled for a company, Phin changes how it tracks clicks on phishing simulation emails. When a phishing simulation email is clicked, Phin notes the IP address associated with the request and compares it with the list of Ignored IP Addresses. If the IP address does not match any in the list, Phin tracks it as a real user click. If the IP address matches a record in the Ignored IP Addresses list, Phin stores a hidden false positive record for the phishing simulation sent. This record contains:

  • The date and time of the event
  • The IP address associated with the event
  • The User Agent associated with the event
  • The reason the event was marked as a false positive, including which service the IP address belongs to

These false positive records do not count as a "click" and do not impact the user's performance score. They also do not appear in reports or on the dashboard.

How to enable/disable

This feature is enabled by default. To disable it, log in to Phin and navigate to the company that needs this feature turned off. Then, go to the company Settings page via the sidebar on the left side of the screen. Here, you can disable the feature by checking the box and saving the changes.

If you have suggestions for improving this feature or anything else in Phin, you can submit them via the feature request board. Make sure to select Feature Request in the ticket type dropdown.