ATTACK Simulator Phishing Campaign is a simulated phishing test that aims to train end-users to become vigilant when checking their emails.

An issue has been reported wherein the result of ATTACK Simulator Phishing Campaign incorrectly returns a 100% click-rate, even though the customer is certain that not all of their end-users would have clicked on the test email as some employees are absent when they simulate the campaign.


1. On the Hosted Email Security (HES) console, go to Inbound Protection > Policy Objects > Keyword Expressions.


2. Create a new keyword expression for ATTACK Simulator

  1. Set Match to Any Specified.
  2. Click the Add button.
  3. Enter the following keywords/phrase:
    • ATTACK Simulator
    • This is a phishing security test from ATTACK Simulator that has been authorized by the recipient organization.
  4. Click Save.

3. Go to your policies and select Inbound Protection > Policy.

4. Choose the domain where you want to apply the policy to, and then click Add.



5. Under the Basic Information Setting, set a name for your new policy and tick Enable.


6. Under the Recipients and Senders, set the following:

  1. In the Recipients section, choose My domains and select from the available domains, then click Add.
  2. In the Senders section, choose Anyone to use any email addresses for a rule, since ATTACK Simulator uses random email addresses to send its phishing campaign emails.

7. Under the Scanning Criteria, configure the following:

  1. Click Advanced.
  2. Enable the Specified header matches checkbox.
  3. Click keyword expressions link. It will show a new window where you can select the keyword expression you created earlier.
  4. Under Specified Header Matches, select Other and type "x-ats-token".
  5. Choose the keyword expression you have created and click Add.
  6. Click Save

8. Under the Actions setting, choose the intercept action to Deliver now.


9. Review the summary of your policy. It should look similar below:




10. Make this new policy as the first rule on your list of policies in order for it to take precedence before the other policies. Click the up arrow button to move this rule to the top of your policy list.


In this case, if the keyword was matched, the email would not go through the rest of the policies and it would get delivered immediately to the end-user. No attachment, URL, or other content will be further checked by HES.