Skip to content
English
Sign in
  • There are no suggestions because the search field is empty.

Phishing - Why does Outlook Preview register as an Open in reporting?

When a user clicks on a phishing simulation email in Outlook, and the Reading Pane (Preview Pane) is enabled, Outlook automatically renders the email content. This rendering loads tracking pixels or any embedded elements that are designed to track an open event — which is how "Email Opened" is registered.
So even though the user hasn’t "actively" read the email, technically, the email has been rendered, and therefore: The system logs it as "opened."
 

:bar_chart: Metric Behavior

In The Phishing Simulator, the "Opened Email" metric is triggered by:

  • The email client loading the tracking pixel, typically a 1x1 invisible image.
  • This happens in:
    • Full email open
    • Preview pane render
    • Occasionally in mobile email apps depending on settings

:brain: Implications for Training and Reporting

  • Awareness Campaigns: You might get inflated "open" rates, especially in environments where Preview Pane is enabled by default.
  • Best Practice: When analyzing results, combine "Opened Email" with "Clicked Link", "Submitted Data", etc., to get a better idea of actual engagement.
  • You can also educate users about preview pane behavior during training — it’s a useful conversation starter about email safety!

:hammer_and_wrench: How to Reduce False Positives (Optional)

If you'd like to reduce these passive opens:
  1. Disable Reading Pane for test users via Group Policy (for Outlook)
  2. Educate users not to click into suspicious emails (even to preview)
  3. Use link-clicking or attachment-opening as stronger metrics of engagement

📌 What Each Action Means in Reporting for Outlook users:

User Action "Email Opened" "Link Clicked"
Opens email in Outlook preview pane ✅ Yes ❌ No
Opens email fully (double-click) ✅ Yes ❌ No
Clicks on a link in the email ✅ Yes ✅ Yes
Clicks attachment (if any) ✅ Yes ✅ Yes (different category if attachment)

🔍 Why?

  • “Email Opened” is tracked by a tracking pixel loaded when the email is rendered (including preview).

  • “Click” is only triggered when the user actively clicks a tracked link or attachment inside the phishing email.