Goal: To identify attackers actively monitoring email traffic or who have compromised an employee’s account.
Approach: Monitoring interaction with the deceptive email and analyzing attacker behavior. This element involves sending a deceptive email to employees that appears to be legitimate but contains hidden links that are only visible when the email is viewed in a specific way, such as using a particular email client or viewing the email’s source code.
Attackers who attempt to view the hidden links will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to phish employees.