Question
What does Email Opened mean in the phishing reports?
Answer
Email Opened means the tracking image in the body of the email that was sent to the end user was loaded. The tracking image is a transparent 1x1 .gif pixel located in the body of the email. The URL to a tracking image is unique for each user within each campaign. The URL to the image contains the landing domain that was selected in the phishing template along with the user GUID. The user GUID is a unique string that identifies a user within a campaign. You can find the user GUID in the Export Data to CSV report.
http://landing-domain/pixel_user-GUID.gif
http://www.securebankingsevices.com/...8dad9f8c0e.gif
When a tracking image is loaded, one could infer that the user has viewed the email message in their email client. However, in some cases ATP and proxy services may sandbox and/or cache the tracking image, leading to false positives. Also, Email Opened may not always work, depending on how the user's email client is configured. For example, Microsoft Outlook and Lotus Notes are traditionally configured by default to restrict access to remote images, so a user may actually have viewed the email, but because the image is blocked the open does not show in the reports. See the example below.

If the user chooses to allow remote images, the user is then marked as having opened the email.

Again, the ability for us to detect this depends on the user's email client configuration. Apple (iOS) devices fetch remote images by default, for example.
The only other way we might measure an Email Opened is if the user failed the campaign. We assume they opened the email in order to fail, and this can be identified when the open event timestamp is the same as the failure timestamp.
See more here: Email Open Timestamps Same as Click Timestamps
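The interpretation rules above can be applied to an exported report in bulk. The following is an added example, not code from the product: the column names (`user_guid`, `opened_at`, `failed_at`) and the sample rows are assumptions constructed for illustration, so map them to the columns in your own Export Data to CSV file.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. Column names are assumptions, not the product's
# real CSV schema; adjust them to match your Export Data to CSV report.
SAMPLE_CSV = """user_guid,opened_at,failed_at
guid-0001,2024-03-04T09:15:02,
guid-0002,2024-03-04T09:20:41,2024-03-04T09:20:41
guid-0003,2024-03-04T09:31:10,2024-03-04T09:33:55
guid-0004,,
"""

def _ts(value):
    """Parse an ISO 8601 timestamp; empty cells become None."""
    value = (value or "").strip()
    return datetime.fromisoformat(value) if value else None

def classify(row):
    """Label one user's record using the rules described in the article."""
    opened, failed = _ts(row.get("opened_at")), _ts(row.get("failed_at"))
    if failed is not None and (opened is None or opened == failed):
        # The open was inferred from the failure, not from a pixel load.
        return "open_inferred_from_failure"
    if opened is None:
        # Remote images may have been blocked, so this does not prove "unread".
        return "no_open_recorded"
    # The pixel was fetched: by the user's client, or by a sandbox/proxy/cache.
    return "pixel_loaded"

def summarize(csv_text):
    """Return ({guid: label}, Counter of labels) for an exported report."""
    reader = csv.DictReader(io.StringIO(csv_text))
    labels = {row["user_guid"]: classify(row) for row in reader}
    return labels, Counter(labels.values())

if __name__ == "__main__":
    labels, counts = summarize(SAMPLE_CSV)
    for guid, label in labels.items():
        print(f"{guid}: {label}")
    print(dict(counts))
```

Treat `pixel_loaded` as "the image was fetched" rather than "the user read the message", and `no_open_recorded` as "unknown" rather than "unread".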
Carlos Rios