Question

How are external and internal IP Addresses of users recorded within Phishing campaign reporting?

Answer

Proofpoint records the user's public IP address because this IP address is presented to the Phishing Simulation servers when the user opens their campaign email or clicks on a link. The IP address we record is based upon how a customer’s network is configured. For example, if your organization has a single public IP address that all users access the internet from, all of the user activity (clicks and opens) will appear from that single IP address.

To obtain the user's internal IP address, Proofpoint (or any website) would need to execute code on the user's device (.exe, Java applet, ActiveX, etc.);  all of which are invasive. This limitation is due to security controls that are present in all web browsers. These browser security controls prevent websites from detecting the user's IP address, MAC address, user name, and other sensitive information.