Communication Security
How individuals use email, chat, messaging, and collaboration platforms to exchange information.
Indicators
An observed identity opens real phishing emails delivered to the inbox, increasing exposure to credential-harvesting pages, drive‑by downloads, or embedded malware that evade upstream controls.
An observed identity receives real phishing emails that bypass filtering, indicating potential gaps in mail security and targeted exposure that warrant rapid triage and user‑focused follow‑up.
An observed identity receives real phishing emails carrying malicious payloads or weaponized attachments, creating immediate endpoint compromise risk and signaling a need for expedited containment.
An observed identity is specifically targeted in real phishing campaigns, suggesting perceived value or vulnerability and informing prioritization for protections and coaching.
An observed identity clicks links in real phishing emails, elevating the likelihood of credential theft, session token capture, or browser‑based exploitation on hostile pages.
An observed identity enables the enterprise reporting add‑in/button in their mail client, signaling readiness to escalate suspicious messages through approved detection workflows.
An observed identity reports emails they suspect are phishing or otherwise suspicious to security responders, preserving the headers, attachments, and links needed for rapid investigation; these early signals improve detection speed even when the messages later prove benign.
An observed identity reports emails that downstream analysis or tooling also tags as suspicious, strengthening first‑line detection and aiding rapid incident triage.
An observed identity correctly reports verified phishing emails, materially improving mean‑time‑to‑detect and enabling protective actions (quarantine, blocklists, takedown).
An observed identity is first to report verified phishing emails at a time that enables automated quarantine or recall of matched emails across recipients, reducing blast radius.
An observed identity reports legitimate emails as phishing, generating false positives that add triage load and can contribute to alert fatigue, while also surfacing coaching opportunities to refine recognition skills.
An observed identity reports suspicious SMS (“smishing”) messages to security, enabling cross‑channel detection and user protection beyond email.
An observed identity replies to messages from unknown or spoofed senders, increasing risk of data disclosure, business email compromise (BEC), and follow‑on social engineering.
An observed identity forwards email content to personal or otherwise unauthorized mailboxes, circumventing governance and increasing data exfiltration and privacy risk.
An observed identity retrieves and opens attachments from emails that were quarantined or flagged, bypassing warnings and increasing the chance of executing malicious content.
An observed identity opens attachments from emails sent by unknown or unverified parties, exposing endpoints and data to malware or coercive lures.
An observed identity deletes suspected phishing emails without opening, reducing exposure windows and demonstrating protective discretion aligned to policy.
An observed identity marks legitimate security or IT notifications as junk, suppressing critical communications and potentially delaying required user actions or incident response.
An observed identity replies to emails already labeled or bannered as phishing, disregarding security cues and increasing the chance of engagement with adversaries.
An observed identity downloads attachments from messages where the display name and the actual sender address differ (display-name spoofing), a classic phishing trait that elevates compromise likelihood.
An observed identity creates mailbox rules that auto‑move, forward, or hide messages to bypass banners, filters, or DLP enforcement, undermining detection and auditability.
An observed identity sends messages to outdated or risky distribution lists—often including unintended externals—creating accidental data exposure and propagation risk.
An observed identity sends files from corporate mail to personal accounts, shifting sensitive data outside managed boundaries and complicating governance and eDiscovery.
An observed identity transmits passwords, one‑time codes, or other credentials in chat, enabling interception, reuse, or replay beyond approved secret‑handling channels.
An observed identity posts meeting links on public websites or forums, enabling unsolicited access, meeting bombing, or covert social engineering against participants.
An observed identity accepts file transfers or share invites from unknown external contacts, raising risk of malware delivery or data harvesting schemes.
An observed identity removes classification/sensitivity labels or banners prior to sending, weakening DLP and record‑keeping controls and increasing leakage risk.
An observed identity attempts to evade attachment blocking by renaming or re‑packaging files, indicating intentional control circumvention and elevated insider‑risk posture.
An observed identity adds unvetted or risky domains to safe‑sender lists, suppressing warnings and allowing future malicious content to reach the inbox unchallenged.
An observed identity uses “reply all” on threads that include external recipients, potentially disclosing internal content, links, or PII to unintended parties.
An observed identity removes or edits security banners or headers prior to sending, erasing context meant to inform recipients and auditors about sensitivity or risk.
An observed identity transmits sensitive or regulated content via email without appropriate protections (encryption, permitted recipients, least privilege), increasing exposure.
An observed identity places sensitive data into public or broadly accessible mail‑linked folders, enabling uncontrolled discovery, indexing, or onward sharing.
An observed identity shares sensitive information through chat channels lacking the required controls for classification, retention, or eDiscovery.
An observed identity conducts work correspondence via personal email, bypassing enterprise retention, DLP, legal hold, and access monitoring.
An observed identity references project code names or internal initiatives in public channels, aiding adversary reconnaissance and targeted social engineering.
An observed identity accepts or interacts with calendar invitations from untrusted sources, potentially enabling malicious links, conferencing fraud, or data harvesting.
An observed identity shares screens that expose confidential content to external participants during virtual meetings, creating immediate data leakage risk.
An observed identity clicks links in SMS from unknown senders ("smishing"), risking credential capture, device exploitation, or session hijacking on mobile and demonstrating susceptibility to phishing outside the email channel.
An observed identity enables macros within untrusted documents, allowing embedded code execution and increasing endpoint compromise probability.
An observed identity accesses shortened URLs from unverified sources, obscuring destination risk signals and increasing exposure to phishing or malware.
An observed identity chooses to load blocked remote content (images, tracking pixels) in emails from unverified senders, bypassing safe-rendering defaults and beaconing back to the sender that the mailbox is live and the message was opened, which invites further targeting.
An observed identity follows redirects to destinations on unknown or low‑reputation domains, elevating exposure to exploit kits and phishing infrastructure.
An observed identity accepts shared‑file invitations that spoof trusted brands or domains, enabling malware delivery or credential harvesting via faux collaboration flows.
An observed identity clicks “unsubscribe” links in unsolicited newsletters, potentially confirming a live mailbox to spammers or redirecting to malicious infrastructure.
An observed identity opens encrypted messages from unverified senders, engaging with content that may bypass standard inspection and introduce social‑engineering risk.
An observed identity acts on SMS or voice-call requests from unverified sources to read back, enter, or approve MFA codes, increasing susceptibility to MFA relay (adversary-in-the-middle) or fatigue attacks.
An observed identity shares one‑time passwords or MFA codes via email or chat, enabling immediate account takeover by adversaries monitoring those channels.
An observed identity approves push or other MFA prompts they did not initiate, in real or simulated circumstances, indicating susceptibility to MFA fatigue or prompt-bombing and risking account compromise.
An observed identity disables or tampers with email security controls (e.g., reporting add‑ins, link/attachment rewriting, warning banners), degrading protection, visibility, and audit.
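Several of the indicators above describe traits that can be checked mechanically on a reported message rather than judged by eye: a display name that carries a different address than the real sender, a Reply-To that steers replies to a third domain, a gateway Authentication-Results stamp recording SPF or DMARC failure, and links hidden behind URL shorteners. The following Python is an added example written for this page, not code from the original catalog or any product it describes. The two messages are constructed samples, the domains are fictitious, and the shortener deny-list is an assumption; a real triage pipeline would use a maintained feed and feed the findings into the reporting workflow.

```python
import re
from email import message_from_string, policy

# Constructed sample (not a real message) showing the traits the indicator list
# names: the display name carries a trusted-looking address while the real
# sender is elsewhere, Reply-To points at a third domain, the receiving gateway
# recorded SPF and DMARC failures, and the call to action hides behind a shortener.
LURE_EMAIL = """\
From: "finance@corp.example" <billing-notice@mail-relay.example>
Reply-To: invoices@corp-payments.example
To: alice@corp.example
Subject: Overdue invoice INV-2291
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example; dkim=none; dmarc=fail header.from=mail-relay.example
Content-Type: text/plain; charset="utf-8"

Alice, the attached invoice is overdue. Review it today at https://bit.ly/3xample
or reply to this message and we will resend it.
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: "Alice Example" <alice@corp.example>
To: bob@corp.example
Subject: Q3 roadmap review
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
Content-Type: text/plain; charset="utf-8"

Slides are at https://intranet.corp.example/roadmap/q3 - see you at 3pm.
"""

# Assumption: a small deny-list of URL shorteners; production checks would use a maintained feed.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "ow.ly"}
ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URL_HOST_RE = re.compile(r"https?://([\w.-]+)")
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
AUTH_FAILURES = {"fail", "softfail", "permerror"}


def first_address(msg, header_name):
    """Return the first parsed Address in an address header, or None if absent."""
    header = msg[header_name]
    if header is None or not header.addresses:
        return None
    return header.addresses[0]


def triage(raw_message: str) -> list[str]:
    """Return the indicator names that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = first_address(msg, "From")
    sender_domain = sender.domain.lower() if sender else ""

    # Display-name spoofing: the visible name contains an address whose domain
    # differs from the domain of the actual sender address.
    if sender:
        embedded = ADDR_IN_NAME_RE.search(sender.display_name)
        if embedded and embedded.group(1).lower() != sender_domain:
            findings.append("display-name-domain-mismatch")

    # Replies are steered to a domain other than the sender's (BEC staging).
    reply_to = first_address(msg, "Reply-To")
    if reply_to and reply_to.domain.lower() != sender_domain:
        findings.append("reply-to-domain-mismatch")

    # The receiving gateway's own authentication verdicts, if it stamped them.
    verdicts = AUTH_RESULT_RE.findall(str(msg.get("Authentication-Results", "")))
    failed = sorted(method for method, result in verdicts if result.lower() in AUTH_FAILURES)
    if failed:
        findings.append("auth-failed:" + ",".join(failed))

    # Links whose host is a known shortener hide the real destination.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hosts = {host.lower() for host in URL_HOST_RE.findall(text)}
    if hosts & SHORTENERS:
        findings.append("shortened-url")

    return findings


if __name__ == "__main__":
    for label, sample in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(f"{label}: {triage(sample) or 'no findings'}")
```

Only the Authentication-Results header written by your own gateway is trustworthy; an attacker can inject one of their own further up the chain, so a real implementation should key on the gateway's authserv-id (here `mx.corp.example`) and ignore stamps from any other host.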
Relevance
Communication channels are primary targets for phishing, impersonation, and content-based attacks. Monitoring user behavior here reveals susceptibility patterns and helps prioritize interventions. It also provides visibility into whether secure communication practices are being followed consistently.
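The mailbox-rule indicator in the list above (rules that auto-move, forward, or hide messages to bypass banners, filters, or DLP) is one of the few behaviours here that can be detected directly from audit telemetry rather than inferred from user reports. The following Python is an added example written for this page, not code from the original catalog or any mail platform. The audit records are constructed; their shape, an Operation name plus Name/Value parameter pairs, is modelled loosely on mailbox-configuration audit events, and the exact field and parameter names, the internal-domain list, and the folder and keyword lists are assumptions to adapt to your tenant.

```python
# Constructed audit records (not real telemetry). The field names are an
# assumption modelled loosely on mailbox-configuration audit events.
AUDIT_RECORDS = [
    {
        "Operation": "New-InboxRule",
        "UserId": "alice@corp.example",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "phish;security alert;password"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {
        "Operation": "Set-Mailbox",
        "UserId": "bob@corp.example",
        "Parameters": [
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.home@mailbox-host.example"},
            {"Name": "DeliverToMailboxAndForward", "Value": "True"},
        ],
    },
    {
        "Operation": "New-InboxRule",
        "UserId": "carol@corp.example",
        "Parameters": [
            {"Name": "Name", "Value": "Vendor Alpha"},
            {"Name": "From", "Value": "contact@vendor-alpha.example"},
            {"Name": "MoveToFolder", "Value": "Projects\\Vendor Alpha"},
        ],
    },
]

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
# Folders users rarely look in; a rule that files mail there is hiding it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive", "conversation history"}
# Terms attackers filter on to suppress warnings, responder contact, or BEC evidence.
SUPPRESSION_TERMS = ("phish", "security", "password", "suspicious", "helpdesk", "invoice")


def parameters(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def addresses(value: str) -> list[str]:
    """Split a ;- or ,-separated recipient list and drop any smtp: prefix."""
    parts = [v.strip() for v in value.replace(",", ";").split(";") if v.strip()]
    return [p[5:] if p.lower().startswith("smtp:") else p for p in parts]


def is_external(address: str) -> bool:
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def assess_rule(record: dict) -> list[str]:
    """Return the reasons one audit record looks like rule-based evasion or exfiltration."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = parameters(record)
    reasons = []
    for key in FORWARD_PARAMS:
        for target in addresses(p.get(key, "")):
            if is_external(target):
                reasons.append(f"external-forward:{target}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("auto-delete")
    folder = p.get("MoveToFolder", "")
    if folder.split("\\")[-1].lower() in HIDING_FOLDERS:
        reasons.append(f"hidden-folder:{folder}")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("mark-as-read")
    filters = " ".join(
        p.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
    ).lower()
    hits = [t for t in SUPPRESSION_TERMS if t in filters]
    if hits:
        reasons.append("filters-security-terms:" + ",".join(hits))
    return reasons


def flag_records(records: list[dict]) -> dict[str, list[str]]:
    """Map each user to the reasons their rule changes were flagged; clean records are omitted."""
    flagged = {}
    for record in records:
        reasons = assess_rule(record)
        if reasons:
            flagged[record["UserId"]] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_records(AUDIT_RECORDS).items():
        print(user, "->", "; ".join(reasons))
```

Carol's rule, which files a vendor's mail into a project folder, produces no reasons and is dropped; Alice's rule hides anything mentioning "phish", "security", or "password" in an RSS folder and marks it read, and Bob's mailbox-level forward to an external domain is the kind of persistence an attacker sets after a credential-theft success. Weighting the reasons (an external forward alone should page someone; mark-as-read alone should not) is a tuning decision left to the detection team.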
Why this matters
This category matters because human error in communications is often the first step in a breach. Security teams must understand how employees interact across channels to identify risks before they are exploited. By emphasizing secure communication practices, organizations reduce the likelihood of compromise through phishing, spoofing, or data leakage.
Consequences of neglect
If left unaddressed, poor communication hygiene can enable attackers to bypass technical controls. This leads to increased exposure to credential theft, financial fraud, reputational damage, and large-scale breaches caused by a single exploited communication channel.