Webroot SAT question

  • 6 October 2022
  • 3 replies

Userlevel 5

Hi all, wondering if an ‘open’ in SAT is an actual open if the client is using Outlook’s preview pane. Research shows some say yes, some say only if images are allowed, some say no, one says to ignore it because only clicked links should count.


But specifically within Webroot’s Security Awareness Training, if a client is using Outlook, does ‘open’ in a campaign include people who see it in preview pane only?





Best answer by ggreenbaum 7 October 2022, 16:05

View original

3 replies

Userlevel 7
Badge +25

Hey Franco,


I’m not sure let me ping @ggreenbaum as he should know.  

Userlevel 2

Hi @franco,


The preview will indeed generate an open event in the reporting. This is known as a false positive. Dealing with false positives is an issue inherent with any SAT platform, and the resulting “alert fatigue” can be challenging. To help deal with this challenge we recommend you take a layered approach to evaluating campaign results, and do not rely solely on open events to interpret your campaign results. Depending on your email environment, even click events might require a closer look, as secure email gateways can often use bots to probe email.

To provide the additional context, you can look at the detailed event analytics in the CSV download to get a closer look at the clickstream for a particular user to trace ip addresses and event timing to evaluate validity.


Also you might find this article helpful:


We have features planned for enhanced allow logic which will extend the identification of bots, but the underlying challenge will continue to require a nuanced approach by SAT administrators.




Userlevel 7
Badge +4

@franco  I am  half paranoid person, so as a result, I do not use the preview pane at all. IF it is someone I know, then I will open it, and look at the content before  clicking on anything else. Although the answer may not be particular to your question here, but perhaps it may be something to consider.