OS, Browser, Email Client should be available for staff who open and click links
Only when a user clicks a phishing link in an attack are the OS, browser, and other detailed information provided. It would be useful to display those details (such as email client - to distinguish full client/web/mobile access) for anyone who opens the email (downloads and displays the hidden tracking image).
It may not be possible to gather this information without the user clicking a link in the attack, but if they are users of Sophos endpoint protection, this information is likely known and available through that platform.
The reasoning is simple... While clicking a link is most certainly bad, just opening an email (downloading the images) increases the likelihood they will be phished/spammed in the future by validating to the sender that the address has a reader.
Our staff using company-provided laptops have the setting to disallow automatic downloading of images in their email client; however, 20% of our staff opened the emails in our first campaign, and probably were guilty of doing so via a mobile device without such a setting by default. Knowing the cause of the opened emails will allow us to provide direct guidance to prevent staff from validating their accounts to spammers and phishers.
