Campaign Scope

The Campaign Scope section of the Impact tab shows a visualization of how the message attributes and similar messages in the investigation relate to each other, represented by nodes and connections.

An example Campaign Scope display showing how the attributes of 25 messages in the investigation relate to each other.

If the scope of a campaign is more than 100 messages, the Campaign Scope shows a visualization of the first 100 messages in the investigation, where "first" is the order that the messages arrived at and were evaluated by your Sensors.

The green hexagon node icons represent message groups. The circle node icons represent message attributes. The number in each node is how many of that item were found in the investigation and linked to other common nodes. For example, in the above illustration, the Message Group node in the lower right represents 1 message whose From - Display Name is shared by 23 messages in the investigation and whose Subject is shared by 2 messages in the investigation. Correspondingly, that Subject node shows a 2 and has 2 connections to Message Group nodes, each representing 1 message.

Technically, the Impact tab shows a visualization of the result of a Domain Specific Language (DSL) query, which is shown below the visualization. The default DSL query incorporates all of the current messages in the investigation. Phishing Response allows you to modify this DSL query to change the visualization (changes that violate the DSL syntax will produce an error). In this topic, "investigation" refers to the result of the DSL query, which, unless you modify the query, is functionally equivalent to the investigation.

The following table explains the visualization icons in more detail.

Message Nodes

Message Group: Each of these icons represents a unique subject and from domain combination. The number indicates how many messages in the investigation have the same subject and from domain combination. For investigations with multiple messages, you'll often see many of these, because attackers are trying to disguise the origin of their attack messages.

Attribute Nodes

Attribute nodes are rendered in the Impact view only for attributes that are shared by two or more Message Group nodes. The number in an attribute node represents the number of messages in the linked message groups that share the attribute.

From - Display Name: Each of these icons represents a unique From - Display Name. The number indicates how many messages in the linked message groups in the investigation have that From - Display Name. For investigations with multiple messages, you'll often see fewer of these, and the ones you do see are often attackers' attempts to appear innocuous.

Attachment: Each of these icons represents a unique attachment found in the investigation. The number indicates how many messages in the linked message groups in the investigation contain the attachment.

URL: Each of these icons represents a unique URL found in the investigation. The number indicates how many messages in the linked message groups in the investigation contain the URL.

Domains: Each of these icons represents a unique domain name found in the investigation. The number indicates how many messages in the linked message groups in the investigation contain the domain name.

Reply-To: Each of these icons represents a unique Reply-To value. The number indicates how many messages in the linked message groups have the same content in the Reply-To field.

Subject: Each of these icons represents a unique subject line. The number indicates how many messages in the linked message groups have the same subject line. Subject lines are compared case-insensitively, so "Payment received" and "payment received" are considered the same subject line and are represented by the same icon.

IP Address: Each of these icons represents a unique IP address or a group of IP addresses related to the same DNS Pointer (PTR) record. The number indicates how many messages in the linked message groups in the investigation contain the IP address.

Message ID: Each of these icons represents a unique Message ID, which is the value of the Message-ID header. Message IDs are intended to be globally unique; no two messages should share the same Message ID. The number of these you see in the Impact visualization depends on how the messages were sent. For example, a single message sent to many recipients is identified by one Message ID, whereas messages sent separately each have a unique Message ID. In either case the messages could be related to one campaign, and Phishing Response would collect them into a single investigation.

Mail From: Each of these icons represents a unique Mail-From value. The number indicates how many messages in the linked message groups have the same content in the Mail-From field. The Mail-From field is also known as the SMTP Envelope From.

The lines between the icons represent relationships. For example, in the above illustration, 3 lines emanate from the attachment icon to 3 message group icons. That tells you that only those messages contained the attachment represented by this node icon.

When you hover your cursor over an icon, a pop-up will give some basic details about what that icon represents.

While in general, the message group icons are arranged around the attribute icons, you can move the icons around to better view specific relationships. For example, moving the icons so that the attachment icon is isolated makes it clearer that it is related to only 3 message groups.

The above example Campaign Scope with some of the icons rearranged (by dragging) to isolate the attachments icon.

Refresh the browser page to return the icons to their original positions.

Message Count in Impact View

At times, you may see a different number of messages in the Impact view (the Campaign Scope) than in the investigation card.

A message count comparison between the investigation card and the Impact view.

This is because Agari retains only the most recent 60 days of the per-message data needed to render this view, while some messages in a malicious campaign may be older than 60 days. Phishing Response, however, keeps a continuous count of the messages that are or have been associated with a single campaign, and that count appears on the investigation card.

You may also see numbers in the attribute nodes that don't add up to the total message count, as in this example:

There are 100 messages in this investigation, but the number in the Subject attribute is 32.

In this example, 32 messages share an identical Subject, spread across 2 message groups, one with 26 messages and one with 6 messages. Remember that a message group icon represents a group of messages with the same subject and from domain combination. So what we can infer is that while 32 messages have the same subject, 26 of them share one from domain and the other 6 share a different from domain.

Also, there are no other attribute icons representing message Subject. So in this threat campaign, the remaining 68 messages have Subjects that are not shared with any other message, and those non-shared Subjects are not represented by icons in this visualization.

Note that there is just a single From - Display Name attribute icon as well, but its number is 100. That would mean that this attribute is common across all messages in the investigation.
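The grouping rules in the table above and this worked count example, expressed as an added Python example (not Agari's code): it groups constructed messages by case-insensitive subject plus from domain, keeps only attributes shared by two or more message groups, applies the 100-message cap by arrival order, and reproduces the 32 / 26 / 6 / 100 counts. The field names and the "arrived" ordering key are assumptions.

```python
from collections import defaultdict

MAX_MESSAGES = 100  # the view renders only the first 100 messages by arrival order

def build_sample():
    """Constructed sample of 100 messages: 32 share one subject (case varies)
    split over two from domains (26 + 6); the other 68 have unique subjects;
    every message carries the same From - Display Name."""
    msgs = []
    for i in range(100):
        if i < 26:
            subj, dom = "Payment received", "alpha.example"
        elif i < 32:
            subj, dom = "PAYMENT RECEIVED", "beta.example"
        else:
            subj, dom = f"Invoice {i}", f"d{i}.example"
        msgs.append({"arrived": i, "subject": subj, "from_domain": dom,
                     "display_name": "Accounts Payable", "url": None})
    return msgs

def campaign_scope(messages, attributes=("subject", "display_name", "url")):
    """Return (groups, nodes).
    groups: {(subject_lower, from_domain): message count}  (hexagon nodes)
    nodes:  {(attribute, value): {"count": n, "groups": set of group keys}}
            containing only attributes shared by two or more message groups."""
    msgs = sorted(messages, key=lambda m: m["arrived"])[:MAX_MESSAGES]
    groups = defaultdict(int)
    seen = defaultdict(lambda: {"count": 0, "groups": set()})
    for m in msgs:
        gkey = (m["subject"].lower(), m["from_domain"])  # group = subject + from domain
        groups[gkey] += 1
        for attr in attributes:
            val = m.get(attr)
            if val is None:
                continue  # attribute absent from this message (e.g. no URL)
            if attr == "subject":
                val = val.lower()  # subjects are compared case-insensitively
            node = seen[(attr, val)]
            node["count"] += 1          # messages in linked groups sharing the value
            node["groups"].add(gkey)    # which hexagons this circle connects to
    # Attribute nodes appear only when shared by at least two message groups.
    nodes = {k: v for k, v in seen.items() if len(v["groups"]) >= 2}
    return dict(groups), nodes

if __name__ == "__main__":
    groups, nodes = campaign_scope(build_sample())
    print(len(groups), "message groups;", {k: v["count"] for k, v in nodes.items()})
```

Subjects unique to a single message group never produce a circle node, which is why the 68 unique Subjects above are invisible in the view.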