A status color doesn't depend only on the last action an employee took (for example "Credentials submitted"). It mainly indicates whether the employee is ultimately counted as vulnerable (compromised) or not.
Two employees can therefore show the same "Credentials submitted" status in two different colors:
Orange: an action was indeed detected (link clicked, or even credentials submitted), but the employee is not counted as vulnerable.
Red: the employee is counted as vulnerable / compromised.
Why isn't an employee who submitted their credentials always counted as vulnerable?
1. They reported the phishing email. This is the most common case. If an employee reports the simulated email as phishing, they are not counted as vulnerable — even if they submitted their credentials before or after reporting it. Reporting is the correct reflex we want to reward, so it takes precedence over credential submission. The employee then appears in orange.
2. The template used an MFA (two-factor) step that wasn't completed. When a phishing template includes an MFA / 2FA login step, the employee is only considered compromised if they go all the way, i.e. up to entering their 2FA code. If they stop at the password without entering the code, they are not counted as vulnerable.
💡 Good to know: the vulnerability indicator only counts employees who were tricked and who did not report the email. An employee who reports is deliberately excluded from this count, even if a click or a submission was recorded elsewhere.
How can I check what happened for a specific employee?
From the campaign, open the details of the relevant employee: you'll see a timestamped timeline of their actions (email opened, link clicked, credentials submitted, email reported). If a report appears there, that's what explains the exclusion from the vulnerability count.
Key takeaways
The color reflects the final vulnerability status, not just the last recorded action.
An employee who reports the email is never counted as vulnerable, even if they also submitted their credentials — reporting takes precedence.
With an MFA template, only the employee who enters their 2FA code is considered compromised.
"Vulnerable" count = tricked employees who did not report.