I’ve noticed that many email clients (even some web clients) don’t load remote content automatically which prevents the image trick from working. I’ve also noticed that Word 2013 and 2016 open in protected mode by default which also seems to prevent the tokens from alerting. Any tips or tricks for defeating these mechanisms?
You are correct. There are various permutations that react differently. All of the tokens are tricks to make the applications do things there not supposed to do really. The main 2 tips are to have tokens of different types and to in-bed webbugs that a threat might click on. The webbug if clicked on will activate. Plus have other security controls! But yes good question.