Campaign Monitor

Campaign Monitor (now part of Marigold) is an email marketing platform that relies on tracking pixels and link wrapping to monitor recipient behavior. Every email sent through Campaign Monitor embeds an invisible 1x1 pixel that reports open events and rewrites all links through Campaign Monitor's redirect infrastructure to track clicks. While this is standard practice in email marketing, Campaign Monitor's integration into the broader Marigold portfolio (which includes Sailthru, Cheetah Digital, and Selligent) raises questions about how recipient engagement data flows across the parent company's data ecosystem. The platform offers GDPR compliance tooling and HIPAA-eligible plans, but the fundamental tracking architecture means every email interaction generates behavioral data transmitted to Marigold's infrastructure.

76 IOCs
Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Campaign Monitor discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim

Awaiting scanner verification

Observed Behavior

Signature-only assessment pending runtime observation

Customer Impact

What This Means For You

If your organization uses Campaign Monitor to send emails, every recipient interaction generates behavioral data transmitted to Marigold's infrastructure. Open tracking pixels report when, where, and on what device a recipient reads your email. All links route through Campaign Monitor's redirect servers, meaning click behavior is captured before recipients reach your content. For organizations subject to GDPR or ePrivacy requirements, the key risk is that email tracking occurs without explicit recipient consent at the point of observation — the tracking is embedded in the email itself and fires automatically. Additionally, your recipient engagement data exists within the broader Marigold ecosystem, and the boundaries of how that data is used across Marigold's product portfolio should be clarified in your data processing agreement.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Campaign Monitor

  • Review your Campaign Monitor data processing agreement to understand how recipient engagement data is used within the broader Marigold ecosystem.
  • Assess whether your email privacy policy adequately discloses the use of tracking pixels and link redirect tracking.
  • For GDPR-regulated audiences, evaluate whether your lawful basis for email tracking is documented and defensible.
  • Consider enabling Campaign Monitor's plain-text alternatives for sensitive communications where tracking is inappropriate.
  • Audit which third-party integrations are connected to your Campaign Monitor account and what data flows to each.
  • Monitor the impact of Apple MPP and Gmail proxying on your open rate metrics to understand how much behavioral data is still being reliably collected.

Negotiation Leverage

  • Campaign Monitor's position within the Marigold portfolio is the key leverage point. When negotiating:
    (1) Demand clarity on data isolation: confirm in writing whether recipient engagement data from Campaign Monitor is accessible to or shared with other Marigold products (Sailthru, Cheetah Digital, Selligent).
    (2) Request data processing agreement amendments that explicitly scope data usage to your Campaign Monitor instance only.
    (3) Negotiate data retention limits on recipient behavioral data; open/click tracking data should have defined expiration.
    (4) Request transparency on sub-processors, particularly any Marigold-internal data sharing that occurs at the infrastructure level.
    (5) For HIPAA-regulated communications, ensure the BAA covers tracking pixel and link redirect data, not just email content delivery.
Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 Session Recording

Full session replay

BTI-C08 Cross-Domain Sync

Identity stitching

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Email tracking pixels fire automatically upon message rendering with no recipient-side consent mechanism. While Apple MPP and proxy-based protections have emerged, the default tracking architecture operates without explicit recipient consent for behavioral observation.

BTI-C14 Identity Resolution

PII deanonymization

IOC Manifest

76 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Campaign Monitor operates within the Marigold portfolio alongside Sailthru (personalization), Cheetah Digital (cross-channel engagement), Selligent (marketing automation), and Emma (email marketing). This shared ownership creates a broad data ecosystem under one parent company. Campaign Monitor integrates with Shopify, Salesforce, Facebook, WordPress, Magento, and numerous other platforms via its API and native connectors. The platform's tracking infrastructure (pixel + link redirect) is standard across the email marketing industry but generates behavioral data that flows to Marigold-controlled infrastructure. When deployed alongside other Marigold products, recipient engagement data may contribute to cross-product analytics and audience modeling.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

76 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details