Reachinbox

Reachinbox is a marketing_automation vendor with a VRS of 80, flagged for 5 BTI codes including session recording (C07), consent bypass (C09), and fingerprinting (C10). The email outreach platform deploys visitor intelligence while managing cold email campaigns, creating moderate signal corruption (25) but severe cost attribution exposure (90) and full legal tail risk (100).

124 IOCs · 3 detections · 100% pre-consent · 2 sites
Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Reachinbox discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

3 detections across 2 sites · 100% pre-consent activity
CRITICAL

Pre-Consent Activity

Reachinbox was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPR · ePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim: Unknown

Observed Behavior: Requires claims extraction via CDT

Customer Impact

What This Means For You

Sales and marketing teams face three core risks: (1) Lead quality analytics become distorted by over-crediting email engagement, making pipeline conversion predictions unreliable. (2) Detailed cold outreach strategy, including prospect targeting and messaging, flows to Reachinbox infrastructure, potentially exposing competitive intelligence and sales playbooks. (3) Legal exposure from tracking cold email recipients without consent creates GDPR/CCPA liability that compliance teams cannot mitigate while maintaining campaign functionality.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Reachinbox

  • Require data processing addendum with explicit cold email tracking disclosure
  • Demand consent framework for website tracking separate from email subscription
  • Implement session recording exclusions for sensitive website interactions
  • Configure analytics to minimize exposure of outreach strategy in campaign data
  • Establish retention limits for prospect behavioral profiles

If You're Evaluating Reachinbox

  • Review legal basis for tracking cold email recipients under GDPR (likely lacks legitimate interest)
  • Verify whether prospect behavior data influences vendor product development or benchmarking
  • Test session recording scope to understand what website activity gets captured from email clicks
  • Assess data flows to third-party enrichment and analytics platforms
  • Request disclosure of secondary use of campaign data for vendor intelligence

Negotiation Leverage

  • Reachinbox deploys session recording on cold email recipients without prior consent—demand legal assessment of GDPR compliance and explicit DPA liability protection
  • Cold outreach tracking creates heightened regulatory scrutiny under GDPR legitimate interest requirements—require technical controls that separate email engagement from website behavioral tracking
  • Session recordings capture prospect research behavior that reveals your sales process—negotiate recording scope limits and data retention boundaries
  • Campaign analytics may distort lead quality assessment and pipeline forecasting—establish baseline measurement methodology for email effectiveness
  • Legal tail risk of 100% reflects consent bypass in cold outreach context—evaluate whether engagement tracking value justifies regulatory exposure or consider privacy-respecting email analytics
Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

Impact: Reachinbox can detect email security tools and alter tracking behavior during privacy assessments, masking production data collection scope.

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

Impact: Email interaction patterns and website visit behavior create prospect profiles for outreach sequence optimization.

BTI-C07 Session Recording

Full session replay

Impact: Session capture records prospect website behavior after email link clicks for engagement analysis.

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Tracking initializes when cold email recipients click links, processing behavior without prior consent relationship.

BTI-C10 Fingerprinting

Device identification

Impact: Device and browser fingerprinting creates persistent identifiers linking email recipients to website visitors.

IOC Manifest

109 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Reachinbox integrates with CRM systems (Salesforce, HubSpot), email infrastructure, and sales engagement platforms. The vendor consumes prospect lists and campaign data while generating behavioral intelligence about email engagement and website visits. Through these integrations, outreach strategy and prospect targeting patterns flow to vendor analytics infrastructure.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

124 detection signatures across scripts, domains, cookies, and network endpoints
