Create a Phish Threat Campaign

Start a new campaign to test your users with an attack simulation or enroll them in mandatory training.

You create campaigns with an assistant that uses templates. The templates can be customized to suit your organization and your users. To create a campaign, do as follows:

  1. Go to Phish Threat > Campaigns. See Campaign overview.
  2. Click New Campaign and give the campaign a name.
  3. Select a campaign type.
  4. Select the language for the email template and training modules. See Template.
  5. Click Next.
  6. In Choose Attack, select attacks from the various styles and difficulty levels available. You can choose up to five attacks for a campaign. Click Next.
  7. In Choose Training, you can enroll users who fail the simulated attack in a training course.

    You can select a Sophos training course, one of your own, or no training.

  8. You can also choose to send reminder emails to make sure users take the training course. Click Next.

  9. In Customize, you can tailor elements of the campaign for your organization and your users. Click Next.

    The elements you can customize differ depending on the type of attack and whether you enroll users who fail tests in training courses. See Customize.


    Customizations to the Reminder Email and the landing pages are set globally. They are used by all current and future campaigns in your account. There is no option to return them to their original format.

  10. Choose which Users or user Groups to send the campaign to. Click Next.

    If some users' email addresses use unverified domains, you see a warning message. Click Verify domains to start verifying your domains. See Verify domains.

    This feature might not be available for all customers yet.

  11. Click Auto-enroll new users to this campaign to enroll new users into this campaign as you add them to Sophos Central. See Auto-enrollment.

  12. Review your selections from the previous steps.
  13. Schedule your campaign and set the Sending Increment.


    Any actions taken by users after the End Date are not factored into the campaign results.

  14. Click Done to save the campaign.

Verify domains

This feature might not be available for all customers yet.

You can only send simulated phishing emails to email addresses at domains you own. You must verify your domains with us before using them in Phish Threat campaigns.

If email addresses in Enroll Users use unverified domains, you can't select them. Click Verify domains to start verifying your domains.

After verifying your domains, click Phish Threat to continue creating your campaign.

If you have a mix of verified and unverified domains in your email addresses, you can select addresses with verified domains. You can't select the addresses with unverified domains.

If you select Groups, and a group has a mix of verified and unverified domains in the email addresses, we add the addresses with verified domains to the campaign. You see a warning message. You can verify your domains or continue with only the addresses with verified domains.

For more information on verifying domains, see Verify domains.