Skip to content

Create a Phish Threat Campaign

Start a new campaign to test your users with an attack simulation or enroll them in mandatory training.

You create campaigns with an assistant that uses templates. You can customize templates to suit your organization and your users. To create a campaign, do as follows:

  1. Go to My Products > Phish Threat > Campaigns. See Campaign overview.
  2. Click New Campaign and give the campaign a name.
  3. Select a campaign type.
  4. Select the language for the email template and training modules. See Template.
  5. Click Next.
  6. In Choose Attack, select attacks from the various styles and difficulty levels available. You can choose up to five attacks for a campaign. Click Next.
  7. In Choose Training, you can enroll users who fail the simulated attack on a training course.

    You can select a Sophos training course, one of your own, or no training.

  8. You can send reminder emails to encourage users to take training courses. You can set the number of emails and the sending frequency.

    For more details on the frequency of sending training reminder emails, see Training reminder email intervals.

  9. Click Next.

  10. In Customize, you can customize campaign elements for your organization and your users. Click Next.

    The elements you can customize differ depending on the type of attack and whether you're enrolling users on training courses after failing tests. See Customize.


    Customizations to the Reminder Email and the landing pages are set globally. All current and future campaigns in your account use them. You can't return them to their original format.


    If you want to add customized images, you can only upload PNG files.

  11. Choose which Users or user Groups to send the campaign to. Click Next.

    If some users' email addresses use unverified domains, you see a warning message. Click Verify domains to start verifying your domains. See Verify domains.

  12. Click Auto-enroll new users to this campaign to enroll new users into this campaign as you add them to Sophos Central. See Auto-enrollment.

  13. Review your selections from the previous steps.
  14. Schedule your campaign and set the Sending Increment.


    Any actions taken by users after the End Date aren't included in campaign results.

  15. Click Done to save the campaign.

Verify domains

You can only send simulated phishing emails to email addresses at domains you own. You must verify your domains with us before using them in Phish Threat campaigns.

If email addresses in Enroll Users use unverified domains, you can't select them. Click Verify domains to start verifying your domains.

After verifying your domains, click Phish Threat to continue creating your campaign.

If you have a mix of verified and unverified domains in your email addresses, you can only select addresses with verified domains. You can't select addresses with unverified domains.

If you select Groups, and a group has a mix of verified and unverified domains in the email addresses, we add the addresses with verified domains to the campaign. You see a warning message. You can verify your domains or continue with only the addresses with verified domains.

For more information on verifying domains, see Verify domains.