Skip to content

Create a campaign

Start a new campaign to test your users with an attack simulation or enroll them in mandatory training.

You can create campaigns from existing templates. You can also customize these templates to suit your organization and your users.

To create a campaign, do as follows:

  1. Go to My Products > Phish Threat > Campaigns. See Campaign overview.
  2. Click New Campaign and enter a campaign name.
  3. Select a campaign type. See Campaign type.
  4. Select the language for the email template and training modules.
  5. Click Next.

    Get Started page.

  6. In Choose Attack, do as follows:

    1. Click Choose this attack. You can choose up to five attacks for a campaign.

      You can filter the attacks by difficulty level or by type.

    2. Click Next.

    Choose Attack page.

  7. In Choose Training, do as follows:

    1. Select a training course for users who fail the simulated attack.

      We recommend you select the Phish Threat training.

      You can filter the training course by HTML or Video type.

    2. Send reminder emails to encourage users to take training courses.

      You can set the number and frequency of the reminder emails. See Training reminder email intervals.

    3. Click Next.

    Choose Training page.

  8. In Customize, do as follows:

    1. Customize campaign elements for your organization and your users.

      The elements you can customize differ depending on the attack type and whether you're enrolling users on training courses after failing tests. See Customize.

    2. Click Next.

  9. In Enroll Users, do as follows:

    1. Select the Users or Groups to send the campaign to.


      You can't add users or groups with email addresses that use unverified domains. See Restrictions.

    2. (Optional) Turn on Auto-enroll new users to this campaign to enroll new users into this campaign as you add them to Sophos Central. See Auto-enrollment.

    3. Click Next.

    Enroll Users page.


    To manage your users and groups, see People.

  10. In Review & Schedule, do as follows:

    1. Review your selections from the previous steps.
    2. Schedule your campaign and set the Sending Increment.

      For more details about scheduling your campaigns and sending increments, see Review & Schedule.

    3. Set the passing percentage score for your users. The default passing percentage score is 80%.

      If you've chosen multiple trainings, click Next to set the passing score for each training.

    4. Click Done to save the campaign.

    Review & Schedule page.


You can only send simulated phishing emails to email addresses at domains you own. You must verify your domains with us before using them in Phish Threat campaigns.


If you're an Enterprise customer, you must add and verify your domains in each of your sub-estates.

  • When you select Enroll Users, and some users' email addresses use unverified domains, you'll see a warning message.
  • When you select Groups, and a group has a mix of verified and unverified domains in the email addresses, only the addresses with verified domains are added to the campaign. You'll see a warning message. You can verify the domains or continue with the addresses with verified domains.

Click Verify domains in the warning message to start verifying your domains. After verifying your domains, click Phish Threat to continue creating your campaign.

For more information on verifying domains, see Verify domains.