Introducing Phish Threat and Phish Threat emulation with Sophos Central Part 2

The goal of the article

  • Following the article in Part 1, Part 2 will proceed with Phish Threat configuration with the second Campaings type Credential Harvesting on Sophos Central.
  • Also, you can review part 1 of the article here.

Instructions for configuring Phish Threat features on Sophos Central.

  • To use Phish Threat feature on Sophos Central, we first need to create a Sophos Central account.
  • To create Sophos Central account, you can see the instructions here.
  • After acquiring Sophos Central account, log into Sophos Central with the account you just created at
  • Next select People to add users for Phish Threat configuration.
  • Click Add> Add User.
  • The Add User table appears, fill in the name FIRST & LAST NAME and enter the email address in the EMAIL ADDRESS box.
  • Note: Email address must be a domain email address, do not use public email addresses like Gmail, Yahoo …
  • Next, let email training send to users who are not added to the Spam folder. We need to add IP addresses and domains for training to the trusted item (whilelist) on Mail Server or mail services like G- Suite, Office 365 ….
  • To obtain the IP address, log in to Sophos Central account and click Phish Threat> Setting> Sending domains and IPs.
  • Now we will see two IP addresses and a series of domains that Sophos provides for the training.
  • Next we press MY PRODUCTs> Phish Threat> Campaigns to enter the Phish Threat feature.
  • Here to do training for users we need to create Campaigns, to create Campaigns click New Campaigns.
  • We will set name for Campaigns and choose the type for Campaigns.
  • Campaigns has 4 types:
  • Phishing: Attracting targeted users to click on a link in an email.
  • Credential Harvesting: Attracting targeted users to enter login information into a fake website.
  • Attachment: Attracting targeted users to open an attachment in an email.
  • Training: Enroll the target user for mandatory training based on the selected training modules.
  • We will do the simulation of Campaigns to see how it works.
  • In this article, we will simulation Credential Harvesting Campaings type.
  • After clicking New Campaigns, we will enter the name for Campaigns as Phishing and select Phising and then click Next.
  • Next we will select the attack pattern, in this case Sophos has provided us with a lot of attack patterns coming from famous websites like Amazon, Adobe, Apple … we just choose one of the The type of attack we want.
  • Here We will choose the type of Email Account Verification and then click Next.
  • Next, we will choose the type of training for users, where Sophos also provides training types on internet threats such as Ransomeware, Keyloggers, Macro Malware …, these training types will include 1 video clip with subtitles English and record video time.
  • We can choose up to 5 training types for 1 Campaigns and those training types will be random when sent to users.
  • Here We will choose the type of Training Credential Harvesting and then click Next.
  • Next is the Customize section, which allows you to edit the contents of Attack Email, Attack Landing, Reminders Email, Caught Landing, Training Landing.
  • This section contains 4 parts: Attack Email, Reminder Email,
    Attack Landing, Caught Landing, Training Landing.

Attack Email

  • In this Attack Email section, when we click, we will see the information available such as Name, Email, Email Subject. We can change it if you want.
  • In this section, we will form an IT department manager to send an email informing all employees about renewing the account in the company’s database according to the schedule and asking employees to log in to the account by link to verify the account.
  • In the From Name section we will set it as Nguyen Van Phu.
  • In the From Mail section we will set it as
  • Alternatively, we can use the sub-domain by checking the box to use a sub-domain on phishing URL replacements and entering the box as Sophos, then the mail account will be phu.nv123@sophos.helpdesk-tech .com.
  • Email Subject will be [IT Department] Request login to authenticate.
  • Next we drag the mouse down to see the contents of the email we will send, we can click Edit to edit the content sent.
  • The content is edited as follows:

Attack Landing.

  • This is the page that will be displayed after the user clicks on the link.

Reminder Email.

  • This is a reminder email when we have not completed the training.

Caught Landing.

  • This Caught Landing section will contain a page with the content “This is not a real attack but it may have happened”.
  • This page will appear when the user opens the email and clicks on the link, the page appears to be wrong for the user to know that this is a training and the user has not passed, so he will do the test.
  • You can edit the content of the page by clicking Edit.

Training Landing.

  • This is a page informing us that we were invited to tranining.
  • After modifying the Customize section click Next to go to the Enroll Users section.
  • In this section we can assign 1 or more Users or Group for training.
  • Click Next to go to Review & Schedule, in this section you can set the time for training to take place.
  • You can choose Launch at schedule time to set the timetable or select Launch immediately for the training to take place immediately after clicking Done.
  • In the Sending Increment section, help us set up this training for many people in a certain period of time.
  • For example: if you choose Send to all enroll users and at the same time, this training will be sent to all users at the same time. If you select Send 5% and select Every hour, every 1 hour the training will be sent to 5% of the total number of people selected in the Enroll User section above.
  • Pull down the Email, Training and Recipients sections to help the user check the content of the email to be sent and the selected training section along with the user name and email of the designated user.
  • Click Done to finish.
  • At this time, on Sophos Central will display the parameters of the training.
  • As we can see in Active Campaigns is the name of the Phishing training, next to 1 Emails sent, 1 email was sent.
  • Next is 0 Emails opened, this part will increase when a user opens the email.
  • At 0 users are caught, this part will increase when the user clicks on the link.
  • At 0 Finished training, this part will increase when the user completes the training.
  • Next we will go to the email account to see the email just sent.
  • Click to open the email, we will see information such as sender, email address, email subject, email content is the message asking to log in the account from the IT room just like we did on Sophos Central .
  • After opening the email, we return to Sophos Central page and reload the page we will see in the Email opened section will increase by 1 because we opened the email sent.
  • Go back to the email page and click on the login link and the Attack Landing page will appear and we will enter the Account and Password and click Log In
  • After entering Account and Password and clicking Log In, the browser will navigate to the same content page as Caught Landing page we set up above.
  • The announcement page tells us “This is not a real attack but it may have happened” and we have to watch the video training and do the test by clicking Go to training.
  • Go back to Sophos Central page and reload the page, we will see the Users caught section increased by 1 by the user who clicked on the link.
  • Go back to the announcement page, after clicking Go to training, the website will navigate to a course called Credential Harvesting that we have set up on Sophos Central.
  • This page displays the course name Credential Harvesting, course content and time.
  • In order to participate in Start Course, at this time, a test will show a training lesson with questions and explanations to give us more information to do the test.
  • These are questions of the training.
  • If the correct answer will have a blue mark.
  • Complete the rest.
  • After completing the training, we will press Take Quiz to do the test.
  • Choose the best answer in each sentence and click Complete Quiz to complete the training.
  • If you do not reach the required score to pass the test, you can click Reset Quiz to redo or click Back to Lesson to review the video and find the answer.
  • Note: If the user clicks Complete but not enough points to pass training, on Sophos Central finished Training is still 0, it only increases when the user has enough points to pass the test.
    After the user fails to pass the test, we will return to the Sophos Central page, reload the page and see that the Finished training section is still 0.
  • Next we will do the test enough points to pass it.
  • Then go back to Sophos Central page, reload and we will see the number of Finished training increased 1 time, 1 person completed the training.
  • Because in this traning section only applies to 1 user, the parameters are 100% and after completing the training click on the name of the training as Credential Harvesting to see the statistics on the training and its results.
  • Finally to finish training click on End Campaign.

Be the first to comment

Leave a Reply

Your email address will not be published.