Introducing Phish Threat and Phish Threat emulation with Sophos Central Part 3

The goal of the article

  • Following the article in Part 2, Part 3 will proceed with Phish Threat configuration with the third Campaings type Attachment on Sophos Central.
  • Also, you can review part 2 of the article here.

Instructions for configuring Phish Threat features on Sophos Central.

  • To use Phish Threat feature on Sophos Central, we first need to create a Sophos Central account.
  • To create Sophos Central account, you can see the instructions here.
  • After acquiring Sophos Central account, log into Sophos Central with the account you just created at
  • Next select People to add users for Phish Threat configuration.
  • Click Add> Add User.
  • The Add User table appears, fill in the name FIRST & LAST NAME and enter the email address in the EMAIL ADDRESS box.
  • Note: Email address must be a domain email address, do not use public email addresses like Gmail, Yahoo …
  • Next, let email training send to users who are not added to the Spam folder. We need to add IP addresses and domains for training to the trusted item (whilelist) on Mail Server or mail services like G- Suite, Office 365 ….
  • To obtain the IP address, log in to Sophos Central account and click Phish Threat> Setting> Sending domains and IPs.
  • Now we will see two IP addresses and a series of domains that Sophos provides for the training.
  • Next we press MY PRODUCTs> Phish Threat> Campaigns to enter the Phish Threat feature.
  • Here to do training for users we need to create Campaigns, to create Campaigns click New Campaigns.
  • We will set name for Campaigns and choose the type for Campaigns.
  • Campaigns has 4 types:
  • Phishing: Attracting targeted users to click on a link in an email.
  • Credential Harvesting: Attracting targeted users to enter login information into a fake website.
  • Attachment: Attracting targeted users to open an attachment in an email.
  • Training: Enroll the target user for mandatory training based on the selected training modules.
  • We will do the simulation of Campaigns to see how it works.
  • In this article, we will simulation Attachment Campaings type.
  • After clicking New Campaigns, we will enter the name for Campaigns as Attachment and select Attachment and then click Next.
  • Next we will select the attack pattern, in this case Sophos has provided us with a lot of attack patterns coming from famous websites like Amazon, Adobe, Apple … we just choose one of the The type of attack we want.
  • Here We will choose the type of Car Lights On and then click Next.
  • Next, we will choose the type of training for users, where Sophos also provides training types on internet threats such as Ransomeware, Keyloggers, Macro Malware …, these training types will include 1 video clip with subtitles English and record video time.
  • We can choose up to 5 training types for 1 Campaigns and those training types will be random when sent to users.
  • Here We will choose the type of Training Ransomeware and then click Next.
  • Next is the Customize section, which allows you to edit the contents of Attack Email, Reminders Email, Caught Landing, Training Landing.
  • This section contains 4 parts: Attack Email, Reminder Email, Caught Landing, Training Landing.

Attack Email.

  • In this Attack Email section, when we click, we will see the information available such as Name, Email, Email Subject. We can change it if you want.
  • Here we will simulate an email sender to come with a CV file. o In the From Name section, it will be Nguyen Van Phu.
  • In the From Email section will be
  • Here we will use additional sub-domains by checking the Use a sub-domain box on phishing ULR replacements and filling in the blank box Sophos.
  • So our email will be Attachment Filename we will fill it in as CV Phu.
  • The Email Subject section we will fill in is “Nguyen Van Phu application for IT Helpdesk position application”.
  • Next we drag the mouse down to see the contents of the email we will send, we can click Edit to edit the content sent.
  • Here we will Edit the job content as follows.

Caught Email.

  • Caught This email will contain an email with the content “This is not a real attack but it may have happened”.
  • This page will appear when users download the attachment and turn it on, the page shows the wrong purpose for users to know that this is a training and users have not passed.
  • You can edit the content of the page by clicking Edit.

Reminder Email.

  • This email is used to remind people when they have not completed the training.

Training Landing.

  • This page will display after the user clicks Go to training at Caught Email earlier.
  • This page is to inform users that they have been added to a training.
  • After modifying the Customize section click Next to go to the Enroll Users section.
  • In this section we can assign 1 or more Users or Group for training.
  • Click Next to go to Review & Schedule, in this section you can set the time for training to take place.
  • You can choose Launch at schedule time to set the timetable or select Launch immediately for the training to take place immediately after clicking Done.
  • In the Sending Increment section, help us set up this training for many people in a certain period of time.
  • For example: if you choose Send to all enroll users and at the same time, this training will be sent to all users at the same time. If you select Send 5% and select Every hour, every 1 hour the training will be sent to 5% of the total number of people selected in the Enroll User section above.
  • Pull down the Email, Training and Recipients sections to help the user check the content of the email to be sent and the selected training section along with the user name and email of the designated user.
  • Click Done to finish.
  • At this time, on Sophos Central will display the parameters of the training.
  • As we can see in Active Campaigns is the name of the Attachment training, next to 1 Emails sent, 1 email was sent.
  • Next is 0 Emails opened, this part will increase when a user opens the email.
  • At 0 users are caught, this part will increase when the user clicks on the link.
  • At 0 Finished training, this part will increase when the user completes the training.
  • Next we will go to the email account to see the email just sent.
  • Click to open the email and we will see information such as sender, email address, email subject, the same email content as we set up on Sophos Central.
  • After opening the email, we return to Sophos Central page and reload the page we will see in the Email opened section will increase by 1 because we opened the email sent.
  • Return to the email page, we will click on the attachment below to download the file to the computer and open it.
  • At this time we receive an email notification from Sophos that we have been invited to the training by downloading and opening the attachment.
  • Content is the content of Caught Email page that we have set up in Customize section.
  • The announcement page tells us “This is not a real attack but it may have happened” and we have to watch the video training and do the test by clicking Go to training.
  • Go back to Sophos Central page and reload the page, we will see the Users caught section increased by 1 by the user who clicked on the link.
  • Return to the notification page, after clicking Go to training, the website will navigate to the content page as the Training Landing page that we have set up in Customize section.
  • Click Go to training.
  • The website will navigate to a course called Ransomeware which we have set up on Sophos Central.
  • This page displays the course name is Ransomeware, course content and time.
  • To join Start Course, a video with 4 minutes time will be displayed with English subtitles and we have to watch the video to guide to the Test.
  • After watching all the videos, we will press Take Quiz to do the test.
  • Select the correct answer and click Complete Quiz to complete the training.
  • If you do not reach the required score to pass the test, you can click Reset Quiz to redo or click Back to Lesson to review the video and find the answer.
  • Note: If the user clicks Complete but not enough points to pass training, on Sophos Central finished Training is still 0, it only increases when the user has enough points to pass the test.
  • After the user fails to pass the test, we will return to the Sophos Central page, reload the page and see that the Finished training section is still 0.
  • Next we will do the test enough points to pass it.
  • Then go back to Sophos Central page, reload and we will see the number of Finished training increased 1 time, 1 person completed the training.
  • Because in this traning section only applies to 1 user, the parameters are 100% and after completing the training click on the name of the training as Phishing to see the statistics on the training and its results.
  • Finally to finish training click on End Campaign.

Be the first to comment

Leave a Reply

Your email address will not be published.