
Phishing campaigns

How to build, "launch", and read a phishing simulation — the template library, the roster, audience and cohorts, scheduling, the results dashboard, and AI-generated lures.

Simulation only — no email is sent. The simulator models recipient behavior locally so you can design and rehearse a campaign end-to-end. Live sending (a dedicated send runner + deliverability + the domain-authorization gate) is documented separately under Sending safely and is partly Deferred. Everything on this page works today and never touches the network.

1 · The template library

Open the Templates tab. You'll see a card for each of the 24 phishing templates. Every card shows:

Template categories

Category            | What it imitates
credential-harvest  | Fake "verify your account / sign-in" pages to capture passwords.
invoice-bec         | Business Email Compromise: a "quick favor" or payment request, often posing as an executive.
mfa-fatigue         | Repeated "approve this sign-in" prompts to wear a user down.
package-delivery    | "Your parcel is on hold / reschedule delivery" lures.
hr-payroll          | "Update your details before the next pay run" portal lures.
oauth-consent       | "An app is requesting access": malicious OAuth consent grants.
it-helpdesk         | "Mandatory IT action / security update" from a spoofed help desk.
smishing (SMS)      | Phishing over text message.
quishing (QR)       | Malicious QR codes ("scan to enroll/confirm").
vishing (voice)     | Voice / callback phishing (TOAD, telephone-oriented attack delivery).

Preview a template (the teachable moment)

  1. On any template card, click Preview.
  2. You'll see the rendered email: the sender persona, the subject, and the body, with personalization tokens filled in (e.g. {first} → a sample first name, {org} → your org name).
  3. Below the message is a Red-flag tells list — the specific clues that give the lure away. This is what you'd teach a user after they fall for it.
  4. Click Use in simulator to carry the template into the compose step.

The Org name for token preview field at the top of the Templates tab controls what {org} renders as. It defaults to the active client's name.

2 · The recipient roster

The audience for every campaign comes from the active client's roster. Each person has a name, email, department, role, manager, and a new-hire flag. The roster powers the audience picker, cohort filters, the manager/learner views, and risk scoring.

The roster is per-client and isolated. When you switch clients in the MSP console, the roster, campaigns, and everything else swap to that client. A campaign you build always targets the currently active client only.
Directory sync is deferred. Today the roster is a local sample. Automatic roster import and pruning from Entra / Google / Okta / JumpCloud is a wave-next capability. You work with the sample roster (or, in a real deployment, a provided roster) for now.

3 · Build and run a campaign

Open the Simulator tab. The compose form is numbered 1–3.

  1. 1 · Compose. Pick a Template from the dropdown (pre-selected if you arrived via "Use in simulator"). Give the campaign a name.
  2. Choose the audience. Under "Audience — departments", every department is checked by default; untick any you want to exclude. The count next to each department shows how many people are in it.
  3. Narrow to a cohort (optional) — see the cohort table below.
  4. Schedule a send window. Pick a date/time. (This is recorded on the campaign; in simulation it doesn't delay anything.)
  5. 2 · Preview the selected template if you want a last look at the lure and its tells.
  6. 3 · Schedule & run simulation. Watchword builds the audience, models each recipient's behavior, and creates the campaign. You'll see a toast confirming the recipient count, and the results appear in the dashboard below.

Cohorts

A cohort narrows the selected departments down to a behavioral or lifecycle group. Choose one from the Cohort dropdown:

Cohort                               | Who it targets
Everyone in selected depts           | No extra filter: all checked departments.
New hires (onboarding)               | People flagged as new hires.
High-risk (Human Risk Score ≥ 50)    | People whose Human Risk Score is 50 or higher.
Repeat clickers                      | Anyone who clicked or submitted in any prior simulation.
Never reported a sim                 | People who have never reported a simulated phish.

If the department + cohort combination matches no one, you'll see "No recipients match that department + cohort selection." Widen the departments or pick a less restrictive cohort.

Per-learner subject randomization

To keep a simulation from being pattern-matchable across the office ("hey, did everyone get this exact email?"), each recipient gets a randomized subject variant drawn from a pool for that template's category. The variant is deterministic per person + template, so re-running is consistent, and the exact variant each person saw is shown in the event log. The campaign card shows how many subject variants were used.
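The two pieces of audience logic described above (department ticks narrowed by a cohort, then a deterministic per-person subject variant) are small enough to show end to end. The block below is an added example written for this page, not Watchword's own code: the roster, the cohort names, the subject pool and the FNV-1a hash used to pick a variant are all assumptions made for illustration, and the empty-audience case returns the same message the simulator shows.

```javascript
// Added example (not Watchword's own code): build a campaign audience from a
// roster with department ticks and a cohort filter, then give each recipient a
// deterministic subject variant. Roster, pool and field names are constructed.
const roster = [
  { id: 1, name: "Ana Ortiz", email: "ana@example.test", department: "Finance", newHire: false, riskScore: 72, history: ["click"] },
  { id: 2, name: "Ben Lee",   email: "ben@example.test", department: "Finance", newHire: true,  riskScore: 20, history: [] },
  { id: 3, name: "Cy Dube",   email: "cy@example.test",  department: "IT",      newHire: false, riskScore: 55, history: ["report"] },
  { id: 4, name: "Di Park",   email: "di@example.test",  department: "HR",      newHire: true,  riskScore: 10, history: ["submit", "report"] },
];

// One predicate per dropdown entry; each decides for a single person.
const COHORTS = {
  everyone: () => true,
  newHires: (p) => p.newHire,
  highRisk: (p) => p.riskScore >= 50,
  repeatClickers: (p) => p.history.some((e) => e === "click" || e === "submit"),
  neverReported: (p) => !p.history.includes("report"),
};

// Returns { recipients } or { error } when dept + cohort matches nobody.
function buildAudience(people, departments, cohort) {
  const keep = COHORTS[cohort];
  if (!keep) throw new Error(`unknown cohort: ${cohort}`);
  const depts = new Set(departments);
  const recipients = people.filter((p) => depts.has(p.department) && keep(p));
  if (recipients.length === 0) {
    return { error: "No recipients match that department + cohort selection." };
  }
  return { recipients };
}

// 32-bit FNV-1a: cheap and deterministic, fine for spreading recipients over a
// small variant pool. It is not a cryptographic hash and is not meant as one.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Variant keyed on person + template, so re-running the same campaign gives
// the same person the same subject line.
function subjectVariant(person, templateId, pool) {
  return pool[fnv1a(`${person.email}|${templateId}`) % pool.length];
}

// Constructed pool for the package-delivery category.
const PACKAGE_POOL = [
  "Your parcel is on hold",
  "Action needed: reschedule your delivery",
  "Delivery attempt failed",
];

// Audience plus per-recipient subject, and the variant count the card shows.
function planCampaign(people, departments, cohort, templateId, pool) {
  const audience = buildAudience(people, departments, cohort);
  if (audience.error) return audience;
  const plan = audience.recipients.map((p) => ({
    email: p.email,
    subject: subjectVariant(p, templateId, pool),
  }));
  return { plan, variantsUsed: new Set(plan.map((r) => r.subject)).size };
}

console.log(planCampaign(roster, ["Finance", "IT", "HR"], "highRisk", "package-delivery", PACKAGE_POOL));
```

Keying the hash on the recipient's email plus the template id is what makes the assignment stable across re-runs while still differing between templates; using the person alone would give everyone the same variant index for every category.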

4 · Results & metrics

Every campaign you run appears as a card in the Results dashboard (newest first). Each card shows the headline phish-prone % and a stat grid:

Metric         | Meaning
Sent           | How many recipients the lure was "sent" to (the audience size).
Opened         | How many opened it.
Clicked        | How many clicked the link / scanned the QR / answered the call.
Submitted      | How many went on to enter data on the fake page. Boolean only: Watchword records only that data was entered, never the password or its value/length.
Reported       | How many recognized it and reported it. Reporting is the win.
Phish-prone %  | (clicked + submitted) ÷ sent. The headline risk number for the campaign. Lower is better.

What the model is doing

Because no live email is sent, Watchword generates a realistic, deterministic-per-roster event log. The likelihood that a given person opens, clicks, submits, or reports is weighted by:

Per-campaign actions

Button                              | What it does
Event log                           | Opens a per-recipient table: who, department, the event (sent / open / click / submit / report), the exact subject variant they saw, and a timestamp.
Auto-enroll clickers in remedial    | Assigns the remedial course (Spotting Phishing Emails) to everyone who clicked or submitted, with a 14-day due date. Idempotent: running it twice never double-assigns.
Delete                              | Removes the campaign from the active client.

Remedial auto-enrollment also happens automatically. When you run a campaign, clickers and submitters are immediately assigned the remedial course (14-day due window). The "Auto-enroll" button is there to re-run it or do it on demand. See Training → Assignments.
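The stat grid and the idempotent enrollment both derive from the per-recipient event log, so the block below computes them from one constructed log. It is an added example for this page, not Watchword's code; the event names follow the table above, while the log rows, the course name and the due-date arithmetic are assumptions. Phish-prone % is computed exactly as the metrics table defines it, (clicked + submitted) ÷ sent, and the example also reports the de-duplicated share of recipients who clicked or submitted at all, because the two figures differ whenever a submitter is also counted as a clicker.

```javascript
// Added example (not Watchword's own code): derive the campaign stat grid from
// a per-recipient event log, then auto-enroll clickers/submitters idempotently.
// The log below is constructed: one campaign, four recipients.
const eventLog = [
  { email: "ana@example.test", event: "sent" },
  { email: "ana@example.test", event: "open" },
  { email: "ana@example.test", event: "click" },
  { email: "ana@example.test", event: "submit" },  // boolean only; no value recorded
  { email: "ben@example.test", event: "sent" },
  { email: "ben@example.test", event: "open" },
  { email: "ben@example.test", event: "report" },
  { email: "cy@example.test",  event: "sent" },
  { email: "cy@example.test",  event: "open" },
  { email: "cy@example.test",  event: "click" },
  { email: "di@example.test",  event: "sent" },
];

// Each recipient counts at most once per event type, so a second "open" row
// for the same person cannot inflate the opened figure.
function campaignMetrics(log) {
  const who = {};
  for (const { email, event } of log) {
    (who[event] = who[event] || new Set()).add(email);
  }
  const count = (e) => (who[e] ? who[e].size : 0);
  const sent = count("sent");
  const clicked = count("click");
  const submitted = count("submit");
  // Union of clickers and submitters: a person who did both counts once.
  const failed = new Set([...(who.click || []), ...(who.submit || [])]).size;
  const pct = (x) => (sent ? Math.round((100 * x) / sent) : 0);
  return {
    sent,
    opened: count("open"),
    clicked,
    submitted,
    reported: count("report"),
    phishPronePct: pct(clicked + submitted), // the page's definition
    failedPct: pct(failed),                  // de-duplicated comparison figure
  };
}

const REMEDIAL_COURSE = "Spotting Phishing Emails"; // course name from the page
const DUE_DAYS = 14;

// Idempotent: anyone who already holds the remedial assignment is skipped, so
// running this twice (or the automatic run plus the button) never doubles up.
function autoEnrollClickers(log, assignments, now = new Date("2025-01-01T00:00:00Z")) {
  const targets = new Set(
    log.filter((e) => e.event === "click" || e.event === "submit").map((e) => e.email),
  );
  const already = new Set(
    assignments.filter((a) => a.course === REMEDIAL_COURSE).map((a) => a.email),
  );
  const due = new Date(now.getTime() + DUE_DAYS * 86400000).toISOString();
  const added = [...targets]
    .filter((email) => !already.has(email))
    .map((email) => ({ email, course: REMEDIAL_COURSE, due }));
  return { assignments: assignments.concat(added), added: added.length };
}

console.log(campaignMetrics(eventLog));
console.log(autoEnrollClickers(eventLog, []));
```

Note that on this constructed log the page's formula gives 75% while only half of the recipients actually fell for the lure; when comparing campaigns, check which of the two figures a dashboard is reporting before reading a trend into it.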

5 · AI-generated lures Pro · BYO-key

The AI content tab lets you draft a custom lure (or a training micro-lesson) with your own LLM key.

  1. Under AI key settings, pick a provider (OpenRouter recommended; OpenAI and Anthropic also supported), paste your API key, optionally set a model, and click Save key.
  2. Under Generate a phishing-simulation lure, fill in a theme/scenario, a target role, and a difficulty.
  3. If you need the lure to impersonate a named brand, tick Disclosed internal exercise — otherwise the brand guard refuses named-brand impersonation.
  4. Click Generate lure.
Your key never leaves your browser. The browser calls the AI provider directly; the key is stored only in your browser and never touches a DosanjhLabs server. We never pay for or see your inference. Because the key lives in the browser, anyone who can use that browser profile, or any script that runs in the page, can read it, so treat it like a key kept on that workstation: use a key scoped and budgeted for this purpose, and rotate it if the machine is shared or lost.
Abuse fence. Generated output is post-filtered: anything that looks like a real credential-capture form, a password input, cookie/exfiltration code, or "actually steal" instructions is blocked. This keeps the AI a simulation tool, not a weapon. If a generation is blocked, rephrase your theme toward a teachable scenario.
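A post-filter of this kind is easy to show in outline. The block below is an added example, not Watchword's brand guard or abuse fence: the block rules cover the four categories the paragraph names (credential-capture forms, password inputs, cookie/exfiltration code, "actually steal" instructions), the brand list is constructed for illustration, and a production guard would carry far more patterns than these.

```javascript
// Added example (not Watchword's own code): a regex post-filter for generated
// lure text plus a brand guard gated on the "Disclosed internal exercise" tick.
// Rules and brand list are illustrative assumptions, not the product's.
const BLOCK_RULES = [
  { reason: "password input",         re: /<input[^>]*type\s*=\s*["']?password/i },
  { reason: "credential form",        re: /<form[^>]*\b(action|method)\s*=/i },
  { reason: "cookie access",          re: /document\.cookie/i },
  { reason: "exfiltration code",      re: /\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\s*\(/i },
  { reason: "real-theft instruction", re: /\b(actually|really)\s+(steal|harvest|exfiltrate)\b/i },
];

// Constructed brand list; the real guard would use a maintained one.
const BRAND_LIST = ["Microsoft", "Google", "DocuSign", "FedEx"];

// Returns { allowed: true } or { allowed: false, reason }. Hard blocks are
// checked first so a disclosed exercise can never unlock a capture form.
function guardLure(text, { disclosedExercise = false } = {}) {
  for (const rule of BLOCK_RULES) {
    if (rule.re.test(text)) return { allowed: false, reason: rule.reason };
  }
  if (!disclosedExercise) {
    const brand = BRAND_LIST.find((b) => new RegExp(`\\b${b}\\b`, "i").test(text));
    if (brand) {
      return {
        allowed: false,
        reason: `named-brand impersonation (${brand}) requires a disclosed internal exercise`,
      };
    }
  }
  return { allowed: true };
}

console.log(guardLure("Your FedEx parcel is on hold; reschedule today."));
console.log(guardLure("Your FedEx parcel is on hold; reschedule today.", { disclosedExercise: true }));
```

Checking the hard-block rules before the brand guard is the important ordering: the exercise tick relaxes only who may be impersonated, never what the lure is allowed to contain.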