Awareness Training - Managing Phishing Templates

Updated

This article contains information on creating, customizing, and managing phishing email templates, including translated and multi-stage templates, adding phishing indicators, QR codes, and deleting templates within the Awareness Training platform.

You can utilize a phishing template to simulate phishing attacks and send them to groups of users as part of a Phishing campaign.

Also See:

Custom Templates

You can customize the Phishing translated templates, which allows you to edit the template as you need it. We provide several email templates for you. 
During the editing process, you can make amendments in the left side, and see a preview of your changes on the right side.

You can view your phishing email templates by using the following steps:

  1. Log in to Mimecast Awareness Training.
  2. Navigate to Phishing Training |Template Library.
  3. Your templates are displayed, grouped into the following sections: 
    • Translated Templates.
    • My Templates.
    • Templates.
    • Landing Pages

Click on the View Email link at the end of the template's summary to display a preview of the email that will be sent as part of the phishing campaign.

 

Creating a Custom Template

If you can't find a template that meets your requirements, you can customize one of the templates and modify it to create your own custom template. All phishing templates include a predefined landing page that can be customized with text (only) in the footer. 

If you require a localized version of a template in a language that is unsupported by a campaign, create a copy of the template complete with the translated copy.

You can create a custom template by using the following steps:

  1. Log in to Mimecast Awareness Training.
  2. Navigate to Phishing Training |Template Library.
  3. Find the Template you want to edit.
  4. Click Customize.
  5. Complete the Input Editor  as below:
Field / Option Description
Language Select a language. Custom templates aren’t translated and therefore, the Email Template will need to be manually translated into your chosen language.
Template Title Enter a title for the template to enable you to identify it.
Subject  Specify the subject displayed in the email sent to users.
This field allows up to 128 characters.
From Email  Select an email address from the dropdown list. This is the sender address that users see when they receive the phishing email.

When Direct Message Injection is enabled, the From Email field in the template editor becomes an open text box, permitting full domain customization.
Display Name  Enter the display name you want the recipients to see. 
Difficulty Select the Difficulty level of out-of-the-box phishing templates.
Category  Select a category that defines the type of attack your template represents. 
Tags Add up to 100 tags. 
Email Template

Use the text editor to amend the email template. This must include:
[rawlink] to link to the Engage phishing campaign landing page. While this exists inside our platform and is not editable, you can include another embedded link to your own company website, that opens in a new window when clicked.

• [tracklink] must be located at the end of the template, to enable the phishing statistics to be captured.

This field allows up to 8192 characters.
  1. Click Save.
  2. If you want to create a multi-stage phishing template, click the Phishing Form tab.

Once a Phishing Form has been added to a template, it cannot be removed.

  1. Click Upload a logo to insert an image.
  2. Click Insert Background Image to insert and edit a background image, max file size of 2MB.
  3. Toggle the Header switch to add your text.
  4. Edit the Field Types and associated labels.
  5. Toggle the Footer switch to add your text.
  6. If required, edit the Button Label.
  7. Use the Colors option to edit the colors of the following components:
    • Button.
    • Form.
    • Background.
    • Text.
  1. Once complete, select the Email Message tab to make any final changes.
  2. Click Save.
  3. The template will be saved in the My Templates tab, where you can choose to Edit or Copy the template if desired. 
There will be an icon on the Customized template to show that the template is multi-stage.

Creating a Custom Template with Phishing Indicators

You can add phishing indicators for the Subject, From Email, and Display Name fields of any custom template using the following steps:

  1. Log in to Awareness Training.
  2. Navigate to Phishing Training | Template Library.
  3. Find the Template you want to edit.
  4. Click Customize.
  5. Complete the Input Editor.
  6. Select the specific fields you wish to add a phishing indicator to:

  1. Select an email address from the dropdown list. This is the sender address that users see when they receive the phishing email. Clicking the flag allows you to add a phishing indicator:

  1. When you add phishing indicators to any of these fields, a red flag will appear next to it, as shown below:

  1. If you wish to see which indicators you have already created, click manage:

  • In this window, you can preview the template with phishing indicators as your end users will see it, and you can edit or delete the red flags/indicators:

  • You may also add email body indicators. Highlight the text within the email that you wish to flag. Click mark indicator and populate the fields.

  1. After adding phishing indicators, click Manage to pen a preview window showing the template and indicators as your end users will see it. Here, you can also edit or delete the red flags/indicators:

  1. Click save.
  2. You can view your template in My Templates where you can edit, copy or delete them.

Phishing Indicators Examples
Category Red Flag Explanation Example(s) Source/Framework
SENDER Unexpected sender Email is from someone you were not expecting to contact you Email from "HR" about a policy update you didn't know about NIST Phish Scale, SANS, CIS
SENDER Unknown sender Sender is not recognized by you or your organization Email from "<john.doe@unknown-domain.com>" NIST Phish Scale, SANS
SENDER Sender address spoofed Sender address appears to be from your organization but is unusual Email from "<ceo@yourcompany.com>" requesting gift cards NIST Phish Scale, MITRE
SENDER Strange or suspicious domain Sender's domain is odd, misspelled, or not associated with the claimed org Email from "<support@micros0ft.com>" NIST Phish Scale, SANS
SENDER Domain spoofs popular site Domain is a weird variation of a well-known organization Email from "<security@paypa1.com>" NIST Phish Scale, SANS
SENDER Domain misspelling Domain is a misspelling of a popular website Email from "<admin@amaz0n.com>" NIST Phish Scale, SANS
SENDER Display name spoofing Display name matches a known contact but the email address does not Email from "Jane Smith <randomaddress@gmail.com>" MITRE, SANS
SENDER Compromised legitimate account Email comes from a real but compromised account Email from a known vendor but with unusual requests APWG, Recent Trends
SENDER Reply-to mismatch Reply-to address is different from the sender address Email from "<it@company.com>" with reply-to "<phish@malicious.com>" NIST Phish Scale, SANS
SUBJECT Irrelevant or mismatched subject Subject line does not match the content Subject: "Invoice Attached" but no invoice in body NIST Phish Scale, SANS
SUBJECT Unsolicited reply Subject line shows a reply to something you never sent Subject: "RE: Your Request" when you made no request NIST Phish Scale, SANS
SUBJECT Unsolicited forward Subject line shows a forward but content is not relevant Subject: "FWD: Payroll Update" but you are not in payroll NIST Phish Scale, SANS
SUBJECT Excessive urgency in subject Subject line uses urgent language Subject: "URGENT: Immediate Action Required!" NIST Phish Scale, SANS
CONTENT Generic or ambiguous salutation Uses non-personalized greetings Dear User, Dear Sir/Madam NIST Phish Scale, SANS
CONTENT Unusual request Asks for actions outside normal business process Request to purchase gift cards for a manager NIST Phish Scale, SANS
CONTENT Request for sensitive info Asks for credentials, financial, or personal data Request to verify your password or SSN NIST Phish Scale, SANS
CONTENT Unexpected attachment or link Contains attachments or links not relevant to your work Attachment labeled "Invoice" when you have no open invoices NIST Phish Scale, SANS
CONTENT Spelling/grammar errors Obvious language mistakes Misspelled words, poor grammar NIST Phish Scale, SANS
CONTENT Sense of urgency Pressures you to act quickly Do this now! Only 1 hour left! NIST Phish Scale, SANS
CONTENT Threats or negative consequences Warns of bad outcomes if you don't comply Your account will be locked if you don't respond NIST Phish Scale, SANS
CONTENT Promise of reward Offers something valuable for compliance Click here to claim your prize! NIST Phish Scale, SANS
CONTENT Shocking or emotional content Uses fear, excitement, or curiosity to prompt action Your account has been hacked! See details inside NIST Phish Scale, SANS
CONTENT Aggressive or manipulative language Uses aggressive tone to scare or coerce Failure to comply will result in disciplinary action NIST Phish Scale, SANS
CONTENT Unusual timing Sent at odd hours or outside business norms Email sent at 3am from a manager NIST Phish Scale, SANS
CONTENT Unusual format or branding Branding, logos, or formatting look off Logo is pixelated or colors are wrong NIST Phish Scale, SANS
CONTENT Unusual or out-of-context content Not typical for your role or organization Email about a process you don't handle NIST Phish Scale, SANS
CONTENT Requests to bypass procedures Asks to ignore normal security or business processes Please wire funds without manager approval NIST Phish Scale, SANS
CONTENT Requests for secrecy Asks you to keep the request confidential Do not tell anyone about this request NIST Phish Scale, SANS
ATTACHMENTS Strange or enticing attachment Attachment has an intriguing or unnecessary title Attachment named "Salary\_Increase.pdf" NIST Phish Scale, SANS
ATTACHMENTS Dangerous file extension Attachment has risky extension (.exe, .js, .scr, .bat, .zip, .iso) Attachment named "update.exe" NIST Phish Scale, SANS
ATTACHMENTS Attachment mismatch Attachment type does not match the context Invoice.docx for a payment request NIST Phish Scale, SANS
LINKS Link mismatch Displayed link does not match actual URL Text says "[www.company.com](http://www.company.com)" but link goes to "malicious.com" NIST Phish Scale, SANS
LINKS Link to unrelated or suspicious site Link points to a site unrelated to the email content Link to "bit.ly/xyz" in a payroll email NIST Phish Scale, SANS
LINKS Shortened or obfuscated link Uses URL shorteners or obfuscation Link is "tinyurl.com/abc123" NIST Phish Scale, SANS
LINKS Non-HTTPS or insecure link Link is not secure or uses HTTP Link is "<http://login.com>" NIST Phish Scale, SANS
LINKS Link to credential harvesting page Link leads to a fake login or data entry page Link to "login-microsoft.com" asking for credentials NIST Phish Scale, SANS
LINKS QR code QR codes in email could lead to phishing site. QR code phishing is becoming increasingly common.  Scan QR code to verify your account NIST Phish Scale, SANS
ADVANCED Collaboration tool phishing Phishing via Slack, Teams, or similar Fake Teams invite with malicious link Recent Trends, MITRE
ADVANCED Compromised supply chain Email from a trusted vendor or partner but with malicious intent Invoice from a real supplier but with changed payment details Recent Trends, APWG
INDUSTRY-SPECIFIC Fake transaction alerts (Finance) Claims of unauthorized transactions Email: "Suspicious activity detected on your account" Industry-Specific
INDUSTRY-SPECIFIC Health authority impersonation (Healthcare) Claims to be from hospital or health agency Email: "COVID-19 vaccine appointment" Industry-Specific
INDUSTRY-SPECIFIC Fake order/shipment notices (Retail) Order or delivery issues Email: "Order delayed, click to reschedule" Industry-Specific
INDUSTRY-SPECIFIC Fake password reset (Education) IT requests for password reset Email: "Reset your university password" Industry-Specific
INDUSTRY-SPECIFIC Agency impersonation (Government) Claims to be from government or tax authority Email: "IRS tax refund available" Industry-Specific

Adding QR-Based Phishing Translated Template

To add a QR code to the phishing template, simply type [qrcode] within the template. This placeholder automatically generates a QR code when the phishing campaign is sent out.

You can create a custom template by using the following steps:

  1. Log in to Mimecast Awareness Training.
  2. Navigate to Phishing Training |Template Library.
  3. Find the Translated Template you want to edit.
  4. Click Customize.

Use the text editor to amend the email template. This must include [qrcode] to link to the Awareness Training phishing campaign landing page.

Deleting a Custom Template

You can delete a custom template, by using the following steps:

  1. Log in to Mimecast Awareness Training.
  2. Navigate to Phishing Training |Template Library | My Templates.
  3. Click Delete to the right of the custom template you wish to remove.
  4. Click Sure? to confirm the deletion.

Related to

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.