Getting started with Phishing Tests
Follow the instructions below to get started with PhishingBox. Click the heading links for video tutorials, or follow the bulleted links for more detailed instructions. Make your organization more secure starting today!
Every campaign will contain at least one target domain. In order to send emails to the domains in a campaign, the domains must be verified. You can pre-authorize a domain for all future tests by verifying the target domain. Navigate to the Manage Target Domains page. On this page you will see all domains for your targets. Click on the verify button next to a domain you wish to verify.
Enter the email address of the user who will be verifying domains and click "Send Verification Email". After the email is received, you can verify the domain by clicking the verification link. Once verified, you can click the "Check" button to receive the status. You can also send a request to support with a list of domains to be pre-authorized en masse. For this, use the alternative manual domain authorization form and submit it to support.
In order to start testing you must first create a group and add phishing targets. Groups can be created and targets synced from various third-party platforms such as Azure AD, LDAP, or a CSV file. For more information and instructions related to groups see the following articles.
- Create / Edit Group
- Importing from CSV
- Importing from Office365/Azure AD with Microsoft Graph
- Import from LDAP
Safelisting (whitelisting) is the process of configuring your email client and security tools to allow phishing emails to reach your users. The links below contain instructions detailing safelisting methods for the most popular email clients and security tools. If your email client or security configuration is not listed, visit the safelisting section of the user guide or consult with your security tools' vendors.
- Safelisting (Whitelisting) Basics
- Microsoft Defender Advanced Delivery Policy
- Instructions for Safelisting in G Suite/Google Apps/Google Workspace
Campaigns are the primary function of the platform. To create a campaign, open the "Tests/Campaigns" module and click "+ Create Campaign". There are 3 major parts to creating a campaign. First, select the groups you wish to test. Second, select how you want the emails to be sent; by default they are sent immediately, at up to 1000 per hour, until all emails are sent. Third, choose the templates to be sent to the targets. Default templates are shown under the "Template Library". To use a template as is, click "Get" on the template and then close the editor. For detailed instructions and information related to configuring campaigns, see the following articles.
The core concepts outlined above cover the basics of testing your firm's vulnerability to phishing attacks. There are many more features, including account email customization, learning management system integrations, and an Office 365 or G Suite add-in that you can use to improve your firm's email security. Consult the user guide to learn more about all of the features we offer, or contact support with any questions or comments.