[Campaign] Set up a randomized phishing campaigns

Use this guide to create and launch a randomized phishing campaign in Guardey. In a randomized campaign, Guardey sends phishing emails at random moments within a defined sending window. This makes the campaign less predictable.

Note: The phishing module is only available for Phishing Only and Advanced plans.

Access the phishing module

1. Sign in to the admin portal.
2. In the menu, open Phishing.

Create a new campaign

1. In Phishing, click Create new campaign.
2. Choose Randomized campaign.
3. Follow the on-screen steps to configure the campaign.

Name your campaign first

1. Enter a clear campaign name.
2. Add a short description so you can recognize the campaign later.

Complete whitelisting before you continue

Before you launch your campaign, make sure your email environment is ready to receive simulation emails.

1. Complete the correct whitelisting guide for your email platform.
2. If you use additional email security tools, whitelist the same domains and IP addresses there as well.

ℹ️ Randomized campaigns often use a selection of multiple templates. For that reason, we recommend whitelisting all relevant domains, so deliverability does not depend on a single template or domain configuration.

Next step

• [Deliverability] Whitelisting overview: what to whitelist for email delivery
• [Deliverability] Whitelisting Microsoft 365
• [Deliverability] Whitelisting Google Workspace

ℹ️ Without whitelisting, emails can be blocked, quarantined, or scanned automatically. This can also cause unexpected “opens” or “clicks” in reporting.

Choose one or more phishing templates

1. Browse the available templates.
2. Use the filters to quickly build the right selection:
   • Language
   • Level
   • Label
3. Select one or more templates that match your goal and audience.

Customize templates per language

If you want to make changes, you can customize templates per language, so the content matches users with different language settings.

Good to know about language

Guardey uses the user’s language preference. If a template is not available in the user’s language, Guardey sends the English version.

Next step

• [Template] Choose templates: best practices
• [Template] Customize templates

Choose the target domain

1. Select the domain or domains you want to run this campaign against.

These are the domains your recipients use (for example, company.com). Guardey uses this selection to ensure the campaign matches the domain(s) where you configured whitelisting.

• You can select one or multiple domains.
• Make sure whitelisting is configured for every domain you select to avoid delivery issues.

ℹ️ Guardey only shows domains that exist in your Guardey user base. If a domain is missing, add users with email addresses on that domain first.

Set the sending window and frequency

1. Choose a start date and end date for your campaign (the sending window).
2. Set how many phishing emails each user should receive within this window.

ℹ️ The number of emails per user cannot be higher than the number of selected templates. Guardey does not send duplicate templates within the same campaign.

Good to know about sending moments

• Guardey sends emails at random moments within the sending window.
• Saturday and Sunday are excluded. No emails are sent on these days.

Select the target audience

1. Choose who should receive the phishing emails:
   • individual users
   • groups
   • the entire organization
2. Double-check that your selection matches your objective.

ℹ️ Group targeting is the easiest way to control scope and avoid sending tests to the wrong audience.

Test deliverability

Sending a test email from a randomized campaign is often difficult in practice, because you can only schedule the campaign starting from the next day.

For that reason, we recommend testing deliverability first with a one-time phishing campaign (for example, to yourself or a small test group). Once delivery works as expected, you can set up your randomized campaign.

Next step

• [Campaign] Set up a one-time phishing campaign

Launch the campaign

1. Review your settings:
   • campaign name
   • template selection
   • target domain(s)
   • sending window and emails per user
   • target audience
2. When everything looks correct, click Launch campaign.

Cancel a campaign

You cannot pause or edit a randomized campaign after you create it. If you want to stop the campaign, you can archive it. Archiving cancels the campaign.

Monitor campaign progress

After launch, open the campaign to view progress and results.

1. In Phishing, open the campaign.
2. Review key metrics such as sent, opened, clicked, and reported.

ℹ️ Guardey currently pulls results twice per day. This may cause a delay between user activity and what you see in the campaign.

Next step

• [Reporting] Phishing reporting explained: email sent, opened, link clicked, submitted data
• [Troubleshooting] Why do I see clicks when nobody clicked?