
Phishing Campaigns

Last Updated: November 25th, 2019


Identify applications at risk from malicious attack by launching phishing assessments directly from the Duo Admin Panel. Send a customized email to recipients selected from your enrolled Duo users. Monitor the progress of your phishing campaign with custom reports. Once you’ve identified your most vulnerable users, you can implement granular user and device-based policies, including two-factor authentication.

Phishing Tool Unavailable after January 20, 2020

Duo is discontinuing our phishing tools to focus on multi-factor authentication and device trust features and functionality. As of November 25, 2019, the Phishing feature is no longer available for new accounts or Access/Beyond edition trials.

Starting January 20, 2020, the Phishing Campaigns tool in the Duo Admin Panel will no longer be accessible. Duo Access and Duo Beyond customers will no longer be able to start new phishing campaigns from the Duo Admin Panel, nor view previous campaign information.

Additionally, when the Phishing feature is retired for all customers, admins with the Phishing Manager role may no longer log into the Admin Panel. If existing admins with the Phishing Manager role need to retain access to the Duo Admin Panel after January 20, 2020, an Owner must update those admins to assign them a different administrator role.

If you want to retain information about your existing phishing campaigns, export the information before January 20, 2020.

Paid Duo Beyond and Duo Access plans integrate Duo's free Insight phishing tool directly into the Duo Admin Panel, simplifying campaign creation and monitoring.

If any of your users do enter their login information after clicking a link in your simulated email, they'll see some tips about how to identify phishing emails in the future. Don't worry! Duo Insight doesn't see, collect, or record any of your users' credentials.

Role required: Owner, Administrator, or Phishing Manager.

Start a Phishing Campaign

  1. Log in to the Duo Admin Panel and click Phishing in the left side bar. Once the "Phishing Campaigns" page loads, click the Create Campaign button.

  2. Review the four steps to campaign creation, and then click Next.

  3. Select a Duo group containing the users you want to receive these phishing email messages. Click Next.

    Select Target Group

    Duo users need to have email addresses present in their account details to receive the phishing emails. If no members of the selected group have associated email addresses, you'll receive an error when trying to continue with campaign creation. Select a different group of users with email addresses, or update the details for your users to include email addresses via directory sync, CSV import, or manual entry.

    Note that the integrated Phishing tool can't send to recipients who aren't enrolled Duo users.

  4. Choose the email domain you'd like to use for the outgoing email address in the phishing emails. Click Next.

    Select Email Domain

  5. Select the recipients for your phishing campaign, and then click Next.

    Select Recipients

  6. You'll be redirected to Duo Insight to complete campaign creation using your selected recipients.

    Redirect to Insight site

  7. Choose an application as the basis for your simulated emails, and then click Select Document Type in the lower right.

    Select Application

  8. Choose a document type for your phishing email. You'll see different template options depending on the application you selected in the previous step. Click Craft an Email after selecting a document type.

    Select Document Type

  9. We've pre-populated the phishing email "Document Title" and "Message" with example text, but you can enter your own information to best identify the disguised phishing link. Click Edit Sender.

    Craft Email

  10. Enter a sender name and email address for the phishing simulation.

    Specify Sender Information

  11. Preview what your users will see if any of them follow the phishing email link and submit credentials to the Duo fake login page. You can optionally add a custom message for your users and a web link to organizational security learning resources.

    Preview Landing Page

  12. You'll need permission to run the campaign from your messaging or corporate security team. Select one of the well-known email domain administrator recipients from the list. Duo Insight sends an approval request to that address. Make sure the destination address you select can receive emails from external senders!

    Select Application

  13. Review all your specified options and click Launch Campaign! if everything is correct. You can send yourself a test phishing email before launching the campaign by clicking the Send a test phish to... button near the top.

    Review Campaign Options

You've created your phishing campaign! Once you return to the Duo Admin Panel you'll see the new campaign in the Pending Campaigns table.

Pending Campaigns

When the administrator specified in step 11 approves the new campaign, Duo Insight emails your selected recipients.

Sample Phishing Email

Monitor the Campaign

Check in on your phishing campaign's progress from the Active Campaigns table in the Duo Admin Panel.

Active Campaigns

As your targeted users open the phishing email and take any additional actions, the campaign summary information updates.

Click on the name of your phishing campaign to see more information, like the number of users who clicked the link or who entered their credentials on the Duo phishing site. You can also rename your active campaign by clicking the Rename link to the right of the current campaign name.

Campaign Summary

You'll see how many users opened the phishing email, clicked the link in the email, or entered their login credentials at the Duo phishing site. Duo also gathers information about outdated operating system versions, browsers, and browser plug-ins used to access the phishing site.

Click the User Activity tab to list all the campaign email recipients, their activity, and endpoint software information.

User Activity

Duo Insight also emails you if any of your users enter their login information in the simulated application.

Insight Update Email

Finally, click Preview Phish to view the phishing email sent to users in this campaign.

Preview Phish

Export Campaign Information

You can export the log of user actions for each campaign you launch.

  1. From the list of campaigns, click on the campaign for which you want to export information.

  2. Click the User Activity tab.

  3. Click the Export button and select CSV, JSON, or PDF format. The user activity info downloads in your chosen format.

End User Landing Page

Any user who submits their login credentials gets reassured that their information wasn't actually captured, along with guidance on how to protect themselves against real phishing attacks in the future and any other optional information you supplied when previewing the landing page. If their browser or plugins are outdated, they'll also see that information on the landing page.

Phishing Landing Page for Users

Next Steps

Use the results of your phishing campaigns to identify vulnerable applications in need of strong authentication, or create policies that notify users of outdated software or block all outdated devices from accessing your network, protecting against malware and associated vulnerabilities.