It happens all the time in Business Email Compromise (BEC) attacks: someone in the finance department gets an invoice email from what looks like a vendor they work with every day. The logo's right, the tone matches, and the amount is close enough to what they'd expect to pay. It looks like such a routine vendor email, they don't think twice about wiring money. This is the kind of email that slips past even employees who think they already know what phishing looks like.
With Security Awareness Training, the goal is to shift user behaviors so that they're constantly vigilant and monitoring for threats, regardless of how familiar or routine something may seem. One of the best ways to build vigilance against these types of threats is through phishing scenarios that are specific to your organization, which is why we are excited to introduce Custom HTML for Custom Phishing.
Custom HTML for Custom Phishing makes it easy to create highly tailored scenarios based on context specific to your organization.
Custom HTML for Custom Phishing: Get hands-on with your own risk factors
Custom HTML for Custom Phishing allows Managed SAT admins to get more hands-on and personalized with their phishing scenarios. It gives them a direct HTML editor inside the phishing scenario builder, so they can build a phishing email from scratch instead of picking from a fixed template. Teams can match the exact vendors, tools, and communication style inside their own organization, right down to logos, subject lines, and tone.
Or they can even match a real phishing scenario they've seen within their organization. But don't worry, every custom scenario is run through Huntress' link sanitization, so no one can accidentally, or maliciously, use it to phish your own people.
Early success
We have some pretty crafty partners and customers who are already seeing success with their own custom phishing scenarios.
One financial services customer built a scenario mimicking internal IT support requests, matching the exact tone their help desk uses.
A healthcare customer went a different direction, styling a fake vendor portal update imitating a supplier that its staff deals with every week
A manufacturing customer recreated an operational alert formatted to match the notices its own facilities send out.
These phishing scenarios look convincing because their teams know their own environment better than anyone else could, and in building them, they're shifting user behaviors to stay vigilant against any email they see.
Build your own, but don't skip Managed Phishing
Building your own scenarios is worth doing. It teaches learners something concrete: how targeted and specific a real phishing attempt aimed at their company could get. But it's just as important, maybe more so, to keep running Huntress Managed Phishing alongside it.
Managed Phishing scenarios are built and curated every month by our security and social engineering experts, using real-world data pulled straight from the Huntress Security Operations Center (SOC). They're convincing, effective, and, most importantly, current with what attackers are actually doing right now.
Here are the numbers to put it into perspective:
The better-performing custom HTML scenarios saw impressive click-to-compromise rates around 10% to 20%
Huntress Managed scenarios reach 25% and higher on average
Our new Deepfake Meeting Invite scenario, built around an emerging tactic already showing up in real attacks, hit a 33% click-to-compromise rate
One recent managed scenario went further: a 65% click-to-compromise rate across the hundreds of thousands of users it reached.
This Google Drive Document Invite scenario achieved a 65% click-to-compromise rate.
So while personalizing phishing scenarios based on your own environment is important, pairing them with scenarios built by our team of security experts is a no-brainer. Not only are these scenarios built from what our SOC sees on the front line, but they also expose gaps in your team's security awareness and provide learning opportunities against the threats they're most likely to see.
Start building your own custom phishing scenarios
Custom HTML for Custom Phishing is live in Huntress Managed SAT. Pair it with Managed Phishing, and your team gets both sides of the same coin: scenarios built around your specific risk, and scenarios built around what's actually happening in the wild right now.
Start your free trial to build your first custom scenario today.