Hi Everyone,

We are pleased to announce the General Availability (GA) for Sophos Phish Threat Domain Verification process.

Previously, there was no check in place to prevent customers from adding external users who are not in their domain to simulated attack or training in Phish Threat. As a result, customers could inadvertently create a campaign or series that included external recipients. This resulted in unintended results for both the customers and Sophos.

With the new Domain Verification enhancement, customers will be required to verify ownership of their domains before they add users to campaigns or series. If you have a mix of verified and unverified domains in your email addresses, you can select addresses with verified domains. You will not be allowed to select the addresses with unverified domains. This will not impact any existing campaigns, draft campaigns, or series (until these are modified).


We request all customers to verify ownership of all the domains/mailboxes they are targeting in their simulated attack campaigns/trainings. Customer admins will be reminded of this check when they configure or update a campaign.


Thank you.