Multistage Attack Creation
Overview
A multistage campaign chains multiple pages together in sequence — for example, a fake login page followed by a micro-learning module, followed by a quiz. This simulates how real attacks work: a user rarely stops after the first click. Multistage simulations test whether users will continue through multiple steps of a deception.
When to use multistage campaigns
Multistage campaigns are best suited for:
- Experienced users who have already passed standard phishing tests
- High-risk roles (finance, IT admins, executives) who are targeted by sophisticated real-world attacks
- Compliance programmes that require evidence of both simulation and training in a single workflow
- Testing depth of vulnerability — does a user just click, or do they actually submit credentials and complete a fake form?
For first-time campaigns or general awareness tests, use a standard campaign.
Prerequisites
All landing pages used in each stage must be built and saved in the Content section before you configure the campaign.
Plan your flow first:
Example A: Fake Login Page → Awareness Content (shows user they were phished)
Example B: Fake Login Page → Micro-learning Module → Knowledge Quiz
Example C: Urgent IT Notice → Fake Password Reset Form → "You've been phished" Page
Step-by-step configuration
Follow the same setup as a standard campaign (name, targets, template) until you reach the Stages section — this is where multistage differs.
Configure stages
- In the Stages section, use the selector to add your pre-created landing pages in order
- Click Add next stage to chain another page
- For stages that capture form data (login forms, etc.), configure how the data is stored:
  - Skip Recording — don't store what users entered
  - Store in Plain Text — capture data in readable form
  - Encrypt and Store — capture data securely
Complete setup
- Set your campaign name — include "Multistage" for easy filtering later
- Choose your target group
- Select the phishing email template (the initial hook)
- Set the sending domain
- Schedule and launch
Reading multistage results
Multistage campaigns produce richer data than standard ones:
| Event | What it means |
|---|---|
| Clicked link | User took the initial bait |
| Reached stage 2 | User continued past the first page |
| Submitted data | User entered credentials or other information |
| Completed all stages | User went through the entire flow |
The gap between "clicked link" and "submitted data" is meaningful — it shows how many users recognised something was wrong after clicking but before submitting. That's a partial win worth tracking.
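The click-to-submit gap can be measured from per-user event records. The script below is an added example, not part of the product: the event names come from the table above, while the (user, event) record layout, the sample data and the rule that any later event implies a click are assumptions.

```python
from collections import defaultdict

# Event names come from the results table above; the (user, event) record
# layout is an assumption, not a documented export format.
EVENTS = ("Clicked link", "Reached stage 2", "Submitted data", "Completed all stages")

def summarise(records, targeted):
    """Count each event once per user and derive the click-to-submit gap."""
    per_user = defaultdict(set)
    for user, event in records:
        if event in EVENTS:               # skip unrelated event types
            per_user[user].add(event)     # a set de-duplicates repeated events
    for seen in per_user.values():
        # Assumption: any later event implies the link was clicked, even if
        # the click record itself is missing from the data.
        seen.add("Clicked link")
    counts = {e: sum(e in seen for seen in per_user.values()) for e in EVENTS}
    clicked = counts["Clicked link"]
    # Users who took the bait but never submitted anything (the "partial win").
    stopped = sorted(u for u, seen in per_user.items() if "Submitted data" not in seen)
    return {
        "counts": counts,
        "click_rate": clicked / targeted if targeted else 0.0,
        "submit_rate_of_clickers": counts["Submitted data"] / clicked if clicked else 0.0,
        "clicked_not_submitted": stopped,
    }

# Constructed sample data for a campaign sent to 10 recipients.
SAMPLE = [
    ("alice", "Clicked link"),
    ("alice", "Clicked link"),            # repeated click, counted once
    ("bob", "Clicked link"), ("bob", "Reached stage 2"),
    ("carol", "Clicked link"), ("carol", "Submitted data"), ("carol", "Reached stage 2"),
    ("dave", "Submitted data"),           # click record missing
    ("erin", "Clicked link"), ("erin", "Reached stage 2"),
    ("erin", "Submitted data"), ("erin", "Completed all stages"),
    ("frank", "Email opened"),            # constructed non-funnel event, ignored
]

if __name__ == "__main__":
    report = summarise(SAMPLE, targeted=10)
    for event, n in report["counts"].items():
        print(f"{event:22} {n}")
    print("Clicked but did not submit:", report["clicked_not_submitted"])
```

Events are counted independently per user rather than as a strict sequence, because a submission can happen on stage 1 (Example B) or on stage 2 (Example C).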
Best practices
Keep it to 3 stages maximum. Longer flows have higher drop-off rates and make it harder to interpret which stage the user stopped at.
Make each stage purposeful. Don't add stages just to add complexity — each step should either test a specific behaviour or deliver a specific piece of awareness content.
Review submitted data carefully. If users enter real passwords during a simulation, handle that data securely and remind users (through the awareness content) never to reuse passwords.
Debrief afterwards. Multistage results are a rich conversation starter with team leads — use them to discuss what made users continue through multiple steps.