New Features and Updates from GoPhish for Security Awareness Training


GoPhish is an easy-to-use and affordable phishing simulator you can add to your phishing training program. Unlike some other popular phishing simulators, GoPhish is regularly updated with new features. In this article, we will go over some of the most notable new features since version 0.9.0.

New Features

  • Added Trusted Origins to the CSRF handler. GoPhish now allows modifying trusted_origins in the config.json file, so you can list the addresses you expect incoming connections to come from. This is helpful when an upstream load balancer handles TLS termination instead of the application itself.


  • Introduced attachment tracking by adding GoPhish variables into various file types that can be attached to emails. For example, it is now possible to include “Hello {{.FirstName}}, please click here: {{.URL}}” in a Word document or add tracking pixels to documents. GoPhish will now notify you when users open attached files or enable macros in Office documents. GoPhish supports the following file extensions: docx, docm, pptx, xlsx, xlsm, txt, html, and ics.


  • Added the ability to specify an envelope sender in templates. If left empty, it falls back to the SMTP From address in the sender settings. This can be used to pass SPF checks while still sending a spoofed email.


  • Implemented a basic password policy for administrators and removed the default password “gophish”. Instead, an initial password is now randomly generated and displayed in the terminal when launching Gophish for the first time. If necessary, the initial password and API key can be overridden using environment variables.


  • Added support for webhooks. By configuring a webhook, Gophish can now send HTTP requests to a controlled endpoint. These requests include the JSON body of the corresponding event, which is the same JSON that you would normally receive via the API. This gives you real-time updates on your ongoing campaigns.


  • Introduced the ability to configure IMAP details in Gophish, which allows fetching campaign emails and marking them as reported.
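
For the webhook feature above, the receiving endpoint should confirm that each request really came from your Gophish instance before acting on it. The following is an added example, not code from this article or from the Gophish project: it assumes a webhook secret is configured and that Gophish sends an X-Gophish-Signature header of the form sha256=<hex HMAC-SHA256 of the raw body>. Event, Sign and Accept are hypothetical names, the JSON field names are assumed, and the sample body is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the fields used here from a Gophish event body (field names assumed).
type Event struct {
	CampaignID int64  `json:"campaign_id"`
	Email      string `json:"email"`
	Time       string `json:"time"`
	Message    string `json:"message"`
}

// Sign returns the header value expected for body: "sha256=" + hex(HMAC-SHA256).
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// Accept verifies the signature over the raw request bytes, then parses them.
// Verification must use the bytes as received, not re-serialized JSON.
func Accept(secret, body []byte, header string) (Event, error) {
	var ev Event
	got, err := hex.DecodeString(strings.TrimPrefix(header, "sha256="))
	if err != nil || !strings.HasPrefix(header, "sha256=") {
		return ev, fmt.Errorf("malformed signature header")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	if !hmac.Equal(got, mac.Sum(nil)) { // constant-time comparison
		return ev, fmt.Errorf("signature mismatch")
	}
	return ev, json.Unmarshal(body, &ev)
}

func main() {
	secret := []byte("constructed-secret") // constructed sample values
	body := []byte(`{"campaign_id":1,"email":"foo@example.com","time":"2020-01-20T17:33:55Z","message":"Clicked Link","details":""}`)
	ev, err := Accept(secret, body, Sign(secret, body))
	fmt.Println(ev.Message, err) // accepted event
	_, err = Accept(secret, append(body, ' '), Sign(secret, body))
	fmt.Println(err) // altered body is rejected
}
```

In an HTTP handler, read the full request body once, pass those bytes and the header value to Accept, and return an error status without processing the event when it fails.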


With these new features, GoPhish is now more secure and effective. As additional releases arrive in the future, GoPhish will remain a valuable tool for organizations looking to strengthen their phishing training programs.