When you enable Campaign Mode, Defend groups similar emails together under a single campaign. This feature helps you protect your organization from large-scale phishing attacks by allowing you to take a unified action to remove threats from your users' inboxes quickly. While many emails may look the same, Defend is intentionally precise to ensure that only truly related emails are grouped together.

Why Defend Is Intentionally Precise

Defend identifies related emails by creating a unique fingerprint of their characteristics and content. This fingerprinting allows Defend to group emails into a single campaign, even if they have small or large differences, as long as the content is fundamentally similar.

We use this precise logic to give you confidence in our grouping and to ensure we never group unrelated emails that you might want to manage separately. In some cases, emails that look similar on the surface may not be grouped together if their underlying fingerprints are distinct.

We designed Defend to prioritize specificity. This precision reduces the risk of misattribution, or incorrectly grouping unrelated emails into the same campaign. Because Campaign Mode allows you to perform bulk remediation, this design ensures you only remove the specific emails you intend to, rather than a broader set that may only look similar.

What Can You Do with Campaign Mode?

If you find related emails that were not automatically grouped into a campaign, you can adjust the grouping logic to include them. By navigating to the Operations tab, you can toggle specific email characteristics on or off to change how Defend analyzes your mail flow.

Reducing the number of active characteristics allows Defend to find more matches, bringing similar emails into a single view. This flexibility helps you capture a broader set of related threats so you can remediate all of them at the same time.

If you need to investigate emails that you believe are part of the same campaign but appear separately, use Email Mode in the Defend portal. This view displays every email individually and gives you full visibility, regardless of whether the emails are grouped into a campaign.

Microsoft 365 and Campaign Mode

In some cases, Microsoft 365 may split a single email into separate copies for different recipients during delivery. Even when this happens, Defend can still identify the underlying characteristics and group these copies together into a single campaign. This process ensures you have a complete view of the attack, regardless of how the mail server handled the initial delivery.

If you have questions or need help configuring your campaign settings, contact KnowBe4 Support.