LUCY 4.8.1

Lucy 4.8.1 is available for automated update! Please make sure you have no active campaigns running before updating!

New Features

  • Synchronization of user accounts from Azure AD to Lucy’s recipients and users


  • lucyQuizResults() function returns “Trained At” value
  • Track Responses function is able to track emails sent to multiple addresses
  • Ability to use multiple email addresses in O365 plugin
  • SMTP delivery support for Gmail plugin

Bugs fixed

  • Import recipients from CSV with non-UTF encoding
  • Empty list of available trainings on the End User portal
  • Website preview for multi-language training
  • Scheduler for awareness only campaign
  • End User Portal statistics inconsistency
  • Empty recipient columns in export

Lucy 4.8

Lucy 4.8 is available for automated update! Please make sure you have no active campaigns running before updating!

New Features

  • Multiple awareness for awareness only campaigns. It is possible to assign different awareness scenarios for different recipient groups in awareness only campaigns. Risk level differentiation is also supported
  • Ability of separate scheduling different awareness scenarios. It is possible now to separately schedule training scenarios in awareness only campaigns
  • New Branch attribute for campaigns, users and templates. A new Branch attribute for Clients is introduced. Campaigns, recipient groups and templates can now be restricted for administrative users within the same Client based on the Branch attribute of the user
  • New API endpoint for removing a recipient group from campaigns
  • New Mail Manager. Mail Manager was completely re-designed to increase its performance, stability and usability especially for the campaigns with a huge number of recipients
  • End User statistics export. It is possible to export end-user list filtered by Campaign or Recipient Group with general statistics. Export data can also be grouped by Recipient Group or Campaign
  • Overall Recipient Statistics. It is possible to view general Recipient statistics under Campaign Statistics menu. Data can be viewed and exported using filter by Campaign, Recipient Group or time period


  • LDAP Sync Tool: ability to work without administration rights
  • LDAP Sync Tool: ability to connect to Lucy via proxy
  • SMTP connection test console output
  • Ability to use %gender% variable when no gender attribute defined for a recipient

Bugs fixed

  • Inaccurate statistics in report variables %charts.awareness%, %victim.table.trainingstats% and %awareness.completed%
  • Incorrect awareness website language with Direct Login for recipients with different languages
  • Comma in Fake Recipient Name
  • Anonymization for Divisions with less than 10 recipients
  • Anonymization in Compare function
  • Detection of the OS and Browser versions in awareness only campaign
  • Logs rotation for Docker installation
  • Chronology of events in Timeline
  • Geolocation in Master/Slave environment
  • Quiz score attribute in API
  • Authorization via LDAP with SSL
  • Custom name for PDF file-based scenarios
  • Metadata in SCORM export
  • Training overview chart stats
  • Visits accounting
  • Campaign visibility for administrative users
  • License options
  • Inaccurate average scenario time in campaign exports
  • “Only successfully phished” option of the scheduler
  • Incorrect statistics if Success Action is set to Clicked
  • Ability to stop campaign on Slave in Reflective Master&Slave configuration
  • Export to SCORM wrong metadata
  • Training overview chart incorrect stats
  • Bugs in visits accounting
  • Bugs in campaign visibility for administrative users
  • Minor bugs in license options

Lucy 4.7.8

Lucy 4.7.8 is available for automated update! Please make sure you have no active campaigns running before updating!

New Features

  • SMTP OAuth2 authentication mechanism. OAuth2 protocol for SMTP servers makes Office 365 (Exchange Online) more secure. Gmail support is coming out next year. Other providers will be added depending on the need and applicability
  • O365 mobile support. Phishing button for Office 365 can now be used in Outlook mobile app in the same way as on desktop computers. Reinstallation of the plugin is required
  • Single Sign-on: Azure AD OAuth2 authorization. Azure AD OAuth2 authorization. It is possible to configure SSO for Lucy users using Azure AD OAuth2 authorization
  • End Users: send password reset link instead of plain text password. It is possible to send a password reset link in awareness email instead of attachment to access the End User Portal
  • External ID for recipients in API. This feature is important for those users who would like to develop custom mechanism of synchronization of recipients using Lucy’s REST API


  • German translation of the UI
  • Whitelabel: all Lucy references can be replaced

Bugs fixed

  • Track Responses: case sensitive
  • Incorrect schedule plan
  • SSL certificates: Certbot won’t update

Lucy 4.7.7

Lucy 4.7.7 is available for automated update! Please make sure you have no active campaigns running before updating!

New features

  • Mapping of multiple awareness scenarios. It is possible to bind several awareness scenarios to each attack simulation scenario in the campaign. So it will be possible to send different attack simulations and bound awareness scenarios to different recipient groups within a campaign. The risk level of the recipients will be taken into account for the awareness emails
  • LDAP Synchronization Tool multiple groups. It is possible to synchronize several LDAP groups using the tool
  • Export by Recipient group. Campaign – Exports – Recipients – All by Recipient Group. A new item for export all campaign data including Recipient group.
  • Excel macros that allow determining if it has been executed. Lucy has a new Success action attribute named “File Open”. This is triggered by a GET request that can be sent from a macro
  • Outlook plugin line breakers. Outlook Plugin allows multi-line text in the user configured messages


  • Old protocols of web-server except TLSv1.1, TLSv1.2 and newer are disabled
  • Old temporary files from temporary folder are cleared once a day
  • Performance test results became more accurate
  • Awareness Tracking Functions are expanded with several new functions to make awareness templates more flexible. The compatibility with the existing templates is kept
  • New attribute “Client” for Lucy administrative users
  • Password policy – minimum password length is increased to 16
  • File names validation before uploading improvement for better security
  • XSS and RCE handling improvements

Bugs fixed

  • File renaming after upload using File Browser
  • LDAP sync tool: missing ldap_based attribute for LDAP users
  • Incorrect stats in the Awareness only End-user Portal
  • Unsolicited emails to the recipients
  • apt-get update && apt-get upgrade issue in OS update procedure
  • Quiz results disappearing after campaign restore
  • %success% variable rounding out
  • Notification on failed backups
  • Mail Manager: diacritic chars in the campaign name
  • No Recipients Menu for Administrative Users

Lucy 4.7.5

Lucy 4.7.5 is available for automated update! Please make sure you have no active campaigns running before updating!

New features

  • New setting to configure the “From” field of the system notification emails (Settings -> Advanced Settings, System Notification Emails field)
  • Multi-language support of the UI and messages in Outlook MSI Plugin. It is possible to configure translations for the following system locales: Dutch, English, German, Italian, Portuguese, Russian, Spanish, Turkish and Ukrainian
  • New design of the End User Portal
  • Possibility for the administrators to configure the widgets on the End User Portal (Settings -> End Users -> Enduser Portal Settings)
  • New column “Certificate received” in the All Recipients export file
  • New export filter “Received Training Certificate” for the recipients who received their certificates


  • On the “Recipients” step of the Campaign Wizard the contents of the selected recipient group are displayed
  • Campaign Statistics sub-menus are highlighted
  • Main menu re-organized: Recipients menu moved as a sub-menu of Settings, Sessions menu moved as a sub-menu of Tools, Status menu moved as a sub-menu of Support
  • Campaign Base Settings page re-organized
  • New page for Attack Settings introduced for faster access to the list of attack scenarios
  • Scenario Setting page re-organized, Scenario summary page became a part of Campaign Statistics Summary page (Scenario Selection button)

Bugs fixed

  • Subject encoding bug after changing the template language
  • Unchecking of a single recipient group unchecked all recipient lists
  • Empty MAIL FROM command in case of external SMTP server
  • Wrong contents of the %Subject% variable for emails
  • Incorrect behavior of the Repeating rule of the Scheduler
  • Error 500 for campaign templates with anonymous mode
  • Missing files in the saved campaign templates
  • Automatic detection of the “Quiz” option in Campaign Wizard
  • Incorrect removing of the “Deny For” rule in Campaign Filters
  • Several awareness emails in campaigns with several attack scenarios

Lucy 4.7

Lucy 4.7 is available for automated update! Please make sure you have no active campaigns running before updating!

New Features

  • Campaigns for infrastructure tests in Campaign Wizard
  • Scheduled campaign exports
  • Filter for incoming campaign clicks on IP range or User-Agent
  • Improvements in the internal architecture for better security and stability

Bugs fixed

  • Incorrect awareness time tracking
  • Awareness sub-domain unavailability
  • Minor errors in the Campaign Wizard
  • SSO issues
  • LDAP synchronization issues
  • Export of campaign stats failures
  • Gmail plugin installation (see Wiki)
  • Deleting unused file templates
  • Instability in statistics collecting for large campaigns
  • Instability in OOO and Bounced emails collecting
  • Database encryption issues
  • Custom admin port for SAML
  • Certificate deletion
  • File-based attack issues
  • Abuse function failure
  • Only successfully phished option
  • Copy campaign issues
  • Login form autocomplete
  • Minor bugs

Lucy 4.6

Lucy 4.6 is available for automated update! Please make sure you have no active campaigns running before updating!

New features:

  • SSO/SAML 2.0 support for ADFS added
  • Advanced Automatic backup functionality now allows to select what to backup among options: All, Database, Files, Configuration or System sources. Backup schedule can be specified
  • HSM Database Encryption added


  • “Anonymous mode” option moved to Campaign Base Settings since it always affects the whole campaign
  • Updating statistics process is now takes quite a shorter time due to significant optimization
  • Added a feature to select recipient groups to be automatically updated via “Autoupdate LDAP recipients” option
  • Many new variables are available for Campaign Phishing Reports
  • Several additional charts are now available for Campaign Phishing Reports
  • Campaign report template improved to display all possible data
  • Ability to choose between MSL and EML types for downloading files on the Incidents page added
  • Master/slave improved: SMTP traffic can now be forwarded from Slave to Master; incidents and statistics are transferred from Slave to Master
  • Lucy can now fetch information on sender and recipients from reported phishing emails and display it, the information is also available from Lucy API
  • Campaign scheduler is improved to take into account current time zone settings for weekend days
  • Many minor improvements in MSI Outlook and Office365 plugins
  • Available disk space is checked before installing updates and templates
  • Out of office and bounced e-mails detection by subject added
  • Enduser/Reputation Level statistics improved
  • Many other minor improvements in core functionality

Bugs fixed:

  • Whitelabel can now correctly handle transparent background in images
  • Incidents message headers are now correctly parsed by Lucy and may be returned via API in JSON format
  • PayPal payments are correctly processed and the balance is updated accordingly
  • Recipients with umlauts in their email addresses can be correctly imported now
  • Comma in sender name is correctly handled now
  • German localization is improved
  • Clear db backups folder function now clears the whole contents of the folder
  • SMISHING campaign – correct handling SMS templates taking into account maximum SMS length
  • Lucy server correctly handles phishing reports with large attachments now
  • Outlook 2013 freezing is fixed now
  • E-learning and re-scheduled statistics display is improved in Phishing Campaign reports
  • Lucy sends correct IP addresses in e-mails with login information for End Users
  • Many other minor bugs fixed


Dear clients, if you are running Lucy versions 4.4 or 4.5 and have installed the system or installed any patches within past 2 weeks, please install the latest patches 4.4.14 or 4.5.6 as soon as possible, they should be available in Lucy upgrade section. If you are already on 4.4.14 or 4.5.6, no actions are needed.

If you have some campaigns running, which prevents you from updating, you can run the update over SSH console using these commands to force the update:

cd /opt/phishing/current/web/protected
./yiic update

This will update Lucy in background mode, without affecting your running campaigns. No reboot is needed after the upgrade.

If you have no access to your Lucy console, please contact our support engineers to help you with that.

Thank you and sorry for the inconvenience!