In short: phishing is still one of the main ways incidents start, and it targets your employees, not your servers. We built a complete security-awareness tool inside Odoo: practice phishing emails, training, a per-person risk profile, a button to report a suspicious email, and even pulling a real malicious email out of every mailbox at once. Open source, integrated with your tools, hosted on your own turf. In this article: why it matters, how it works, how it stacks up against KnowBe4 or GoPhish, and where to start.
To download the module, it's right here!
An ordinary Tuesday morning. An email lands: “Your Microsoft 365 invoice is overdue, click here to settle it.” The logo is perfect, the tone urgent, the link almost believable. Out of twenty people, nineteen delete it. The twentieth clicks, types their password, and moves on.
The real question isn't whether it will happen to you. It's what happens in the twenty minutes after. Will someone report it? Can you pull the email out of the other mailboxes before a second person bites? Will the one who clicked know what to do next time?
Phishing is still how they get in
The numbers hold steady year after year. According to the Verizon 2025 Data Breach Investigations Report, 16% of breaches begin with phishing, and nearly 60% involve a human factor: a mistake, a manipulation, one click too many.
We often think SMBs and non-profits are too small to interest anyone. It's the opposite. Attacks are automated, they cast a wide net, and a small organization rarely has a dedicated security team. CEO fraud (a fake email from the “boss” asking for an urgent transfer) or a fake invoice from a known supplier do the most damage exactly where processes are informal.
Put another way: you can stack up firewalls and antivirus, but the final target is still a person in front of a screen, on a Tuesday morning, between two meetings. That's the person to equip. Not to blame: to train.
What does “awareness” actually mean?
Three things, in practice. First, practice: send harmless fake phishing emails now and then, to see who bites and in what context. Then, learn: when someone clicks, they land on a page that calmly walks them through the signals they missed, and they get assigned a short training. Finally, measure: track how it evolves over time, spot the people or teams more at risk, and watch the progress.
The goal is never to trap people to punish them. It's to turn a risky reflex (“I'll click to see”) into a much healthier one (“when in doubt, I report it”).
Why a once-a-year course isn't enough
Everyone knows the mandatory annual training: an hour of videos in January, a quiz, and nobody mentions it again until next year. The problem is that attention fades fast. Three months later, the reflex is gone.
What works is spaced repetition: small, regular, short exercises, in the real context of work. A simulation that lands on a busy Tuesday morning teaches far more than a course watched on fast-forward. And because you measure every time, you watch the curve actually go down, instead of ticking a compliance box.
What we built inside Odoo
Platforms like KnowBe4 or Terranova do this very well. But they're external services, billed per seat, where your security data lives somewhere else. We wanted the same thing, inside Odoo, as open-source software, with the data staying on your own turf.
Your employee records (quite possibly) already live in Odoo, so why not centralize this information there too?
Fake emails that teach
You build a fake phishing email from a template, choose who receives it, and the module tracks who opens it, who clicks, who would go as far as entering their credentials on a fake login page. You can even slip in a fake QR code or an attachment, because that's exactly what real attacks do. One detail that matters: that fake page never stores the password typed. Never. It only notes that an attempt happened.
A reflex to train: report it
Every employee has a “Report a suspicious email” button, and can also simply forward the doubtful email to a dedicated address. If they flag one of our training emails, they get a pat on the back: good reflex, no incident created. If it's a genuinely suspicious email, it goes automatically to whoever is responsible for security, with an alert, ready to be triaged.
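As an added illustration of that triage step (example code, not the module's own), here is how a reported email can be sorted into "one of our exercises" versus "possibly real". It assumes simulations carry a hypothetical hidden header, X-Awareness-Campaign, holding an opaque token of a campaign that is currently running; the sample messages and tokens are constructed for the example.

```python
import email
from email import policy

SIM_HEADER = "X-Awareness-Campaign"   # hypothetical hidden header stamped on our simulations
ACTIVE_CAMPAIGNS = {"c7f2e0a1"}        # constructed: opaque tokens of campaigns running right now

def triage_report(raw_message, reporter, active=ACTIVE_CAMPAIGNS):
    """Classify a reported email: one of our own exercises, or a possible real threat."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    token = (msg.get(SIM_HEADER) or "").strip()
    # The header alone proves nothing: the token must match a campaign we are running now.
    if token in active:
        return {"outcome": "simulation", "campaign": token, "reporter": reporter,
                "create_incident": False,
                "feedback": "Good reflex: that one was a training exercise."}
    # Anything else is treated as genuinely suspicious and routed to the security owner.
    return {"outcome": "suspicious", "reporter": reporter, "create_incident": True,
            "route_to": "security-owner", "alert": True,
            "sender": msg.get("From", ""), "subject": msg.get("Subject", "")}

# Constructed sample messages (example.invalid is a reserved, non-routable domain).
SIMULATION_EMAIL = """\
From: billing@example.invalid
To: alice@example.invalid
Subject: Your Microsoft 365 invoice is overdue
X-Awareness-Campaign: c7f2e0a1

Click here to settle it.
"""
SUSPICIOUS_EMAIL = """\
From: accounts@example.invalid
To: bob@example.invalid
Subject: Updated banking details for your next payment

Please use the new account number attached.
"""
# Header present, but the token belongs to no running campaign: still treated as suspicious.
STALE_TOKEN_EMAIL = SIMULATION_EMAIL.replace("c7f2e0a1", "00000000")
```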
Training kicks in on its own
When someone fails a simulation, the module can automatically enrol them in a short training on the exact topic where they slipped. No need to chase people: the follow-up happens, reminders go out, and completion brings their profile back up.
Measuring without a wall of shame
Each person has a risk profile that evolves over time, and drops back down as they complete their training. The score factors in how hard the lure was and fades over time, to reflect the real state of things, not an old mistake. You see at a glance where things are shaky, without turning security into a contest for the worst score.
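The scoring described above, as an added worked example (not the module's actual formula): each slip is weighted by how easy the lure was, decays with age, and is halved once the follow-up training is completed, while reporting a simulation earns credit back. The half-life, weights and band thresholds are assumed values, and the sample history is constructed.

```python
from dataclasses import dataclass

HALF_LIFE_DAYS = 90.0   # assumed: a slip loses half its weight every 90 days
LURE_WEIGHT = {"easy": 3.0, "medium": 2.0, "hard": 1.0}  # falling for an obvious lure counts more
TRAINING_CREDIT = 0.5   # completing the assigned follow-up training halves that slip's weight
REPORT_CREDIT = 1.0     # reporting a simulation earns credit back

@dataclass
class Event:
    days_ago: float
    kind: str                   # "clicked", "submitted" (typed credentials) or "reported"
    difficulty: str = "medium"  # how hard the lure was
    trained: bool = False       # follow-up training for this slip completed

def risk_score(events, half_life=HALF_LIFE_DAYS):
    """Difficulty-weighted sum of slips, each decaying with age; credit for reports; floor at 0."""
    score = 0.0
    for ev in events:
        decay = 0.5 ** (ev.days_ago / half_life)
        if ev.kind in ("clicked", "submitted"):
            weight = LURE_WEIGHT[ev.difficulty] * (2.0 if ev.kind == "submitted" else 1.0)
            if ev.trained:
                weight *= TRAINING_CREDIT
            score += weight * decay
        elif ev.kind == "reported":
            score -= REPORT_CREDIT * decay
    return max(0.0, round(score, 2))

def risk_band(score):
    """Bands for the overview screen (thresholds assumed)."""
    return "high" if score >= 4.0 else "elevated" if score >= 2.0 else "low"

SAMPLE_HISTORY = [  # constructed: one person's last few months
    Event(days_ago=10, kind="submitted", difficulty="easy"),
    Event(days_ago=100, kind="clicked", difficulty="hard", trained=True),
    Event(days_ago=40, kind="reported"),
]
```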
The part that changes everything: pulling the email out of every mailbox
Here's the scenario that really makes the difference. A real malicious email gets past the filters and lands in twenty mailboxes. One person reports it. What do you do about the other nineteen copies, some of them not even opened yet?
Our module does what KnowBe4 popularized under the name PhishRIP: once the threat is confirmed, we search for that exact email across every mailbox in the organization and move it to quarantine, in a single move. It's reversible: if we got it wrong, we restore it intact. You remove the danger before a second person bites.
And because that kind of power shouldn't be handed out lightly, it's fenced in: only an explicitly authorized person can execute the removal, a preview shows first what will be touched, a cap avoids nasty surprises, and every action is logged. Quarantine is the default mode, never brutal deletion.
The four reflexes when an employee reports a suspicious email:
- Confirm: is it a real threat, or one of your own simulations?
- Contain: pull the email out of the other mailboxes, in reversible quarantine.
- Warn: let the person who clicked know, calmly, without pointing fingers.
- Learn: assign a short training and keep a record of the incident.
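The guard rails around the "Contain" step (authorized person only, preview first, a cap, everything logged, quarantine rather than deletion, reversible), as an added example that is not the module's own code. The mail provider is replaced by in-memory dicts, and the mailboxes, users and message ids are constructed for the example.

```python
from datetime import datetime, timezone
class RemovalRefused(Exception):
    pass  # a guard rail blocked the action: actor not authorized, or cap exceeded

class MailStore:
    # Stand-in for the mail provider: mailboxes and quarantine are plain dicts.
    def __init__(self, mailboxes, authorized_users, cap=200):
        self.mailboxes = mailboxes              # {user: [message dict]}
        self.quarantine = {}                    # {user: [message dict]}, never deleted
        self.authorized = set(authorized_users)
        self.cap = cap                          # max copies touched in one action
        self.audit_log = []                     # every attempt, refused or not
    def _log(self, actor, action, **detail):
        self.audit_log.append({"at": datetime.now(timezone.utc).isoformat(),
                               "actor": actor, "action": action, **detail})
    def preview(self, message_id):  # dry run shown before anything moves
        hits = [(u, m) for u, msgs in self.mailboxes.items()
                for m in msgs if m["message_id"] == message_id]
        return {"mailboxes": sorted(u for u, _ in hits), "count": len(hits),
                "unread": sum(1 for _, m in hits if not m["read"])}
    def _move(self, src, dst, message_id):
        moved = 0
        for user, msgs in src.items():
            pulled = [m for m in msgs if m["message_id"] == message_id]
            src[user] = [m for m in msgs if m["message_id"] != message_id]
            dst.setdefault(user, []).extend(pulled)
            moved += len(pulled)
        return moved
    def quarantine_everywhere(self, actor, message_id):  # quarantine, never delete
        if actor not in self.authorized:
            self._log(actor, "refused", reason="not authorized", message_id=message_id)
            raise RemovalRefused("only an explicitly authorized person may remove mail")
        plan = self.preview(message_id)
        if plan["count"] > self.cap:
            self._log(actor, "refused", reason="cap exceeded", count=plan["count"])
            raise RemovalRefused(f"{plan['count']} copies exceed the cap of {self.cap}")
        moved = self._move(self.mailboxes, self.quarantine, message_id)
        self._log(actor, "quarantined", message_id=message_id, count=moved)
        return moved
    def restore(self, actor, message_id):  # undo: copies go back intact to their owners
        if actor not in self.authorized:
            raise RemovalRefused("only an explicitly authorized person may restore mail")
        moved = self._move(self.quarantine, self.mailboxes, message_id)
        self._log(actor, "restored", message_id=message_id, count=moved)
        return moved

def sample_store():  # constructed sample: three of four mailboxes hold the bad email
    bad = {"message_id": "<inv-4471@example.invalid>", "read": False}
    boxes = {"alice": [dict(bad, read=True)], "bob": [bad], "carol": [bad],
             "dave": [{"message_id": "<news-12@example.invalid>", "read": True}]}
    return MailStore(boxes, authorized_users={"secowner"}, cap=50)
```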
Where things stand
We didn't invent anything: phishing awareness is a mature market. Here, plainly, is where our module sits next to the commercial references and the best-known open-source tool.
| Capability | KnowBe4 / Terranova | GoPhish (open source) | Our module (Odoo) |
|---|---|---|---|
| Phishing simulations | Yes ✅ | Yes ✅ | Yes ✅ |
| Built-in training | Yes (large library) | No | Yes (via Odoo eLearning) |
| Per-person risk profile | Yes ✅ | No | Yes ✅ |
| “Report” button and triage | Yes ✅ | Partial (tracks the “report” click) | Yes ✅ |
| Pull an email from every mailbox | Yes ✅ | No | Yes ✅ |
| Integrated with your business tools | No (external platform) | No (standalone tool) | Yes (inside Odoo) |
| Open source | No | Yes ✅ | Yes ✅ |
| Hosted on your turf, data on your turf | No (cloud service) | Yes ✅ | Yes ✅ |
To be fair: KnowBe4 and Terranova offer a far larger, ready-to-use training content library than ours, and that's a real advantage if you want hundreds of off-the-shelf modules. GoPhish, for its part, stays excellent for pure simulation. Our bet is integration and sovereignty: everything in one place, inside Odoo, open source, with email removal on top.
And where does Law 25 fit in?
It's easy to forget: awareness data (who clicked, who's more at risk) is delicate personal information about your employees. Handing it to a foreign platform is one more data transfer to justify. Keeping it inside your Odoo, hosted in Quebec, makes that conversation simpler.
The other way around, training that's completed and documented is concrete evidence of the “reasonable security measures” Law 25 expects of you. Training your employees isn't just prudent: it's part of your obligations.
The limits worth knowing
No tool works miracles, and this one is no exception. A few honest points.
It's neither an antivirus nor an email filter. Awareness is a layer on top of your technical defences, not a replacement for them. You still need good antimalware (we compared a few in our breakdown of antimalware solutions) and proper filtering at the door.
Pulling the email from every mailbox requires administrator access to your email system. With Microsoft 365, it's direct. With other providers, it takes a bit of setup, one mailbox at a time.
The training library is more modest than the giants': we lean on Odoo's eLearning module and build the content that's actually useful, not a catalogue of a thousand courses. And above all: no training replaces a good old two-person rule for wire transfers and changes to banking details. Tech helps, process protects. Reporting by simply forwarding, for its part, assumes your domain is well protected against impersonation.
Where to start?
You don't need a big project. The recipe that works has four steps. First, a baseline simulation, with no warning, to get an honest starting point. Then, announce it: tell the team that exercises are coming, that the goal is to improve together, not to trap anyone. Next, set the rhythm: a small simulation every few weeks, with training to follow if someone clicks. Finally, watch the curve and adjust the difficulty.
Tone is everything. A team that's afraid of getting caught hides its mistakes. A team that feels supported reports, and that's exactly the reflex we're after.
To download the module, it's right here!
At Blue Fox
We built this tool for our own needs first: we run it on our own mailboxes before offering it to anyone. It's open source (LGPL-3 licence), it lives inside your Odoo, and your security data stays on your own turf, not on a foreign platform billed per seat. We deploy it, configure it to your context, and hand you the keys.
A phishing incident is expensive, and your insurance doesn't cover everything. We laid out what a cyberinsurance policy for SMBs actually covers. The best claim is the one you never have to file.
Curious where your team's reflex stands right now? Let's talk about your people's cybersecurity whenever you like.