In some implementations, a phishing test engine may receive a set of email messages that are associated with a set of users and with an indication of legitimacy. The phishing test engine may perform clustering on the set of email messages to identify a subset of similar email messages and a subset of users. The phishing test engine may generate an email template based on the subset of similar email messages and including an indicator of phishing. The phishing test engine may generate, from the email template, a test email message addressed to a user in the subset of users and may transmit the test email message to the user. The phishing test engine may receive an indication of an interaction with the test email message and may update a policy associated with the set of users based on the indication of the one or more interactions.