Email templates

Email templates define the content and structure of phishing emails. Templates support HTML, plain text, attachments, and calendar invitations.

Overview

Each template includes:

• Template name (required)

• Subject (required)

• Body (optional)

• Calendar invitation settings (optional)

• File attachments (optional)

---

Template name

Internal identifier for the template.

---

Subject

Subject line of the email. It is required and also supports variables.

---

Body

Content of the email. It supports Plain text only, HTML only, or both. It is optional and supports variables in both bodies.

Plain Text Body

Regular text.

HTML Body

Rich-text email content with full HTML and CSS support.

When typing {{, a dropdown appears with variable suggestions, showing all currently available variables.

A Preview tab is included, offering both HTML rendering and partial template preview. Existing variable values are automatically filled or generated, and example values are inserted for variables without data. This helps verify that all variables are correctly selected and formatted.

For security, the renderer applies strict Content Security Policies (CSP) to prevent script execution —something not supported in most email clients anyway. CSP also prevents referrer leakage when clicking links. All HTML is sanitized using DOMPurify, removing potentially harmful content.

---

Calendar options

Send realistic calendar meeting invitations as part of phishing campaigns.

Certain calendar functionalities are specific to email providers (e.g., Gmail or Outlook). Behavior may vary across different email clients and can change over time due to provider updates. Testing all calendar features across target clients before sending is strongly recommend.

Calendar invitations

Convert an email into a meeting invitation. By default, Tangled generates a unique calendar invitation UID for each event based on configuration settings, and sets the sequence to 0 in the VCALENDAR block.

Meeting summary Defines the event title. Supports variables.

Timezone & time Specify the meeting’s IANA timezone and the start/end times in YYYYMMDDTHHMMSS format.

Organizer Set the organizer’s display name and email address.

Attendee list Add additional attendees beyond the primary recipient.

Other settings:

• Location: physical or virtual location text.

• Priority: high, normal, or low. May influence email UI: for example, Outlook displays a red exclamation mark for urgent meetings.

• Categories: set one or more category labels.

Meeting options:

• Allow responses: enables RSVP handling. Disabled by default. Outlook-specific.

• Disable forwarding: prevents attendees from forwarding the meeting Outlook-specific.

• Private meeting: marks the event as private, typically hiding details from others with calendar access. Outlook-specific.

• Include all campaign targets as attendees: adds every campaign recipient to the attendee list. Useful for crafting realistic multi-attendee invites.

• Meeting link: insert a conferencing link. Currently supports Outlook and Gmail.

• Calendar attachments: files included in the calendar invitation (not in the email body).

Calendar reschedules

Update an existing calendar invitation.

• Meeting UID: required. Must match the UID of the original invitation. If the original was sent via Tangled, the UID will appear in the campaign details.

• Meeting Sequence: must be incremented with each update. Needs to be higher than the last sequence received for that event.

All other settings behave the same as for invitations.

Calendar cancellations

Send meeting cancellation notices.

• Meeting UID: required and must match the original invitation’s UID (visible in campaign details if the original was sent through Tangled).

• Meeting Sequence: must be incremented with each update, higher than any previously received value.

All other settings behave the same as for invitations, except:

• Meeting links are not included (unnecessary for cancellations).

• Calendar attachments are automatically removed from the template.

---

File attachments

Files that will be sent attached to the email.

Click "Choose files" button, select file(s) to attach or remove existing ones and save the template.

The files will be stored in database for that template. If an attachment with same name than one existing is selected, it will be replaced (case insensitive).

Current attachment size is set to 200MB. To allow larger files, change the client_max_body_size value in Nginx's default.conf file.

---

Importing an email

Tangled supports the ability to import an email from a given .eml or xx file. To do this, click the "Import" button and select the email file with the desired content to copy.

The file will be processed, trying to fill the template with all the different fields, including calendar settings.

---

Templating

Tangled uses Jinja2 templating with security restrictions for variable substitution and basic logic.

Built-in variables

The following variables are available by default. Note that some values might be empty if the target information hasn't been fully filled. Additionally, all supplementary variables defined in settings will be available by name.

Template variables are case sensitive

Always provide defaults for optional values! For example: Dear {{ firstName|default("User", true) }}...

Variable	Description
{{firstName}}	Target's first name
{{lastName}}	Target's lastname
{{email}}	Target's email address
{{extraField}}	Additional custom field (e.g., country, job title, employee ID...)
{{randomID}}	Random 8-character string (unique per recipient)
{{_now}}	Current UTC datetime

Security Model

Templates are rendered in a sandboxed environment:

• Function calls are disabled

• Attribute access is restricted

• Filters are allowed in a limited set

This prevents template injection attacks while maintaining functionality.

Available filters

Tangled supports these Jinja2 filters:

upper / lower

Convert text case:

{{ firstName|upper }}  -> JOHN
{{ lastName|lower }}   -> smith

title

Title case conversion:

{{ firstName|title }}      -> John
{{ "hello world"|title }}  -> Hello World
{{ "heLLoWOrLd"|title }}   -> Hello World

default(value, boolean)

Provide fallback value:

{{ firstName|default("User", true) }}

Shows "User" if firstName is empty. The true parameter treats empty strings as missing.

replace(old, new)

Replace text:

{{ email|replace("@", " at ") }}

trim

Remove whitespace:

{{ textVariable|trim }}

length

Get string length:

{{ email|length }}

escape

HTML-escape content (automatic in HTML templates):

{{ urlVariable|escape }}

urlencode

URL-encode strings:

<a href="https://tangled.local?email={{ email|urlencode }}">Link</a>

datefmt(format)

Format datetime values:

{{ _now|datefmt("%Y-%m-%d") }}           -> 2025-15-11
{{ _now|datefmt("%B %d, %Y at %H:%M") }} -> November 15, 2025 at 14:30

The special _now variable contains the current UTC timestamp.

tz(timezone)

Convert datetime to timezone:

{{ _now|tz("America/New_York")|datefmt("%H:%M %Z") }}

Examples

Personalized Greeting

If firstName exists: "Hello John," If empty: "Hello User,"

Hello {{ firstName|default("User", true) }},

Conditional Content

While if-statements are not supported, use defaults can be used creatively:

Dear {{ firstName|default(lastName, true)|default("Valued Customer", true) }},

Tries firstName, then lastName, then fallback.

Date Formatting

Output: "This email was sent on Saturday, November 15, 2025."

This email was sent on {{ _now|datefmt("%A, %B %d, %Y") }}.

Tracking Links

<a href="https://track.tangled.local/click?id={{ email|urlencode }}">
  Click Here
</a>