phenomlab I have used this. It is pretty good. There are a few limitations.
When we deployed it, we put it on a virtual MS server. Was fairly easy to do.
The main issue was that when we made our “phishing” emails, the system (Exchange on-prem) was too good and flagged them up to users, so that was the first hurdle. There is a way of trusting the bogus domain so it doesn’t flash up to the user via a GPO - I can look for this tomorrow and update on that.
Once we got that working, it was fine. There was just one thing we picked up on.
We got stats on when the mail was delivered, opened, and ultimately when it was clicked on. We also got the IP address of the device where it was clicked.
We had the case where we sent one mail to a group of people, and one was a manager. He opened it on, say, Monday, then forwarded it to his team: “Hi guys, I have received this - don’t click on it”.
2 days later one of his team clicked it. This click registered against him, as it was his email. I could work out it wasn’t him, by the IP, and I guessed it was a false positive. I rang him up and after making suggestions of who it might be he confirmed “yes, it was them most likely”. Obviously knows his staff. We got a user awareness session with the team out of it at least. So if you do a phishing exercise, be mindful that unless they open it, and click the target link within a reasonable time, it might not necessarily be them.
Not tested with O365, we are looking at other options. But if you are on a budget, GoPhish is pretty good.
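Added example, not part of the original post and not GoPhish's own code: a minimal triage pass over campaign events that flags clicks which should not be attributed to the recipient without follow-up, using the two signals the post describes (a long gap after the open, and an unexpected click IP). The event records are constructed and simplified, and the field names, the 4-hour threshold and the presence of an IP on open events are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified; not GoPhish's actual export format).
# Assumption: both open and click events carry a source IP.
EVENTS = [
    {"email": "manager@example.test", "event": "opened",  "time": "2024-03-04T09:12:00", "ip": "10.20.1.15"},
    {"email": "manager@example.test", "event": "clicked", "time": "2024-03-06T14:40:00", "ip": "10.20.3.77"},
    {"email": "analyst@example.test", "event": "opened",  "time": "2024-03-04T09:30:00", "ip": "10.20.2.8"},
    {"email": "analyst@example.test", "event": "clicked", "time": "2024-03-04T09:31:00", "ip": "10.20.2.8"},
    {"email": "clerk@example.test",   "event": "clicked", "time": "2024-03-05T11:00:00", "ip": "10.20.4.2"},
]

MAX_DELAY = timedelta(hours=4)  # hypothetical "reasonable time" threshold


def review_clicks(events, max_delay=MAX_DELAY):
    """Return one verdict per click: attribute it, or flag it for follow-up."""
    ordered = sorted(events, key=lambda e: e["time"])  # ISO strings sort by time
    first_open = {}  # email -> (time, ip) of the earliest recorded open
    for e in ordered:
        if e["event"] == "opened":
            first_open.setdefault(e["email"], (datetime.fromisoformat(e["time"]), e["ip"]))

    verdicts = []
    for e in ordered:
        if e["event"] != "clicked":
            continue
        reasons = []
        opened = first_open.get(e["email"])
        if opened is None:
            reasons.append("no open recorded for recipient")
        else:
            open_time, open_ip = opened
            delay = datetime.fromisoformat(e["time"]) - open_time
            if delay > max_delay:
                reasons.append(f"clicked {delay} after open")
            if e["ip"] != open_ip:
                reasons.append(f"click IP {e['ip']} differs from open IP {open_ip}")
        verdicts.append({"email": e["email"], "ip": e["ip"],
                         "status": "review" if reasons else "attributed",
                         "reasons": reasons})
    return verdicts


if __name__ == "__main__":
    for v in review_clicks(EVENTS):
        print(v["status"].upper(), v["email"], v["ip"], "; ".join(v["reasons"]))
```

A "review" verdict means the click needs a conversation with the recipient before it is counted against them; a missing open is common when mail clients block remote images, so it is a prompt to check, not proof of forwarding.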