How to create a good phishing

21 de mayo de 2022 - Phishing

First things first, if you are reading this, maybe you already have a notion of email security, but just in case, let’s review some basic concepts.

None in this blog post are for evil or unintended use. Always that you carry a phishing test on an organization it need to be consented and with a contract.

This post will not detail any configuration to use, just tips and comments on what I have used in the past and it has worked or interesting things that could work.

Note that this post does not cover the use of malware and only documents the part of links, because as we already know there are many variants of phishing and it is always better to specify.


I would like to clarify that whenever an email is sent the sender’s email address is always specified twice, once in the «envelope» MAILFROM and once in the «header» FROM.

SPF helps prevent spoofing by verifying the sender’s IP address

SPF (Sender Policy Framework) is a DNS record containing information about servers allowed to send emails from a specific domain (for example,

With it, you can verify that messages coming from your domain are sent by mail servers and IP addresses authorized by you. This might be your email servers or servers of another company you use for your email sending.

If SPF isn’t set, others can take advantage of it and send fake messages that look like they come from you.

It’s important to remember that there can be only one SPF record for one domain. Within one SPF record, however, there can be several servers and IP addresses mentioned (for instance, if emails are sent from several mailing platforms).

Image by

DKIM shows that the email belongs to a specific organization

DKIM (DomainKeys Identified Mail) is another technical standard that helps identify fake email addresses, fight against spam, and prevent spoofing and identity theft.

DKIM adds a digital signature to the header of your email message, which email servers then check to ensure that the email content hasn’t changed. Like SPF, a DKIM record exists in the DNS and is similar to the concept of having a public and private keys. While you sign your email with the private key, the public one is on the DNS records to verify that everything is correct when it reaches its destination.

Image by

DMARC aligns SPF and DKIM mechanisms

DMARC (Domain-based Message Authentication, Reporting & Conformance) defines how the recipient’s mail server should process incoming emails if they don’t pass the authentication check (either SPF, DKIM, or both).

Basically, if there’s a DKIM signature, and the sending server is found in the SPF records, the email is sent to the recipient’s inbox.

If the message fails authentication, it’s processed according to the selected DMARC policy: none, reject, or quarantine.

  • Under the “none” policy, the receiving server doesn’t take any action if your emails fail authentication. It doesn’t impact your deliverability. But it also doesn’t protect you from others, so I don’t recommend setting it.
  • Messages that come from your domain but don’t pass the DMARC check go to “quarantine.” In such a case, the provider is advised to send your email to the spam folder.
  • Under the “reject” policy, the receiving server rejects all messages that don’t pass email authentication. This means such emails won’t reach an addressee and will result in a bounce.

The “reject” option is the most effective, but it’s better to choose it only if you are sure that everything is configured correctly.

There are 11 tags, but only «p» (policy) and «v» (version) are mandatory. On the other hand, set up the value «rua» is recommended, as it is the tag that specifies the email to send reports to.

Image by

If you would like to know more about SPF, DKIM, DMARC and how to configure them, this post is pretty great: Short primer on SPF, DKIM, and DMARC


We will need an SMTP server or a bridge to send our emails, it can be local or in a cloud environment.

Also a platform to control the sending, receiving and opening of emails.

If the platform we intend to use is local, we could use services to expose our final website to the Internet.

In addition, we will need a domain name and the respective DNS configuration.

Furthermore and final, we will need a program to show our web to the final user.

And of course a lot of curiosity and motivation!


The first thing to do if we have an objective is to get as much information as possible. Search for leak passwords, impersonate a customer interested in a company’s product to see how they communicate, their email signatures, etc.

All the information gathered will be helpful to appear truthful in case the victim has doubts.

Reviewing the company’s website is also usually beneficial, as some companies publish the names and photos of their employees along with a hierarchical pyramid or the titles they hold within the company itself, so that we can put together a simple diagram of how it might be organized and make it easier for us to deduce the weakest link that could fall into our phishing scheme.

Another way to get information about an organization can be to create a fake «business» social networking profile, such as Linkedin, and collect information about the employees associated with the company’s page.

There are times when looking for information about the company you find vulnerabilities along the way, for example if you try to search with dorking for internal domains or subdomains that may have been exposed or indexed…

You could start searching info using this: CyberLibrary – OSINT (I am constantly updating it)


For the domain the more similar to the original the better.
Keep in mind that in the research phase, it is possible that we find domains or subdomains related to the company that can redirect us, for example, to a microsoft login.

You can use different techniques or tools to create a domain similar to the one you want to supplant.

We could use homogliphs, permutations of the original domain, use the as seen here (I don’t know how it works but it works), using fuzzy matches, that is using capital letters to imitate the normal ones, for example: paypaI is equals to paypai but the ‘i’ is in capital, etc.

Also keep in mind that we will need to wait to not make the domain suspicious for beign newly created.

Here are some useful tools to work with:

If you do not want to use tools, you can use some websites:

SMTP server

The SMTP server that I personally recommend is mailcow or postfix because mailcow is already incorporated in docker containers and it is more convenient to deploy it and configure a couple of things and that’s it.

However, in postfix you have to do much more configuration, since you would have to use postfix, dovecot and thunderbird to have the same functionalities as in mailcow.

Plus we need the GUI so that in case someone who has been phished replies or tries to verify the source in some way we can follow the thread of the conversation so that they trust us.

On the other hand, it is also worth mentioning that SMTP servers are usually used in the cloud and using Microsoft services or servers, AWS, hosting where there are many domains and the like, so that in case of being caught, blocking the IP is the last resort since they would be blocking not only the malicious source but also other possible true domains.

The ‘bad guys’ normally tend to breach a website or CMS in order to use it to send the phishing and make it more difficult to trace the real origin. They tend to breach several in a chain to send the campaigns and make it difficult to know who the real source is.

I leave here the mailcow repo:

And here is a guide to configure postfix together with dovecot and thunderbird:

Here is another alternative:

In case you do not want to configure an SMTP, you could also use the bridge offered by Protonmail, although it is not free (it costs about 8€), it offers the possibility to send encrypted emails through Protonmail and use the web GUI that they have for receiving emails. So you would have everything ‘almost’ done.

Here is the web site for the configuration:

PLATFORM for monitoring

The most well-known and recommended platform is, as we know, Gophish, but there are also other good alternatives if we want to try other platforms for monitoring the sending, receiving and obtaining credentials of the victims, such as, for example:


For the landing page there are many variables, such as the type of attack you want to carry out, the theme you are going to use in the phishing, the way of offering the link to the victims, etc.

We also have to take into account if they have configured the second authentication factor in the company, since this means having to bypass this protection.

The best known or most familiar is Evilginx2, but there are more alternatives to deploy a landing page and bypass the 2FA in case they have it.

Here are some options:

Another way would be to create the landing page yourself and program in the backend the processing of the data entered by the victim in the malicious form to pass it to the real one.

By doing this and logging in bypassing the 2FA, you could steal the session cookie and save it to be able to access again without passing the 2FA, we must take into account that normally the security tokens usually have a period of useful life and can expire (although there are cases in which not unfortunately…).

In these cases you could create an exact copy of the website to spoof using HTTrack locally and tunnel the website to expose it to the internet using one of these services:

And many more…

Creating the email

When it comes to creating an email I always tend to use the simplest and best looking email.

Why complicate formatting an email if there are websites that make it easy?

There are many online websites that let you create an email in the simplest way, then you just have to download the HTML and enter it in the manager that you are going to use to send the campaign.

In my opinion, one of the ones that has always given me the best results has always been Stripo Email, you have a limited number of downloads but you can create a 10 minute email account and use it as many times as you want. On one occasion a client complained because the email was ‘too perfect’, so from experience I recommend it.

In case you don’t know what to write the email about I leave here two resources to give you ideas both in the subject line (something important for the email to be opened) and in the body of the email:

bypassing filters

One of the first things that we have to know is if they have SPF configured, in case they do not have it, we will be able to use this check simply using Telnet:

If it works, we will be able to register in the SMTP that we have chosen, the real domain and to create accounts of mail with which then we will send the email.

I have seen mails arriving to the inbox like this:


But this is not professional and nobody is going to believe that mail….

The main measure is to make sure that the domain we have chosen is not blacklisted or had a bad reputation in the past, otherwise it will be blocked directly.

Obfuscation techniques are also often used, such as the following:

And many others…

psychology applied to phishing

As you may well know phishing is a form of social engineering so the issue of psychology comes into play.

The purpose of a phishing attack is to pull us out of our mindset of questioning the validity and security of communications so if executed correctly it is quite dangerous.

The most common psychological techniques used in phishing are giving the sensation of:

  • Urgency: a phishing email usually wants something done right now, as the longer you have to think, the more you may question if it is benign
  • Confidentiality: the action required is specific to you and needs to be done by you alone, as getting someone else involved increases the chances of the phishing being spotted
  • Authority: People defer to authority. That is why many phishing emails seek to impersonate senior executives, human resources, information technology department or even finance. An email from the CEO (supposedly) asking the finance department to immediately send 300,000€ to an account unknown to the department is an example scenario that has occurred many times in the past, this is also known as ‘the CEO fraud’.
  • Consistency: You must have heard the expression “creature of habit”. In some way, all of us are creatures of habit in that we like to go about our lives in set ways. Phishing emails that look like official communications exploit this fact, hoping the recipient overlooks the unusual request that is included in such an email. An email with the Amazon logo saying a shipment is held up and asking the recipient to confirm their home address may not raise red flags even if no shipment is expected; that’s the power of a recognized brand.
  • Consensus: We have all seen the power of the crowd,
    from frenzied fans at a rock concert or the mad mobs in riots. People
    have a tendency to follow other people. A phishing email that mentions
    something like “544 of 800 employees have updated their software, click
    this link to download” seeks to exploit this fact.
  • Liking: This is an extremely obvious principle of influence, and something
    that we use daily. If people like you, they will say “yes”. Conversely,
    if people want to be liked, they will also say “yes”. This is exploited
    by phishers when they target eager-to-please new employees. An email
    from HR (supposedly) asking a new employee for their SSN to update in
    payroll is one such common ruse.


In case you don’t have the time/desire to configure the entire environment involved in sending a phishing campaign, there are also scripts or guides that deploy the entire infrastructure using Terraform or Ansible on AWS, Azure, Google Cloud, Digital Ocean, etc.

There are a lot of guides, but some examples are:

Tagged as:

Play Cover Track Title
Track Authors