First things first: if you are reading this you probably already have some notion of email security, but just in case, let's review a few basic concepts.
Nothing in this blog post is meant for malicious or unintended use. Whenever you run a phishing test against an organization it must be consented to and covered by a contract.
This post will not detail any particular configuration; it only collects tips and comments on what I have used in the past and has worked, plus interesting things that could work.
Note that this post does not cover the use of malware and only documents the link side of phishing, because, as we already know, there are many variants of phishing and it is always better to be specific.
I would like to clarify that whenever an email is sent, the sender's address is specified twice: once in the «envelope» (the SMTP MAIL FROM, which the receiver records as Return-Path) and once in the «header» (the From: line the recipient sees). Nothing forces the two to match, which is what makes spoofing possible and what the three mechanisms below try to control.
SPF (Sender Policy Framework) is a DNS TXT record listing the servers allowed to send email on behalf of a specific domain.
With it, receiving servers can verify that a message whose envelope sender is your domain was handed over by a mail server or IP address you authorized, whether your own servers or those of another company you use for sending.
If SPF isn't set, others can put your domain in the envelope and send fake messages that look like they come from you, and receivers have no published policy to check them against.
It's important to remember that there can be only one SPF record per domain: publishing two is a permanent error and receivers treat it as having no usable SPF at all. Within that one record, however, several servers and IP addresses can be listed (for instance, if emails are sent from several mailing platforms), as long as evaluating it takes no more than 10 DNS lookups.
DKIM (DomainKeys Identified Mail) is another technical standard that helps identify forged email addresses, fight spam, and prevent spoofing and identity theft.
DKIM adds a digital signature to the header of your email message, which receiving servers check to ensure that the signed headers and body haven't changed in transit and that the signing domain (the d= tag of the signature) really took responsibility for the message. Like SPF, the DKIM record lives in DNS and is built on a public/private key pair: your server signs outgoing mail with the private key, and the public key is published as a DNS TXT record (under selector._domainkey.yourdomain) so the destination can verify the signature when the message arrives.
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM and defines how the recipient's mail server should process incoming emails that fail authentication, and where to send reports about them.
Basically, a message passes DMARC if at least one of the two checks passes and is aligned with the domain in the visible From header: either a valid DKIM signature whose d= domain matches, or an SPF pass for an envelope MAIL FROM domain that matches. That alignment requirement is the point: without it an attacker could pass SPF for their own domain while showing yours in From.
If the message fails, it's processed according to the selected DMARC policy: none (deliver and only report), quarantine (spam folder) or reject.
The «reject» option is the most effective, but it's better to choose it only once you are sure that everything, including every third-party sender, is configured correctly; otherwise legitimate mail gets bounced.
There are 11 tags, but only «v» (version) and «p» (policy) are mandatory. Setting «rua» is strongly recommended, as it is the tag that specifies the address to which aggregate reports are sent, and those reports are how you find out who is sending on your behalf.
If you would like to know more about SPF, DKIM and DMARC and how to configure them, this post is pretty good: Short primer on SPF, DKIM, and DMARC
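To make the envelope/header distinction and the alignment rule concrete, here is an added example (my code, not from the original post or the linked primer) of how a receiving server combines the SPF and DKIM results with the DMARC record into a verdict. Domains, records and the `Message` structure are constructed; the organizational-domain logic is simplified to the last two labels, where a real receiver consults the Public Suffix List, and the pct= and sp= tags are not applied.

```python
"""Added example (not from the original post): how a receiving server
combines the envelope MAIL FROM, the header From and the SPF/DKIM results
into a DMARC verdict. All domains and records below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record such as
    'v=DMARC1; p=reject; rua=mailto:dmarc@example.com' into a tag dict.
    Only v and p are mandatory; the alignment tags get their defaults."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")   # DKIM alignment: relaxed unless adkim=s
    tags.setdefault("aspf", "r")    # SPF alignment: relaxed unless aspf=s
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Real
    implementations use the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts any subdomain
    of the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class Message:
    header_from: str            # domain of the RFC 5322 From: the user sees
    mail_from: str              # domain of the SMTP envelope MAIL FROM
    spf_result: str             # SPF verdict for mail_from: pass/fail/softfail/none
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, or None


def dmarc_verdict(msg: Message, dmarc_txt: str) -> Tuple[str, str]:
    """Return (dmarc_result, action). DMARC passes when at least one
    mechanism passes AND its domain aligns with the header From."""
    tags = parse_dmarc(dmarc_txt)
    spf_aligned = msg.spf_result == "pass" and aligned(msg.header_from, msg.mail_from, tags["aspf"])
    dkim_aligned = msg.dkim_domain is not None and aligned(msg.header_from, msg.dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    # Failed: apply the published policy (none / quarantine / reject).
    # A full receiver would also honour pct= sampling and the sp= subdomain policy.
    return "fail", tags["p"]


RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    legit = Message("example.com", "example.com", "pass", "example.com")
    # SPF passes, but for the attacker's own envelope domain: no alignment, so DMARC fails.
    spoof = Message("example.com", "attacker.example", "pass", None)
    print(dmarc_verdict(legit, RECORD))
    print(dmarc_verdict(spoof, RECORD))
```

The `spoof` case is the one the whole section is about: the attacker's server is perfectly authorized for attacker.example, so SPF alone says "pass", and only the alignment check against the displayed From domain turns that into a reject.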
We will need an SMTP server or a bridge to send our emails; it can be local or in a cloud environment.
We also need a platform to manage the sending and to track delivery, opens and clicks.
If the platform we intend to use is local, we can use a tunnelling service to expose our final website to the Internet.
In addition, we will need a domain name with the corresponding DNS configuration.
Finally, we will need a web server to show our page to the end user.
And of course a lot of curiosity and motivation!
The first thing to do once we have a target is to gather as much information as possible: search for leaked passwords, pose as a customer interested in the company's product to see how they communicate and what their email signatures look like, etc.
All the information gathered will help us appear credible in case the victim has doubts.
Reviewing the company's website is also usually beneficial. Some companies publish the names and photos of their employees along with an organizational chart or their job titles, so we can put together a simple diagram of how the company might be organized and more easily deduce the weakest link, the person most likely to fall for our phishing.
Another way to get information about an organization is to create a fake «business» profile on a professional social network such as LinkedIn and collect information about the employees associated with the company's page.
Sometimes, while looking for information about the company, you find vulnerabilities along the way, for example when dorking for internal domains or subdomains that may have been exposed or indexed…
You can start your search with this: CyberLibrary – OSINT (I am constantly updating it)
For the domain, the more similar to the original, the better.
Keep in mind that during the research phase we may find domains or subdomains related to the company that redirect, for example, to a Microsoft login.
You can use different techniques or tools to create a domain similar to the one you want to impersonate.
We could use homoglyphs, permutations of the original domain, a prefix like www1-exampledomain.com as seen here (I don't know how it works, but it works), or visually fuzzy matches, that is, letters that imitate others: for example «paypaI» with a capital I reads as «paypal» at a glance. Bear in mind that DNS is case-insensitive, so paypaI.com is literally paypai.com; the capital-letter trick only works in displayed text (link text or a display name), while a registered look-alike needs a genuinely different character, such as a digit 1 in place of the l.
Also keep in mind that we will need to let the domain age for a while, so that it is not flagged for being newly created.
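As an added example (not from the original post), this script generates look-alike candidates with the techniques mentioned above: homoglyph substitution, omission, transposition, repetition, hyphenation, affixes like www1- and TLD swaps. The substitution table, affix list and TLD list are my assumptions, extend them for your target. It only produces strings for you to check against WHOIS and your client's filters, and it normalizes case first because DNS ignores it.

```python
"""Added example (not from the original post): generate look-alike domain
candidates for a target using the techniques mentioned above. It only
produces strings; checking availability and registering is up to you."""
from itertools import product
from typing import List, Set

# Visually confusable ASCII substitutions (assumed table; extend per target).
# Unicode/IDN homoglyphs are left out: whether a registry accepts them varies.
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "0": ["o"], "e": ["3"],
    "a": ["4"], "s": ["5"], "g": ["q"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}
AFFIXES = ["www1-", "www-", "login-", "mail-", "-login", "-secure", "-portal", "-sso"]
TLDS = ["com", "net", "org", "co", "io", "app"]


def split_domain(domain: str):
    """DNS is case-insensitive, so 'PayPaI.com' IS 'paypai.com'; normalise first.
    The capital-I-for-l trick therefore only works in displayed text."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def homoglyph_variants(name: str) -> Set[str]:
    """Replace one character at a time with a confusable one."""
    out = set()
    for i, ch in enumerate(name):
        for rep in HOMOGLYPHS.get(ch, []):
            out.add(name[:i] + rep + name[i + 1:])
    return out


def permutation_variants(name: str) -> Set[str]:
    """Typos a victim would not notice: omission, repetition, transposition, hyphenation."""
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                               # omission
        out.add(name[:i] + name[i] + name[i:])                         # repetition
        if i > 0:
            out.add(name[:i] + "-" + name[i:])                         # hyphenation
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])   # transposition
    out.discard(name)
    return out


def affix_variants(name: str) -> Set[str]:
    """The www1-example.com style prefixes the post mentions, plus login-themed suffixes."""
    return {a + name if a.endswith("-") else name + a for a in AFFIXES}


def lookalikes(domain: str) -> List[str]:
    """All candidates across all TLDs, original domain excluded, sorted."""
    name, _ = split_domain(domain)
    names = {name} | homoglyph_variants(name) | permutation_variants(name) | affix_variants(name)
    candidates = {f"{n}.{t}" for n, t in product(names, TLDS)}
    candidates.discard(domain.lower())
    return sorted(candidates)


if __name__ == "__main__":
    cands = lookalikes("paypal.com")
    print(len(cands), "candidates, e.g.:", [c for c in cands if c.endswith(".com")][:12])
```

Run the output through the target's own mail filters during the engagement (the same lists power the defensive side, where registries and brand-protection services monitor exactly these permutations), and remember that the newly registered domain still needs to age before it is used.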
Here are some useful tools to work with:
If you do not want to use tools, you can use some websites:
The SMTP server I personally recommend is mailcow, or alternatively Postfix. mailcow already ships as Docker containers, so it is more convenient: deploy it, configure a couple of things and that's it.
With Postfix, however, you have to do much more configuration, since you would need Postfix, Dovecot and a client such as Thunderbird to get the same functionality mailcow gives you.
Plus we need the GUI so that, in case someone who has been phished replies or tries to verify the source in some way, we can follow the thread of the conversation and keep their trust.
On the other hand, it is also worth mentioning that the SMTP servers used in real campaigns are usually in the cloud, on Microsoft or AWS services, or on shared hosting where many domains sit behind the same IP. That way, if the campaign is caught, blocking the IP is the defender's last resort, since it would block not only the malicious source but also other, legitimate domains.
The «bad guys» normally tend to compromise a website or CMS and use it to send the phishing, which makes the real origin harder to trace. They tend to chain several compromised hosts to send the campaigns so that it is difficult to know who the real source is.
I leave here the mailcow repo: https://github.com/mailcow/mailcow-dockerized
And here is a guide to configure postfix together with dovecot and thunderbird: https://elpuig.xeill.net/Members/vcarceler/articulos/correo-electronico-con-postfix-dovecot-y-thunderbird-en-ubuntu-20.04
Here is another alternative: https://github.com/mailhog/MailHog
In case you do not want to set up an SMTP server, you could also use the bridge offered by Proton Mail. It is not free (about 8€), but it lets you send encrypted emails through Proton Mail and use their web GUI to receive replies, so you would have everything «almost» done.
Here is the web site for the configuration: https://proton.me/support/protonmail-bridge-install
The best-known and most recommended platform is, as we know, Gophish, but there are other good alternatives if we want to try other platforms for monitoring sending, opens and the credentials obtained from the victims, such as, for example:
For the landing page there are many variables, such as the type of attack you want to carry out, the theme you are going to use in the phishing, the way the link is offered to the victims, etc.
We also have to take into account whether the company has enabled a second authentication factor, since that means having to bypass this protection.
The best known or most familiar is Evilginx2, but there are more alternatives to deploy a landing page and bypass 2FA in case they have it.
Here are some options:
Another way would be to create the landing page yourself and program the backend to relay the data the victim enters in the malicious form to the real service.
By relaying the login this way, second factor included, you can capture the resulting session cookie and save it to get back in later without passing 2FA again. We must take into account that session tokens normally have a limited lifetime and can expire (although unfortunately there are cases in which they don't…).
In these cases you could create an exact copy of the website to impersonate using HTTrack, serve it locally and tunnel it to the internet using one of these services:
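When a session is captured through a relayed login, the first practical question is how long it stays usable. This added example (not from the original post, nor Evilginx2's code) reads the lifetime out of a Set-Cookie header and out of a JWT's exp claim; the cookie strings, the token and the NOW timestamp are constructed, and the JWT signature is deliberately not verified since only the claimed lifetime is of interest. The caveat the post hints at applies: Expires, Max-Age and exp are client-side bounds only; the server can revoke the session earlier, or, as the author says, never.

```python
"""Added example (not from the original post): how long does a captured
session stay usable client-side? Cookies, token and NOW are constructed."""
import base64
import json
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional, Tuple

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed capture time


def parse_set_cookie(header: str) -> Tuple[str, str, dict]:
    """'name=value; Attr; Attr=val' -> (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_expiry(header: str, now: datetime) -> Optional[datetime]:
    """Max-Age wins over Expires (RFC 6265 §5.3). Neither present means a
    session cookie: the browser drops it on exit and only the server knows
    how long the session behind it really lives."""
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        return now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        dt = parsedate_to_datetime(attrs["expires"])
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None


def cookie_seconds_left(header: str, now: datetime) -> Optional[int]:
    """Seconds until the client discards the cookie; None for a session cookie."""
    exp = cookie_expiry(header, now)
    return None if exp is None else int((exp - now).total_seconds())


def jwt_exp(token: str) -> Optional[int]:
    """Epoch seconds of the exp claim, read WITHOUT verifying the signature:
    we only want the advertised lifetime; trusting the claims would need the key."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return int(claims["exp"]) if "exp" in claims else None


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed samples. The JWT's third segment is a placeholder, not a real signature.
SAMPLE_JWT = _b64url({"alg": "HS256", "typ": "JWT"}) + "." + _b64url({"sub": "victim", "exp": 1700000000}) + ".sig"
SAMPLE_COOKIES = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",                    # session cookie, no client-side bound
    "auth=tok; Max-Age=3600; Secure; HttpOnly; SameSite=Lax",       # one hour from receipt
    "remember=me; Expires=Tue, 21 Oct 2025 07:28:00 GMT; Secure",   # fixed calendar date
]

if __name__ == "__main__":
    for c in SAMPLE_COOKIES:
        name = parse_set_cookie(c)[0]
        print(f"{name}: {cookie_seconds_left(c, NOW)} seconds left (None = session cookie)")
    print("jwt exp:", datetime.fromtimestamp(jwt_exp(SAMPLE_JWT), tz=timezone.utc))
```

A long Max-Age on the cookie that carries the authenticated session is exactly the condition under which a replayed cookie keeps working for days; on the defensive side that is the finding to write up, together with whether the server actually invalidates the session on logout or password change.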
When it comes to creating an email I always tend to use the simplest and best-looking one.
Why complicate formatting an email if there are websites that make it easy?
There are many online tools that let you build an email in the simplest way; then you just download the HTML and import it into the manager you are going to use to send the campaign.
In my opinion, the one that has always given me the best results is Stripo Email; you have a limited number of downloads, but you can create a 10-minute email account and use it as many times as you want. On one occasion a client complained because the email was «too perfect», so from experience I recommend it.
In case you don't know what to write the email about, here are two resources to give you ideas, both for the subject line (important if you want the email to be opened) and for the body of the email:
One of the first things we have to find out is whether the target domain has SPF configured. If it doesn't, we can confirm that the domain can be spoofed with a simple Telnet session, for example using this check: https://github.com/Rices/spf-bypass
If it works, we can configure the target's real domain on the SMTP server we have chosen and create mail accounts on it from which we will then send the emails.
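Before sending as someone else's domain, the question is not just "is there an SPF record" but what its final qualifier says and which networks it authorizes. This added example (not from the original post or the linked tool) flattens an SPF record, following include: and redirect=, and classifies the domain. DNS is replaced by a constructed dictionary of TXT records; live, the same strings come from `dig +short TXT target.example`. Mechanisms that need DNS themselves (a, mx, ptr, exists) are counted towards the 10-lookup limit but not resolved offline.

```python
"""Added example (not from the original post): assess how spoofable a
domain's envelope sender is from its published SPF record. DNS is stubbed
with a constructed dict; live, the same strings come from `dig +short TXT`."""
import ipaddress
from typing import Dict, List, Optional

# Constructed TXT data standing in for live DNS answers.
FAKE_DNS: Dict[str, List[str]] = {
    "target.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example ~all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "strict.example": ["v=spf1 mx -all"],
    "open.example": ["v=spf1 +all"],
    "nospf.example": ["site-verification=constructed-value"],
}

MAX_LOOKUPS = 10  # RFC 7208 §4.6.4: more than 10 DNS-querying terms is a permerror

VERDICTS = {
    None: "no 'all' term: unlisted senders are neutral, effectively unprotected",
    "+": "+all: every host is authorised, SPF gives no protection",
    "?": "?all: neutral, effectively unprotected",
    "~": "~all: softfail, outcome depends on the receiver's filters and DMARC",
    "-": "-all: hard fail, SPF-aware receivers reject spoofed envelope senders",
}


def spf_record(domain: str, dns: Dict[str, List[str]]) -> Optional[str]:
    """The single v=spf1 TXT record, None if absent. Two records is a permerror,
    which receivers treat like having no usable SPF at all."""
    recs = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(recs) > 1:
        raise ValueError(f"{domain}: multiple SPF records (permerror)")
    return recs[0] if recs else None


def assess_spf(domain: str, dns: Dict[str, List[str]] = FAKE_DNS,
               _lookups: Optional[list] = None) -> dict:
    """Flatten the record, following include: and redirect=, and report the
    authorised networks plus the qualifier on the final 'all'."""
    lookups = _lookups if _lookups is not None else [0]   # counter shared across recursion
    record = spf_record(domain, dns)
    result = {"domain": domain, "record": record, "networks": [], "all": None,
              "unresolved": [], "lookups": 0}
    if record is None:
        result["verdict"] = "no SPF record: any host can put this domain in MAIL FROM"
        return result
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            result["networks"].append(ipaddress.ip_network(mech.split(":", 1)[1], strict=False))
        elif mech.startswith("include:"):
            lookups[0] += 1
            sub = assess_spf(mech[len("include:"):], dns, lookups)
            result["networks"].extend(sub["networks"])   # an include's own 'all' does not propagate
        elif mech.startswith("redirect="):
            lookups[0] += 1
            sub = assess_spf(mech[len("redirect="):], dns, lookups)
            result["networks"].extend(sub["networks"])
            result["all"] = sub["all"]                    # redirect= hands the whole evaluation over
        elif mech == "all":
            result["all"] = qualifier
        else:
            lookups[0] += 1                               # a, mx, ptr, exists: need DNS, not resolved offline
            result["unresolved"].append(mech)
    result["lookups"] = lookups[0]
    if lookups[0] > MAX_LOOKUPS:
        result["verdict"] = f"permerror: {lookups[0]} DNS lookups exceed the limit of {MAX_LOOKUPS}"
    else:
        result["verdict"] = VERDICTS[result["all"]]
    return result


def ip_authorised(ip: str, networks) -> bool:
    """Would a message from this IP match the ip4/ip6 part of the flattened record?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    for d in FAKE_DNS:
        print(f"{d}: {assess_spf(d)['verdict']}")
    print("203.0.113.7 authorised for target.example:",
          ip_authorised("203.0.113.7", assess_spf("target.example")["networks"]))
```

Read the verdict together with the DMARC policy: a domain with `~all` and `p=none` is as good as unprotected for a spoofed envelope, while `-all` plus `p=reject` means you have to fall back to a look-alike domain of your own. The same script, pointed at your own sending domain, tells you whether your SMTP server's IP is actually in the record before the first campaign email goes out.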
I have seen emails arrive in the inbox looking like this:
But this is not professional and nobody is going to believe that email….
The main measure is to make sure that the domain we have chosen is not blacklisted and has no bad reputation from the past; otherwise it will be blocked outright.
Obfuscation techniques are also often used, such as the following:
As you may well know, phishing is a form of social engineering, so psychology comes into play.
The purpose of a phishing attack is to pull us out of our habit of questioning the validity and security of communications, so if executed correctly it is quite dangerous.
The most common psychological techniques used in phishing are giving the sensation of:
In case you don't have the time or desire to configure the entire environment involved in sending a phishing campaign, there are also scripts or guides that deploy the whole infrastructure using Terraform or Ansible on AWS, Azure, Google Cloud, DigitalOcean, etc.
There are a lot of guides, but some examples are: