Phishing Checklist

About to embark on your first phishing trip? Here is a checklist to help you on your journey.

Nathan C

11/8/2024

3 min read

Phishing is very much alive and well. For those entering the industry, the topic might seem overwhelming. How do I get an email connected to a domain? What the heck is SPF? How do I log the credentials? All of those are valid questions. This post gives a broad overview of what you need going into a phishing campaign, and subsequent posts will cover the individual topics in more depth.

To conduct a phishing campaign you essentially need the following items:

  • A target audience

  • A likely scenario

  • A valid domain

  • A convincing email

  • A phishing tool

That checklist will help give you a framework to work with during your first phishing adventure. For those who are quick skimmers, read the bullet points and go do your thing! For those who want a little more explanation, here's a quick rundown of each item.

A Target Audience

This is where you ask questions like, "Who am I targeting and why?" If you want confidential employee information, then perhaps HR is your target. If you want to breach a system, then figure out who works in the IT department. Knowing who you are targeting will help you figure out which domain to buy and what scenario to use.

A Likely Scenario

What is going to make the end user click? That is the million dollar question. Offering a $500,000 Amazon gift card for completing a company survey will probably raise some red flags. However, offering employees a company-branded sweatshirt during the holiday season could land you many credentials. Knowing your target audience will greatly help in thinking of a scenario.

A Valid Domain

Domains are a double-edged sword thanks to our dear friend Microsoft Defender (Spoiler alert - it involves domain impersonation, but don't worry about that now). Your domain needs to be convincing, but it can't mimic the target too closely, because many companies have domain impersonation rules in place. This is the domain that will be connected to the email address you send emails from. Wait - how do I connect the domain to the email? Don't worry, we will cover that in another post. For now, just know you need a domain. A major thing to remember about domains is NEVER impersonate federal or local government agencies. You are looking at jail time if you do.
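To show what those "domain impersonation rules" look like from the defender's side, here is an added example (my own code, not from the original post or any product mentioned here) of the kind of lookalike-domain check a mail filter or SOC analyst might run on the sender domain of inbound mail. The protected-domain list, the homoglyph table, the two-label suffix model and the distance threshold are all my assumptions; a real deployment would use a public-suffix list and tune the threshold per organisation.

```python
# Added example: classify an inbound sender domain as internal, lookalike or external.
# Everything below (protected list, homoglyph table, sample inputs) is constructed for the demo.

# Character swaps commonly used to imitate a domain (assumed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(label: str) -> str:
    """Fold look-alike characters and drop hyphens so 'examp1e-hr' compares as 'examplehr'."""
    s = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_part(domain: str) -> str:
    """Label just before the suffix: 'login.example.com' -> 'example'.
    Assumes a simple one-label suffix (no public-suffix list) for the demo."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_sender(sender_domain: str, protected: list[str], max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for the sender's domain.

    'internal'  - exact match or subdomain of a protected domain
    'lookalike' - same core label after homoglyph folding, or within max_distance edits
    'external'  - everything else (a normal third party)
    """
    sender = sender_domain.lower().rstrip(".")
    for good in protected:
        good = good.lower()
        if sender == good or sender.endswith("." + good):
            return "internal"

    sender_core = normalize(registrable_part(sender))
    for good in protected:
        good_core = normalize(registrable_part(good))
        # Same core under a different TLD (example.co) or with swapped characters (examp1e.com)
        if sender_core == good_core:
            return "lookalike"
        # Close edit distance; the length guard avoids flagging everything near very short names
        if len(good_core) >= 5 and edit_distance(sender_core, good_core) <= max_distance:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample: one protected domain and a few inbound sender domains.
    protected_domains = ["example.com"]
    for d in ["example.com", "mail.example.com", "examp1e.com", "example.co",
              "exarnple-hr.com", "google.com"]:
        print(f"{d:20} -> {classify_sender(d, protected_domains)}")
```

The check only looks at the domain string, so it should feed a rule (quarantine, banner, or analyst review) rather than act as the sole verdict; domains the organisation legitimately owns under other TLDs need to be in the protected list or they will be reported as lookalikes.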

A Convincing Email

Anyone who has taken mandatory corporate training on phishing knows the warning signs of a phishing email (these will be addressed in a separate post under Protect). As an attacker, you need to avoid these at all costs. Your email should be so pristine that angels would shed a tear when reading it. However, there are times when a customer will ask you to make a campaign that is "easy" for their end users. In that case, throw them some bones and misspell a few words.

A Phishing Tool

When conducting a phishing attack you need something to capture credentials. After all, that is the whole objective of most phishing campaigns. The specifics of your campaign help determine which tooling you use. Need metrics on who clicked and who entered creds? GoPhish might be your answer. If you are testing MFA bypass, you might want to give Evilginx a look. If you are feeling really adventurous, you can DIY your own HTML and key logging. The options are endless, and we will use future posts to explore them.

Welp, there it is. A simple checklist and breakdown of the things you need to go phishing. Go forth and keep learning!

DISCLAIMER: You know we have to say it, but all resources on PhishAreFriends.com are for educational purposes only. The information gained from this site should not be used for any illegal purpose.