Phishing & Social Engineering — GoPhish, Evilginx
Phishing simulation, MITM phish-proxies, and the awareness-platform alternatives.
Phishing remains the #1 initial-access technique. Red-team phishing splits into "awareness simulation" (GoPhish style) and "real adversary emulation" (Evilginx-class MITM proxies that defeat MFA). For email infrastructure see Email. For exploitation post-click see Exploitation Frameworks. For defender-side reporting see Bot Protection (login defences) and SIEM.
Phishing simulation / awareness
- ★ GoPhish — open-source phishing campaign manager; web UI; tracks opens / clicks / submissions; templated landing pages; reporting. Free OSS — the reference for awareness simulations.
- King-Phisher (sunset) — older open-source competitor; archive only.
- Lucy Security — paid SaaS; comprehensive awareness platform.
- KnowBe4 — paid; market leader for corporate awareness training.
- Hoxhunt — paid; gamified.
- Cofense PhishMe — paid; large enterprise.
- Proofpoint Security Awareness — paid.
- Curricula / Mimecast / Infosec IQ — paid SaaS competitors.
MFA-defeating MITM proxies (real-adversary territory)
- ★ Evilginx 3 (Kuba Gretzky) — modern reverse-proxy phishing framework; cookie-grab + session-hijack across Microsoft 365 / Google / Okta / others; defeats most TOTP / push MFA. Free OSS — the reference modern adversary tool.
- Modlishka (Piotr Duszynski) — alternative reverse-proxy MITM; Polish researcher; free.
- EvilProxy / Storm-1101 — commercial criminal services (illegal); listed for awareness only.
- Muraena — Italian open-source reverse-proxy phishing; pairs with NecroBrowser for session takeover.
- CredSniper — older; Google-focused.
These tools defeat TOTP and push MFA; WebAuthn / FIDO2 / Passkeys are the practical defence — see Auth.
Site cloners / payload pages
- Zphisher — quick CLI phishing-page generator; many templates; free.
- SocialFish — web UI; templates.
- HiddenEye — multi-template phisher.
- AdvPhishing — phishing kit.
- ShellPhish — phishing kit.
- SET (Social-Engineer Toolkit) by TrustedSec — classic; broad; menu-driven.
Domain / sender infrastructure
- dnstwist — typosquat domain generation.
- CheckMarx URLPunycodeChecker / IDN checks — homoglyph IDN domains.
- DomainHunter / DomainTools / Spamhaus — pick "aged" domains so SpamGuard / Proofpoint don't categorise as new.
- MailSPF / DKIM / DMARC tooling — see Email; proper auth lifts deliverability.
- GoPhish + sendgrid / mailgun / amazonses test domain — typical lab setup.
- Postal / Mail-in-a-Box — self-host SMTP; see Self-Host Email Servers.
Voice / SMS / vishing
- VICIdial / SignalWire / Twilio for testing — vishing infra.
- Asterisk / FreePBX — self-host PBX for caller-ID-spoof scenarios.
- SocialEngineer Toolkit has voice modules.
- fakecaller / Spoofcard — paid.
- Smishing — typically Twilio in test scenarios.
Payload-bearing variants
- MalDoc / Office macros (Office macros mostly blocked from internet docs since 2022 — still useful via OneNote, ISO, LNK, polyglot).
- HTA / SVG smuggling / browser exploit — niche.
- OneNote / ISO / IMG / VHDX / LNK — common 2023–26 vectors.
- MOTW (Mark Of The Web) bypasses — research-track; many CVEs.
- See Malware Analysis for analyzing payloads (and constructing them safely in lab).
Templates / OSINT for pretexting
- See OSINT & Recon — Hunter.io for company email patterns, LinkedIn enumeration, theHarvester.
- Phishing kits leak repos — TheLeakedKitsRepo etc.; for blue-team study.
Defensive (the other side)
- DMARC enforcement (
p=reject) + DKIM + SPF — table stakes. - Microsoft Defender for Office 365 / Proofpoint / Mimecast / Abnormal — paid email security.
- PhishTank / OpenPhish — IOC feeds.
- knockpy / urlscan.io — link analysis.
- WebAuthn / Passkeys for high-value accounts — see Auth.
- Trained users + a "Report Phishing" button — biggest cheap win.
Pick this if…
- Default awareness-simulation platform, free: GoPhish.
- Default real-adversary MITM phishing for engagements: Evilginx 3.
- Quick test page / demo: Zphisher or SET.
- Enterprise awareness program: KnowBe4 or Hoxhunt (paid).
- Defence: DMARC reject + WebAuthn / Passkeys for crown-jewel accounts.