security-labs

🎣 Project 01 — Phishing Attack Simulation

Simulated phishing campaigns to assess organisational vulnerability and improve security awareness.


🎯 Objective

Built controlled phishing-awareness campaigns with GoPhish that simulate real-world credential-harvesting and social-engineering attacks, entirely in a lab environment, to measure how susceptible teams are to phishing and to improve how they respond.


🔧 Lab Setup

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   Attacker VM   │────▶│ GoPhish Server  │────▶│  Target Email   │
│  (VirtualBox)   │     │  (SMTP Setup)   │     │  (Lab Accts)    │
└─────────────────┘     └─────────────────┘     └─────────────────┘
                              │
                              ▼
                    ┌─────────────────┐
                    │ Landing Page    │
                    │ (Fake Login)    │
                    └─────────────────┘
                              │
                              ▼
                    ┌─────────────────┐
                    │ Creds Captured  │
                    │ (GoPhish Panel) │
                    └─────────────────┘

🧪 Methodology

  1. Reconnaissance
    • Collected publicly available email patterns from LinkedIn (lab accounts only)
    • Identified email service providers and mail security configurations
  2. Campaign Design
    • Created convincing email templates mimicking common services (Google, Microsoft)
    • Built pixel-perfect login phishing pages using HTML/CSS
    • Configured GoPhish with proper SMTP routing
  3. Execution
    • Sent phishing emails to controlled lab accounts
    • Tracked: open rates, link clicks, credential submissions, session duration
  4. Metrics Captured
    • Open rate %
    • Link click rate %
    • Credential submission rate %
    • Time spent on phishing page
  5. Findings
    • Identified which email subject lines had highest open rates
    • Measured average time before users reported suspicious activity
    • Documented which departments were most vulnerable

📊 Results

Metric                  Value
Emails Sent             50 (lab accounts)
Open Rate               ~65%
Link Click Rate         ~40%
Credential Submission   ~25%
Reported to IT          <10%
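The metrics above are what GoPhish's campaign timeline lets you derive per recipient. The script below is an added example (not part of this repository and not GoPhish's own code) that turns a timeline of events into the same funnel metrics plus the mean time-to-report and a per-department breakdown. The event names follow GoPhish's timeline vocabulary ("Email Sent", "Email Opened", "Clicked Link", "Submitted Data", "Email Reported"); the three-column (email, event, timestamp) layout and the sample rows are constructed for this example, so adapt the loader to your actual export.

```python
"""Compute phishing-awareness campaign metrics from a GoPhish-style event timeline.

Added example; the event rows below are constructed and the 3-column layout is an
assumption for this script, not GoPhish's export format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample timeline: (recipient, event, ISO-8601 timestamp).
SAMPLE_EVENTS = [
    ("a@lab.example", "Email Sent", "2024-05-01T09:00:00"),
    ("a@lab.example", "Email Opened", "2024-05-01T09:05:00"),
    ("a@lab.example", "Clicked Link", "2024-05-01T09:06:00"),
    ("a@lab.example", "Submitted Data", "2024-05-01T09:07:00"),
    ("b@lab.example", "Email Sent", "2024-05-01T09:00:00"),
    ("b@lab.example", "Email Opened", "2024-05-01T09:20:00"),
    ("b@lab.example", "Email Reported", "2024-05-01T09:30:00"),
    ("c@lab.example", "Email Sent", "2024-05-01T09:00:00"),
    ("c@lab.example", "Email Opened", "2024-05-01T10:00:00"),
    ("c@lab.example", "Clicked Link", "2024-05-01T10:01:00"),
    ("d@lab.example", "Email Sent", "2024-05-01T09:00:00"),
]

# Constructed recipient -> department map for the per-department breakdown.
SAMPLE_DEPARTMENTS = {
    "a@lab.example": "finance",
    "b@lab.example": "engineering",
    "c@lab.example": "finance",
    "d@lab.example": "engineering",
}

# Funnel order. A later stage implies the earlier ones: a click proves the mail
# was opened even when the tracking pixel was blocked by the mail client.
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]


def _first_event_times(events):
    """Map each recipient to the earliest timestamp of each event it produced."""
    per_user = defaultdict(dict)
    for email, event, ts in events:
        t = datetime.fromisoformat(ts)
        if event not in per_user[email] or t < per_user[email][event]:
            per_user[email][event] = t
    return per_user


def campaign_metrics(events):
    """Return funnel rates (percent of emails sent) and mean minutes to report."""
    per_user = _first_event_times(events)
    sent = [e for e, ev in per_user.items() if "Email Sent" in ev]
    n = len(sent)

    def reached(stage):
        # Count a recipient at a stage if they hit that stage or any later one.
        later = FUNNEL[FUNNEL.index(stage):]
        return sum(1 for e in sent if any(s in per_user[e] for s in later))

    def pct(count):
        return round(100.0 * count / n, 1) if n else 0.0

    reporters = [e for e in sent if "Email Reported" in per_user[e]]
    minutes = [
        (per_user[e]["Email Reported"] - per_user[e]["Email Sent"]).total_seconds() / 60
        for e in reporters
    ]
    return {
        "emails_sent": n,
        "open_rate": pct(reached("Email Opened")),
        "click_rate": pct(reached("Clicked Link")),
        "submission_rate": pct(reached("Submitted Data")),
        "report_rate": pct(len(reporters)),
        "mean_minutes_to_report": round(sum(minutes) / len(minutes), 1) if minutes else None,
    }


def metrics_by_department(events, dept_of):
    """Run campaign_metrics separately for each department in dept_of."""
    by_dept = defaultdict(list)
    for row in events:
        by_dept[dept_of.get(row[0], "unknown")].append(row)
    return {dept: campaign_metrics(rows) for dept, rows in sorted(by_dept.items())}


if __name__ == "__main__":
    print(campaign_metrics(SAMPLE_EVENTS))
    for dept, m in metrics_by_department(SAMPLE_EVENTS, SAMPLE_DEPARTMENTS).items():
        print(dept, m)
```

The funnel inference matters for the open-rate figure: mail clients that block remote images never fire GoPhish's tracking pixel, so counting only "Email Opened" events under-reports opens, while a recorded click or submission is unambiguous evidence that the message was read. The report rate and time-to-report are the defensive numbers worth trending across campaigns, since they measure whether awareness training is shortening the window in which a real phish would go unnoticed.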

πŸ›‘οΈ Defensive Recommendations (Documented)


🔧 Tech Stack

GoPhish · VirtualBox · HTML/CSS · SMTP · Social Engineering


πŸ“ Folder Structure

phishing-simulation/
├── README.md
├── methodology.md
└── (lab-notes.txt — private, not uploaded)

⚠️ Disclaimer

This project was conducted entirely within a controlled lab environment. All target accounts were owned by me or set up with explicit written consent. No attacks were launched against any system without permission.