Phishing remains one of the most effective attack vectors in the cybersecurity landscape, with organizations constantly targeted by credential theft, ransomware delivery, and business email compromise (BEC). To combat this, companies must implement realistic, in-house phishing simulations to test employee awareness, measure security posture, and reinforce anti-phishing training.
In this guide, we will outline the technical process of setting up an in-house phishing campaign, from selecting the right tools to crafting realistic attack scenarios and analyzing results for continuous improvement.
Choosing the Right Tools for Your Phishing Simulation
There are several commercial and open-source solutions available to conduct phishing tests effectively. The right choice depends on your organization’s size, budget, and security maturity.
Popular Phishing Simulation Platforms
GoPhish (Open-Source)
- Free, open-source phishing simulation tool.
- Allows full customization of email templates, landing pages, and tracking.
- Self-hosted on-prem or in a cloud VM.
Microsoft Attack Simulator (M365 Defender)
- Integrated into Microsoft 365 Defender for organizations using Exchange Online Protection (EOP).
- Simulates credential phishing and malware delivery scenarios.
- Provides built-in user training integration.
KnowBe4 Phishing Security Test
- Industry-leading phishing awareness platform.
- Pre-built phishing templates based on real-world threats.
- Automated employee training modules post-failure.
PhishMe by Cofense
- Focuses on behavioral phishing awareness training.
- Integrates with SOC workflows for threat intelligence feedback.
- Gamification elements to engage users in phishing education.
Proofpoint Security Awareness
- AI-driven phishing simulations.
- Adaptive learning based on employee performance.
- Integration with email security tools for real-time phishing reporting.
For maximum control, GoPhish is ideal for cybersecurity teams that want to fully customize phishing campaigns without vendor restrictions. However, enterprise solutions (KnowBe4, Proofpoint, Cofense) automate much of the process and provide structured awareness training.
Designing Realistic Phishing Scenarios
A phishing simulation must replicate real-world tactics used by attackers to properly assess employee susceptibility.
Key Elements of a Realistic Phishing Email
Sender Spoofing & Domain Similarity
- Use typosquatting domains (micros0ft.com instead of microsoft.com).
- Leverage legitimate-looking sender addresses (it-support@company[.]com).
Urgency & Psychological Triggers
- Authority-based attacks: “CEO needs your urgent response.”
- Fear-based attacks: “Your account will be locked in 24 hours.”
- Curiosity-based attacks: “You’ve won a free gift card!”
Payloads & Landing Pages
- Credential Harvesting: Fake login pages mimicking O365, Google, VPN portals.
- Attachment-Based Attacks: Malicious PDFs or Office macros prompting for logins.
- Malware Simulations: Harmless executables that trigger endpoint detection & response (EDR) alerts.
Bypassing Email Security
- URL Encoding Tricks: hxxps://secure-login[.]google[.]com@phishingsite[.]com
- Base64 Encoding for payload obfuscation.
- HTML Smuggling Techniques: Embedding JavaScript to execute payloads locally.
A well-crafted phishing email should be indistinguishable from real malicious emails seen in the wild. Avoid generic or poorly formatted attempts, as users will spot them instantly.
Setting Up and Running the Phishing Campaign
mail Infrastructure Setup
- Use a separate mail server or cloud SMTP service (AWS SES, Mailgun, or SendGrid) to send test emails.
- Register custom phishing domains and configure them with realistic MX, SPF, DKIM, and DMARC records.
- Ensure that phishing emails can bypass internal filters (whitelist within security tools for test purposes).
Target List Selection
- Group employees by departments, seniority, and security awareness levels.
- Simulate real-world attack patterns (e.g., HR impersonation targeting new hires, finance-themed attacks for accounting teams).
Landing Pages & Credential Capture
- Clone login portals using GoPhish templates or custom HTML/CSS.
- Capture input fields and redirect users to an internal security awareness page.
- Use multi-step authentication forms to increase realism.
Monitoring and Analytics
- Track open rates, click-through rates, credential submissions, and reporting behavior.
- Heatmap analysis of which departments are most vulnerable.
- Benchmark results against industry phishing benchmarks.
Post-Campaign Training & Remediation
Immediate User Feedback & Training
- Instant Pop-Up Messages: Redirect users who fall for phishing to an awareness page explaining the attack.
- Micro-Learning Modules: Short 5-minute training videos based on specific phishing scenarios.
Reporting & Continuous Improvement
- Identify repeat offenders who consistently fall for phishing and require additional training.
- Provide detailed reports to CISO & security teams for policy adjustments.
- Implement automated phishing reporting tools like Outlook Report Phishing button to track user engagement.
Adjusting Email Security Policies
- Fine-tune email security solutions (Proofpoint, Mimecast, Microsoft Defender for Office 365) to catch emerging phishing tactics.
- Deploy AI-driven anomaly detection for real-time phishing alerts.
- Strengthen Zero Trust access policies to prevent credential misuse from successful phishing attacks.
An effective in-house phishing campaign isn’t just about testing employees—it’s about creating a culture of cybersecurity awareness while continuously improving your defenses. By leveraging powerful phishing simulation tools, crafting realistic attack scenarios, and implementing structured user training, organizations can significantly reduce the risk of real phishing attacks.
By continuously testing and training, your organization stays one step ahead of cybercriminals, turning your workforce into the first line of defense against phishing attacks.
