Sep 18, 2024 3:48:00 PM | Adversarial Simulation | gophish | DNS tool Phishing Email For Success – Part 4

Welcome to part 4, my Phishing friends. Thanks for returning to our Phishing For Success series! As you probably know by now, I’m a Senior Threat Emulation Specialist here at White Oak Security and spent lots of time doing Red Team Operations and Social Engineering. In our part 1 and part 2 posts we addressed some of the common pitfalls and risks of conducting a phishing campaign. Part 3 introduced a phishing tool, autosneakphish, which can help automate and make it more efficient for you. 

In this part 4 blog, we will focus on practical steps to create phishing templates and landing pages that will evade Proofpoint. Examples used throughout this post are not from a company I have phished – any real attack data has been redacted.

Creating Phishing Email Templates

I remember how much time I spent writing my phishing templates from scratch on my first few phishing engagements – constantly going back to the drawing board and trying to make little alterations. The best starting point for a phishing campaign is to find some kind of online form hosted by your target that you are reasonably certain will result in receiving an email from them, which will provide you with the initial formatting and style details to get started, as in the following example:

screenshot by White Oak Security shows a email formatting template from a campaign for phishing email

Then we wait for an email to arrive:

phishing email test screenshot by White Oak Security

This is perfect. I downloaded the email and opened it in a text editor. Next, you just need to extract the HTML document from the downloaded email.

---redacted---
<tr>

                                                                <td align="left" valign="top" width="45"><img src="http://image.e.embracepetinsurance.com/lib/fe8813727d6d077474/m/1/clock_gray_65x65.png" alt="" style="display:block;" border="0" width="45"></td>

                                                                <td width="23"><img src="http://image.e.embracepetinsurance.com/lib/fe8813727d6d077474/m/1/spacer_img.gif" alt="" style="display:block;" border="0" height="1" width="1"></td>

                                                                <td style="font-family:Arial, sans-serif; font-size:18px; line-height:23px; color:#414042;" align="left">Don&rsquo;t wait! Protect Balto today.</td>

                                                              </tr>

---redacted---

Successful Phishing Email

For this blog, we teamed up with a great client who kindly let me send a phishing email to them to verify we have evaded Proofpoint and Microsoft’s email security measures.

Our first attempt made it to their inbox!

succesful phishing email sent to White Oak Security

Our handy dandy GoPhish Dashboard proves it was opened:

gophish recent campaigns screenshot by White Oak Security

What does Proofpoint think of our friendly BBQ raffle?

proofpoint screenshot email details screenshot by white oak security

As shown above, we received a score of zero. Now we are cooking with gas!

ACHTUNG! – Do not send a lot of emails very fast or it will get nabbed by Proofpoint!!!

How To Create A Good Landing Page

Creating a good landing page follows the same basic guidelines.

First, you need to find a good template for your pretext. We are going with a free BBQ sweepstakes pretext, so this is what I found for that:

how to create a good landing page for phishing

With some simple modifications, we end up with this:

modified landing page screenshot from white oak security

What does VirusTotal think of my landing page?

Total virus program does not flag our landing page phishing email campaign screenshot by white oak security

The key is to remove as little as possible from the landing page you cloned. Leave all the silly little bits that are no longer relevant, especially the links that point to well-known resources or ads.

Let us take a look at a landing page that I found in an email that made it to my spam filter:

example of phishing scam landing page white oak security tester recieved

What does VirusTotal think of this landing page?

scores a 7 on the total virus program for malicious and sketchy

Pretty weak sauce landing page….

Is That Really All It Takes?

Yes and no. You might get lucky and not include any words that make Proofpoint mad. Just remember that you have to ensure you are not throwing in too many keywords that might get you caught. All decent email security tools use a combination of heuristic and static analysis.

An email from IT Support that asks you to reset your password might be more likely to be caught by Proofpoint than asking people to log in to be added to a BBQ raffle. 😉

Phishing Email For Success Conclusion

In this blog, we have laid out a very simple and extremely effective method of building email templates and landing pages that will evade security controls, including Proofpoint! This method is so simple that it surprised me how effective it is. The key to this method as I have mentioned above is that you want to remove as little code as possible from your HTML clones. This blog concludes our series Phishing for Success. Our goal was to empower leaders and technical teams to successfully implement phishing testing for their companies. Doing this well can lead to a very significant strengthening of security posture! Good luck everyone.

MORE FROM OUR TECHNICAL BLOG

Cyber Advisors specializes in providing fully customizable cyber security solutions & services. Our knowledgeable, highly skilled, talented security experts are here to help design, deliver, implement, manage, monitor, put your defenses to the test, & strengthen your systems - so you don’t have to.

Read more from our technical experts...

Phishing For Help?

Written By: Jeffrey Green