GoPhish Stinks Maybe

on March 26, 2022 under phishing

2 minute read

I’m on a mission to procrastinate! Instead of studying for, purchasing, and earning the eJPT, I have decided to get some phishing in first.
I am trying out GoPhish, Phishing Frenzy, and King Phisher so that I can know how they work, how to break and block them, and as an excuse to jump start a tiny BEEF journey.

I’ve spun up and connected GoPhish to a tenant and have been testing out it’s capabilities.

One thing I know from working in Email Security is that I need to be able to do two main things:

Edit the From Header
Edit the Reply-To Header

This is what everyone does, as it circumvents SPF/DMARC checks and bypasses the need for optical attacks from look-alike domains.
The From header is the friendly-from, which reads as ‘’’ Firstname Lastname [email protected] ‘’’ and is really just a human readable name. You can put whatever you want in there. This is how BEC’s initially happen. Email comes in from [email protected] (per the SENDER header) but says Joe Blow, CEO [email protected] per the from header.
And the reply-to field can be whatever, and is a lower priority to check as far as email security solutions are concerned. Unless you use Cisco stuff, they check everything. But the friendly from is typically used as a handler type address where you can interactively email back and forth with an attacker. Reply-To usually isn’t visible to the user in most email clients. If reply-to != sender then sometimes it is intentionally made visible to the user per the email client. Looking at you, Google.

And apparently in GoPhish these are prepopulated instead of user-editable from within the webgui. Tally up one stink-point for each header! That’s two stink-points right there.

There is a way to add headers in GoPhish’s Sending Server configuration. I believe I may be able to manually input the headers here, but will have to wait to test that out and report back. Adding headers like that is cool because I can not only lock down the conenction between the GoPhish Server and Tenant using an X-OUTBOUND-AUTH token, I can potentially add my own Spam Confident Levels, as well as some other pre-canned X-Headers from other email security appliances and try to bypass in that way.
We shall see how it goes. I will mess with GoPhish for about one more week, then decommission and move on to the next.

OSINT, GoPhish

I feedback.
Let me know what you think of this article on twitter @cpardue09 or leave a comment below!