Chapter 1 โ The Human Attack Surface
The most sophisticated technical defences can be bypassed by a single employee clicking a link. Social engineering exploits human psychology โ authority, urgency, fear, and trust โ rather than software bugs. In real engagements, social engineering is often the fastest path to initial access.
Chapter 2 โ Phishing Campaigns
# GoPhish โ open source phishing framework
# Key components:
# 1. Sending profile (SMTP config)
# 2. Landing page (credential capture or malware download)
# 3. Email template (the lure)
# 4. Target group (email list)
# 5. Campaign tracking (open, click, and submit rates)
Chapter 3 โ Spear Phishing & Whaling
Spear phishing targets specific individuals with personalised lures built from OSINT. Whaling targets executives (CEOs, CFOs). The personalisation dramatically increases success rates. Reference real events: "your AWS invoice from yesterday", "your Zoom meeting at 3pm", "invoice INV-2025-0342 attached".
Chapter 4 โ Vishing & Smishing
Vishing (voice phishing) involves calling the target and posing as IT, a bank, or a vendor. The goal is to request a password reset, MFA code, or VPN credentials verbally. Smishing uses SMS messages with urgent links. Both exploit the social pressure of a real-time interaction.
Chapter 5 โ Pretexting Scenarios
Build a convincing backstory before any interaction. Common pretexts: IT support performing an upgrade, new employee needing help getting set up, external auditor verifying compliance, vendor arriving to service equipment. The best pretexts are impossible to verify quickly.
Chapter 6 โ Physical Intrusion
Tailgating (following someone through a secure door), badge cloning (RFID/NFC), and impersonation (delivery person, maintenance crew). Once inside: deploy a network implant, access unlocked workstations, photograph sensitive documents, or plug in a USB attack device.
Chapter 7 โ Evilginx & Credential Harvesting
# Evilginx2 โ reverse proxy phishing (bypasses TOTP-based MFA)
# Sits between victim and the legitimate site
# Captures session cookies, not just passwords
# Works even when the target uses 2FA
# Setup a phishlet for Microsoft 365
evilginx
config domain yourdomain.com
config ip YOUR_SERVER_IP
phishlets hostname o365 login.yourdomain.com
phishlets enable o365
lures create o365
Chapter 8 โ Security Awareness Defence
Effective defences: regular phishing simulation programmes with post-click training, hardware FIDO2 security keys (resistant to Evilginx-style attacks), zero-trust architecture requiring verification for every request, callback verification procedures (always call back on a known number, never a number provided by the caller), and a strong reporting culture that rewards employees who flag suspicious contact.