This project documents a controlled phishing simulation conducted as part of a cybersecurity class. The goal was to design, deploy, and analyze a credential-harvesting phishing campaign using GoPhish, cloned landing pages, and a realistic social engineering pretext.

Ethical & Legal Notes:
• Fully authorized, instructor-approved simulation
• No real individuals or organizations targeted
• All accounts and infrastructure were isolated test environments
• Participants provided opt-in consent and were debriefed afterward
• No real credentials or personal data were collected

Objective: Simulate a realistic phishing attack designed to harvest credentials through a spoofed “security alert” email.

Behavioral Goal:

• Trigger the user to perform a password reset on a cloned login page
• Analyze password creation patterns
• Evaluate susceptibility to urgency-based pretexts
• Study UI elements that increase or decrease trust

Security Value:

• Understand how credential-harvesting kits operate
• Study SMTP reputation and email delivery
• Analyze cloned login page behavior
• Identify detection opportunities in real environments

Simulated User Persona:

• Role: Graduate research assistant in cloud infrastructure
• Interests: AWS, homelabs, cloud security
• Behavior: Likely to trust professional-platform security alerts

Environmental Vulnerability: The persona relies heavily on professional networking platforms, making a spoofed “security alert” email a plausible attack vector.

Privacy & Scope: All reconnaissance was performed on fictional accounts created solely for this lab.

Attacker Infrastructure:

• Cloudflare-protected web server
• Backend database for storing captured test credentials
• 1:1 cloned password reset page

Delivery Mechanism:

• SMTP relay using a high-reputation provider
• Spoofed “Security Team” sender alias
• Urgency-based pretext: “Password breach detected — reset required”

Exploit Workflow:

• HTML email with embedded malicious link
• Link redirects to cloned reset page
• Credentials captured and logged
• User silently redirected to the legitimate site

Design Process:

• Triggered a real password reset to study legitimate formatting
• Extracted and cleaned the HTML
• Used AI to refine layout and structure
• Replaced branding, text, and URLs with malicious equivalents

Final Email Characteristics:

• Subject: “Action Required: Your password may have been compromised”
• Sender Alias: “Security Team”
• Source: Test Gmail account
• Social Engineering: Urgency + fear
• Malicious link embedded in “Reset Password” button

Design Inspiration: A cloned version of a professional networking site’s password reset page.

Technical Stack:

• HTML5 structure
• CSS3 styling
• JavaScript for form handling and redirects

AI Usage: Used Gemini 3 to generate initial HTML/CSS, refine layout, and improve UI realism.

Final Output Capabilities:

• Accept username + new password
• Log submissions to backend
• Redirect user to legitimate site

Email Security:

• SMTP reputation heavily influences delivery success
• SPF/DKIM/DMARC can be bypassed with clever aliasing
• HTML emails remain a major attack vector

User Behavior:

• Urgency and fear are highly effective
• Professional-platform alerts are trusted more

Detection Opportunities:

• Cloudflare-hosted phishing pages can still be fingerprinted
• Redirect chains often reveal malicious intent
• Email metadata exposes spoofing attempts

Mitigation Strategies:

• Enforce MFA
• Use password managers to detect domain mismatches
• Implement browser-based phishing protection
• Train users to inspect sender domains and URLs

Running a controlled phishing simulation was one of the most eye-opening exercises in my homelab. It demonstrated how effective even basic social engineering can be — and how defenders must think like attackers to build stronger protections.

If you're interested in replicating this ethically, start with open-source tools like GoPhish or King Phisher, always obtain explicit consent, and debrief participants immediately.

(Last updated: January 2026)