Run any Skill in Manus with one click

$pwd:

phish-overview

Name: Phish Overview
Author: PurpleAILAB

// Use ONLY when the engagement's ConOps explicitly declares phishing_engagement=true. Covers GoPhish campaign management, Evilginx2 reverse-proxy MFA bypass, Modlishka live credential capture, and the deconfliction handshake with SOC / incident response.

Run Skill in Manus

$ git log --oneline --stat

stars:4,187

forks:826

updated:May 28, 2026 at 10:02

SKILL.md

readonly

name	phish-overview
description	Use ONLY when the engagement's ConOps explicitly declares phishing_engagement=true. Covers GoPhish campaign management, Evilginx2 reverse-proxy MFA bypass, Modlishka live credential capture, and the deconfliction handshake with SOC / incident response.
metadata	{"subdomain":"phish","tags":"phishing, evilginx, gophish, modlishka, social-engineering, mfa-bypass","mitre_attack":"T1566, T1566.001, T1566.002, T1078, T1539, T1621","gated_by_conops":"phishing_engagement"}

Phishing / Social Engineering Skill Catalog

Gating: every skill in this catalog refuses to execute unless ConOps declares phishing_engagement=true. The Soundwave planner's phishing-engagement template generates this flag along with:

Sender domains (must be operator-owned).
Target population scope (which AD groups, which email domains).
Deconfliction window (operator-SOC notification cadence).
Out-of-band failsafe contact for the SOC.

Playbooks

Skill	Use for
`/skills/standard/phish/gophish-campaign/SKILL.md`	GoPhish API: create user/group, template, landing page, campaign
`/skills/standard/phish/evilginx2-phishlet/SKILL.md`	Author and deploy a phishlet; capture session cookies past MFA
`/skills/standard/phish/modlishka-proxy/SKILL.md`	Modlishka 2FA bypass — real-time token relay
`/skills/standard/phish/o365-token-replay/SKILL.md`	Replay captured O365 access tokens via TokenTactics
`/skills/standard/phish/teams-meeting-bombing/SKILL.md`	Teams external-meeting OAuth flow abuse
`/skills/standard/phish/qr-code-phishing/SKILL.md`	Quishing — QR codes on physical artifacts, mobile-only landing
`/skills/standard/phish/voice-phish-vish/SKILL.md`	Pretexting + AI voice cloning for helpdesk SE (very restricted RoE)
`/skills/standard/phish/deconfliction-handshake/SKILL.md`	SOC notification protocol; "this is a test" headers; rollback

Infrastructure pattern

[Target inbox] -> [NGiNX reverse proxy on attacker domain]
                  ├─ /login → Evilginx2 phishlet (MFA bypass + session cap)
                  └─ /landing → GoPhish (campaign tracking + analytics)

Notes:

The NGiNX layer is for OPSEC: blue-team URL classifiers see one domain; internally we route to phishlet vs landing based on path / referer.
TLS certs from Let's Encrypt with acme.sh — keep ACME challenges off the same path the phishlet uses.
DKIM/SPF/DMARC must be correctly set on the sender domain or modern inboxes drop the mail. Soundwave's phishing template walks the operator through DNS setup.

Deconfliction

Each engagement gets a magic header (X-Decepticon-Eng: <slug>) on every outbound mail. The SOC's mail-flow rule allow-lists that header so blue-team can identify simulated phishing from real attack traffic. Without this, phishing tests collide with real IR cases.

Failsafe

If the operator's session is terminated or the SOC requests an immediate stop, the phishing infrastructure must wind down within 5 minutes:

gophish_pause_campaign halts new mail.
evilginx_disable_phishlet returns 502 on the phishlet.
dns_failover_to_safe repoints the sender domain to a static "this was a test, contact your security team" page.

These steps are codified as the phishing_failsafe skill, which the operator can invoke with one bash command.

related-skills.json

same repository

mobile-overview.md

from "PurpleAILAB/Decepticon"

Use when the engagement target is an Android (APK / AAB) or iOS (IPA) application. Covers static analysis (jadx, apktool, class-dump), dynamic instrumentation via Frida and Objection, SSL-pinning bypass, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported-component attacks, IPC redirection, WebView vulnerabilities, and biometric / Face ID / Touch ID bypass.

2026-05-284.2k

dfir-overview.md

from "PurpleAILAB/Decepticon"

Use to close the Offensive Vaccine loop on the defender side. The Detector agent produces Sigma / YARA rules from offensive operations; this catalog validates those rules against real memory dumps, event logs, and forensic artifacts using Volatility 3, plaso, and sigma-cli. Without this catalog, detection rules are theoretical.

2026-05-284.2k

ics-overview.md

from "PurpleAILAB/Decepticon"

Use when the target is an industrial control system or operational technology network running Modbus, BACnet, S7Comm/S7Comm Plus, DNP3, OPC-UA, or any PLC/HMI/SCADA stack. Engagements MUST set RoE flag industrial_safety_critical=true; this catalog gates every write-scope operation behind explicit operator confirmation regardless of HITL middleware.

2026-05-284.2k

iot-overview.md

from "PurpleAILAB/Decepticon"

Use when the engagement target is IoT, embedded Linux, RTOS, or any device reachable via UART/JTAG/SWD or by extracting its firmware. Covers firmware acquisition, binwalk extraction, filesystem mounting, default-credential hunting, bootloader attacks, wireless protocol sidebands (BLE, Zigbee, Z-Wave, LoRaWAN, sub-GHz).

2026-05-284.2k

osint-overview.md

from "PurpleAILAB/Decepticon"

Use when the engagement requires passive reconnaissance only — no packets to the target's authoritative infrastructure. Splits off from the Recon agent so bug-bounty and pre-engagement work can run with outbound-only network policy. Maltego, Shodan, Censys, Hunter.io, breach-data lookups, GitHub code search, Wayback Machine archives, certificate transparency, BGP/ASN mapping.

2026-05-284.2k

supply-chain-overview.md

from "PurpleAILAB/Decepticon"

Use when the engagement scope includes supply-chain attack simulation — typosquatted package publication, dependency confusion, GitHub Actions secret mining, internal mirror poisoning, OAuth-app impersonation, or vendor portal credential abuse.

2026-05-284.2k

package.json

"author": "PurpleAILAB"

"repository": "PurpleAILAB/Decepticon"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	phish-overview
description	Use ONLY when the engagement's ConOps explicitly declares phishing_engagement=true. Covers GoPhish campaign management, Evilginx2 reverse-proxy MFA bypass, Modlishka live credential capture, and the deconfliction handshake with SOC / incident response.
metadata	{"subdomain":"phish","tags":"phishing, evilginx, gophish, modlishka, social-engineering, mfa-bypass","mitre_attack":"T1566, T1566.001, T1566.002, T1078, T1539, T1621","gated_by_conops":"phishing_engagement"}

Phishing / Social Engineering Skill Catalog

Gating: every skill in this catalog refuses to execute unless ConOps declares phishing_engagement=true. The Soundwave planner's phishing-engagement template generates this flag along with:

Sender domains (must be operator-owned).
Target population scope (which AD groups, which email domains).
Deconfliction window (operator-SOC notification cadence).
Out-of-band failsafe contact for the SOC.

Playbooks

Skill	Use for
`/skills/standard/phish/gophish-campaign/SKILL.md`	GoPhish API: create user/group, template, landing page, campaign
`/skills/standard/phish/evilginx2-phishlet/SKILL.md`	Author and deploy a phishlet; capture session cookies past MFA
`/skills/standard/phish/modlishka-proxy/SKILL.md`	Modlishka 2FA bypass — real-time token relay
`/skills/standard/phish/o365-token-replay/SKILL.md`	Replay captured O365 access tokens via TokenTactics
`/skills/standard/phish/teams-meeting-bombing/SKILL.md`	Teams external-meeting OAuth flow abuse
`/skills/standard/phish/qr-code-phishing/SKILL.md`	Quishing — QR codes on physical artifacts, mobile-only landing
`/skills/standard/phish/voice-phish-vish/SKILL.md`	Pretexting + AI voice cloning for helpdesk SE (very restricted RoE)
`/skills/standard/phish/deconfliction-handshake/SKILL.md`	SOC notification protocol; "this is a test" headers; rollback

Infrastructure pattern

[Target inbox] -> [NGiNX reverse proxy on attacker domain]
                  ├─ /login → Evilginx2 phishlet (MFA bypass + session cap)
                  └─ /landing → GoPhish (campaign tracking + analytics)

Notes:

The NGiNX layer is for OPSEC: blue-team URL classifiers see one domain; internally we route to phishlet vs landing based on path / referer.
TLS certs from Let's Encrypt with acme.sh — keep ACME challenges off the same path the phishlet uses.
DKIM/SPF/DMARC must be correctly set on the sender domain or modern inboxes drop the mail. Soundwave's phishing template walks the operator through DNS setup.

Deconfliction

Failsafe

If the operator's session is terminated or the SOC requests an immediate stop, the phishing infrastructure must wind down within 5 minutes:

gophish_pause_campaign halts new mail.
evilginx_disable_phishlet returns 502 on the phishlet.
dns_failover_to_safe repoints the sender domain to a static "this was a test, contact your security team" page.

These steps are codified as the phishing_failsafe skill, which the operator can invoke with one bash command.

phish-overview

Phishing / Social Engineering Skill Catalog

Playbooks

Infrastructure pattern

Deconfliction

Failsafe

More from this repository

More from this repository

Phishing / Social Engineering Skill Catalog

Playbooks

Infrastructure pattern

Deconfliction

Failsafe