Run any Skill in Manus with one click

pretext-engineering

Design a credible phishing pretext and target shortlist from OSINT before any campaign is built — sender persona, scenario, timing, and the minimal target set.

Run Skill in Manus

Stars4,323

Forks860

UpdatedJune 8, 2026 at 07:58

Source

PurpleAILAB

PurpleAILAB/Decepticon

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

SKILL.md

readonly

name	pretext-engineering
description	Design a credible phishing pretext and target shortlist from OSINT before any campaign is built — sender persona, scenario, timing, and the minimal target set.
metadata	{"subdomain":"phishing","when_to_use":"pretext, lure design, target shortlist, phishing scenario, osint for phishing, sender persona, spearphishing","mitre_attack":["T1598","T1598.002","T1598.003","T1585"],"tags":["phishing","social-engineering","osint","pretext"]}

Pretext Engineering

The pretext is the campaign. A technically perfect evilginx2 proxy behind an implausible story converts nobody and burns the engagement. Design the story first, from real OSINT, then pick the smallest target set that proves the objective.

Inputs

plan/roe.json: permitted pretext classes, out-of-scope users, VIP exclusions, data_handling.
OSINT handoff (from the OsintOperator): employee list, org chart, email format, tech stack, current events (mergers, migrations).

Build the pretext

Pick a scenario the target already expects. The best pretexts ride a real process: an in-progress SSO/MFA migration, a benefits open-enrollment window, a shared-document notification from a tool the org actually uses (read the tech stack from OSINT).
Choose the sender persona. Internal IT, a known SaaS vendor, or a real internal sender — but ONLY impersonate an internal employee if plan/roe.json:permitted_actions allows it.
Define the call to action. One click → the lure domain. Keep it single-step.
Set timing. Match send-time to the scenario (e.g. Monday 09:00 for an "IT maintenance this week" lure) and the engagement opsec_level send rate.

Target shortlist

Start with 1–3 users for the first wave (validate deliverability + detection window before scaling).
EXCLUDE anyone in out_of_scope or flagged vip: true.
Prefer roles that satisfy the objective (e.g. for cloud access, target an engineer with console access, not reception).

Forbidden lure patterns

NEVER promise monetary reward or threaten immediate termination — these spike helpdesk volume and break blue-team coverage.
NEVER use a brand that could be confused with a different customer.

Output

Write plan/phisher/pretext.md (scenario, persona, CTA, send window, target shortlist with rationale) and create the target User nodes in the knowledge graph. This file is the input to gophish-campaign / evilginx2-proxy and to the mandatory lure-deconfliction handshake.

More from this repository

same repository

evilginx2-proxy

PurpleAILAB/Decepticon

Author and deploy an evilginx2 phishlet to reverse-proxy a real login and capture the post-authentication session cookie, defeating MFA via session-token theft.

2026-06-084.3k

gophish-campaign

PurpleAILAB/Decepticon

Build and launch a tracked phishing campaign with the GoPhish REST API — sending profile, groups, email template, landing page, launch, and event polling.

2026-06-084.3k

lookalike-domain

PurpleAILAB/Decepticon

Register and provision a lookalike / Punycode phishing domain with DNS and TLS so GoPhish and evilginx2 lures resolve and pass modern mail + browser checks.

2026-06-084.3k

o365-credential-harvest

PurpleAILAB/Decepticon

Harvest and replay O365 / Entra ID access via the OAuth device-code flow and captured tokens (TokenTactics-style), skipping the password + MFA prompts.

2026-06-084.3k

phishing-overview

PurpleAILAB/Decepticon

Phishing / social-engineering catalog for the Phisher agent. Use ONLY when the engagement RoE authorizes a phishing engagement. Covers pretext design, GoPhish campaigns, evilginx2 MFA-bypass proxying, O365 credential/token harvest, lookalike domains, and the mandatory blue-team deconfliction handshake.

2026-06-084.3k

apt29

PurpleAILAB/Decepticon

APT29 (Cozy Bear / Midnight Blizzard, SVR) adversary-emulation playbook — malware-light cloud-identity espionage: no-MFA password spray, OAuth consent/token abuse, Golden SAML, mailbox collection over residential proxies. Use when emulating APT29 against an M365/Entra/AWS-identity estate. Triggers on: 'emulate APT29', 'Cozy Bear', 'Midnight Blizzard', 'NOBELIUM', 'OAuth abuse', 'cloud identity espionage', 'Golden SAML'.

2026-06-084.3k

Pretext Engineering

Inputs

plan/roe.json: permitted pretext classes, out-of-scope users, VIP exclusions, data_handling.

OSINT handoff (from the OsintOperator): employee list, org chart, email format, tech stack, current events (mergers, migrations).

Build the pretext

Pick a scenario the target already expects. The best pretexts ride a real process: an in-progress SSO/MFA migration, a benefits open-enrollment window, a shared-document notification from a tool the org actually uses (read the tech stack from OSINT).

Choose the sender persona. Internal IT, a known SaaS vendor, or a real internal sender — but ONLY impersonate an internal employee if plan/roe.json:permitted_actions allows it.

Define the call to action. One click → the lure domain. Keep it single-step.

Set timing. Match send-time to the scenario (e.g. Monday 09:00 for an "IT maintenance this week" lure) and the engagement opsec_level send rate.

Target shortlist

Start with 1–3 users for the first wave (validate deliverability + detection window before scaling).

EXCLUDE anyone in out_of_scope or flagged vip: true.

Prefer roles that satisfy the objective (e.g. for cloud access, target an engineer with console access, not reception).

Forbidden lure patterns

NEVER promise monetary reward or threaten immediate termination — these spike helpdesk volume and break blue-team coverage.

NEVER use a brand that could be confused with a different customer.

Output