Run any Skill in Manus with one click

phishing-overview

Phishing / social-engineering catalog for the Phisher agent. Use ONLY when the engagement RoE authorizes a phishing engagement. Covers pretext design, GoPhish campaigns, evilginx2 MFA-bypass proxying, O365 credential/token harvest, lookalike domains, and the mandatory blue-team deconfliction handshake.

Run Skill in Manus

Stars4,323

Forks860

UpdatedJune 8, 2026 at 07:58

Source

PurpleAILAB

PurpleAILAB/Decepticon

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

File Explorer

7 files

SKILL.md

readonly

name	phishing-overview
description	Phishing / social-engineering catalog for the Phisher agent. Use ONLY when the engagement RoE authorizes a phishing engagement. Covers pretext design, GoPhish campaigns, evilginx2 MFA-bypass proxying, O365 credential/token harvest, lookalike domains, and the mandatory blue-team deconfliction handshake.
metadata	{"subdomain":"phishing","when_to_use":"phishing, social engineering, initial access, gophish, evilginx2, mfa bypass, lure, pretext, o365 oauth, lookalike domain, deconfliction","mitre_attack":["T1566","T1566.001","T1566.002","T1598","T1656"],"tags":["phishing","social-engineering","initial-access","evilginx","gophish"]}

Phishing / Social-Engineering Skill Catalog

Gating. Every skill here refuses to execute unless the engagement RoE authorizes a phishing engagement and the blue-team deconfliction handshake (lure-deconfliction) has completed. Phishing real employees without written authorization is a crime — the RoE + deconfliction ack are the operator's legal coverage.

Playbooks

Skill	Use for
`/skills/standard/phisher/pretext-engineering/SKILL.md`	Design the pretext + target shortlist from OSINT (LinkedIn / Hunter.io)
`/skills/standard/phisher/gophish-campaign/SKILL.md`	GoPhish API: groups, email templates, landing pages, campaign launch + tracking
`/skills/standard/phisher/evilginx2-proxy/SKILL.md`	evilginx2 phishlet authoring; capture session cookies past MFA
`/skills/standard/phisher/o365-credential-harvest/SKILL.md`	O365 / Entra OAuth device-code + token capture and replay
`/skills/standard/phisher/lookalike-domain/SKILL.md`	Punycode / lookalike domain + DNS + TLS provisioning
`/skills/standard/phisher/lure-deconfliction/SKILL.md`	MANDATORY pre-send handshake with the blue-team contact

Infrastructure pattern

[Target inbox] -> [NGiNX reverse proxy on attacker domain]
                  ├─ /login   → evilginx2 phishlet (MFA bypass + session capture)
                  └─ /landing → GoPhish (campaign tracking + analytics)

The NGiNX layer is OPSEC: blue-team URL classifiers see one domain; internal routing splits phishlet vs landing by path / referer.
TLS via Let's Encrypt + acme.sh; keep ACME challenges off the phishlet path.
SPF / DKIM / DMARC must be correct on the sender domain or modern inboxes drop the mail. Soundwave's phishing template walks the operator through DNS setup.

Deconfliction (mandatory)

Every outbound mail carries an engagement header (X-Decepticon-Eng: <slug>) the SOC allow-lists so simulated phishing is distinguishable from a real attack. The lure-deconfliction skill is a hard gate before the first send — skipping it is a critical RoE violation.

Failsafe

On operator stop or SOC request, wind down within 5 minutes: pause the GoPhish campaign, return 502 on the evilginx2 phishlet, and repoint the sender domain to a static "this was an authorized test — contact your security team" page.

More from this repository

same repository

evilginx2-proxy

PurpleAILAB/Decepticon

Author and deploy an evilginx2 phishlet to reverse-proxy a real login and capture the post-authentication session cookie, defeating MFA via session-token theft.

2026-06-084.3k

gophish-campaign

PurpleAILAB/Decepticon

Build and launch a tracked phishing campaign with the GoPhish REST API — sending profile, groups, email template, landing page, launch, and event polling.

2026-06-084.3k

lookalike-domain

PurpleAILAB/Decepticon

Register and provision a lookalike / Punycode phishing domain with DNS and TLS so GoPhish and evilginx2 lures resolve and pass modern mail + browser checks.

2026-06-084.3k

o365-credential-harvest

PurpleAILAB/Decepticon

Harvest and replay O365 / Entra ID access via the OAuth device-code flow and captured tokens (TokenTactics-style), skipping the password + MFA prompts.

2026-06-084.3k

pretext-engineering

PurpleAILAB/Decepticon

Design a credible phishing pretext and target shortlist from OSINT before any campaign is built — sender persona, scenario, timing, and the minimal target set.

2026-06-084.3k

apt29

PurpleAILAB/Decepticon

APT29 (Cozy Bear / Midnight Blizzard, SVR) adversary-emulation playbook — malware-light cloud-identity espionage: no-MFA password spray, OAuth consent/token abuse, Golden SAML, mailbox collection over residential proxies. Use when emulating APT29 against an M365/Entra/AWS-identity estate. Triggers on: 'emulate APT29', 'Cozy Bear', 'Midnight Blizzard', 'NOBELIUM', 'OAuth abuse', 'cloud identity espionage', 'Golden SAML'.

2026-06-084.3k

name	phishing-overview
description	Phishing / social-engineering catalog for the Phisher agent. Use ONLY when the engagement RoE authorizes a phishing engagement. Covers pretext design, GoPhish campaigns, evilginx2 MFA-bypass proxying, O365 credential/token harvest, lookalike domains, and the mandatory blue-team deconfliction handshake.
metadata	{"subdomain":"phishing","when_to_use":"phishing, social engineering, initial access, gophish, evilginx2, mfa bypass, lure, pretext, o365 oauth, lookalike domain, deconfliction","mitre_attack":["T1566","T1566.001","T1566.002","T1598","T1656"],"tags":["phishing","social-engineering","initial-access","evilginx","gophish"]}

Phishing / Social-Engineering Skill Catalog

Playbooks

Skill	Use for
`/skills/standard/phisher/pretext-engineering/SKILL.md`	Design the pretext + target shortlist from OSINT (LinkedIn / Hunter.io)
`/skills/standard/phisher/gophish-campaign/SKILL.md`	GoPhish API: groups, email templates, landing pages, campaign launch + tracking
`/skills/standard/phisher/evilginx2-proxy/SKILL.md`	evilginx2 phishlet authoring; capture session cookies past MFA
`/skills/standard/phisher/o365-credential-harvest/SKILL.md`	O365 / Entra OAuth device-code + token capture and replay
`/skills/standard/phisher/lookalike-domain/SKILL.md`	Punycode / lookalike domain + DNS + TLS provisioning
`/skills/standard/phisher/lure-deconfliction/SKILL.md`	MANDATORY pre-send handshake with the blue-team contact

Infrastructure pattern

[Target inbox] -> [NGiNX reverse proxy on attacker domain]
                  ├─ /login   → evilginx2 phishlet (MFA bypass + session capture)
                  └─ /landing → GoPhish (campaign tracking + analytics)

The NGiNX layer is OPSEC: blue-team URL classifiers see one domain; internal routing splits phishlet vs landing by path / referer.
TLS via Let's Encrypt + acme.sh; keep ACME challenges off the phishlet path.
SPF / DKIM / DMARC must be correct on the sender domain or modern inboxes drop the mail. Soundwave's phishing template walks the operator through DNS setup.