Phishing Club is a comprehensive phishing simulation and man-in-the-middle (MITM) framework tailored for security professionals, red teams, and companies conducting internal phishing simulations. It offers advanced capabilities beyond traditional phishing tools, focusing on multi-stage attack flows and sophisticated evasion techniques.
Key Features:
- Multi-stage phishing flows: Design complex phishing scenarios with multiple interaction points.
- Reverse proxy phishing: Capture sessions to bypass multi-factor authentication (MFA).
- Domain proxying: Mirror content from target sites for realistic lures.
- Flexible scheduling: Control campaign delivery with time windows, business hours, or manual execution.
- Advanced delivery: Support for SMTP configurations and custom API senders with OAuth.
- Recipient tracking & analytics: Monitor groups, import CSV data, track repeat offenders, and view detailed event histories.
- Automation: Integrate with other tools via HMAC-signed webhooks and a REST API.
- Multi-tenancy: Segregated client handling for service providers.
- Security features: MFA, SSO, session management, and IP filtering.
- Operational tools: In-app updates, CLI installer, and configuration management.
MITM and Red Team Features:
- Full control: Modify and capture requests and responses independently.
- DOM rewriting: Dynamically alter content using CSS/jQuery-like selectors or regex.
- Path and parameter rewriting: Modify URL paths and query parameters on the fly.
- Dynamic obfuscation: Evade static detection with dynamically obfuscated landing pages.
- Evasion & deny pages: Customize the pre-lure evasion pages and the deny pages shown to bots or to visitors being evaded.
- Access control: Implement default deny-lists and advanced filtering using JA4, CIDR, and geo-IP.
- Browser impersonation: Mimic JA4 fingerprints in proxied requests.
- Response overwriting: Short-circuit proxying by returning custom responses.
- Forward proxying: Utilize HTTP and SOCKS5 proxies for origin control.
- Visual Editor: Easily set up proxy configurations with a visual interface.
- Import compromised OAuth tokens: Leverage stolen tokens for further phishing campaigns.
Phishing Club is ideal for cybersecurity students, researchers, and professionals looking to conduct hands-on phishing exercises in a safe, controlled environment, or for red teams aiming to achieve initial access through advanced social engineering tactics.




