March 24, 2026

Phishing remains one of the most effective and widely used attack vectors in modern cybersecurity. For penetration testers and red teams, simulating phishing attacks in a controlled environment is essential to evaluate how well an organization can detect, respond to, and recover from credential harvesting attempts. This guide walks you through a complete phishing simulation setup using Gophish, evilginx2, Mailgun, and AWS EC2, covering everything from infrastructure provisioning to running live campaigns.

If your organization needs a professional phishing assessment conducted by certified experts, Redfox Cybersecurity offers tailored red team engagements designed to expose real-world weaknesses before attackers do.

What Is Phishing and Why Simulate It?

Phishing is a social engineering attack where a malicious actor impersonates a trusted entity to deceive victims into surrendering sensitive information such as login credentials, credit card numbers, or session tokens. Attacks are typically delivered through email, instant messages, or SMS.

Phishing simulation serves a different but equally important purpose: it helps security teams identify how susceptible employees are to real-world attacks, measure the effectiveness of existing email defenses, and build organizational security awareness without the risks of an actual breach.

Why Gophish Is the Go-To Tool for Phishing Simulations

Gophish is a free and open-source phishing framework widely used by penetration testers and red teams. It provides a clean web-based dashboard, campaign management, email template creation, user group targeting, and real-time result tracking. When combined with evilginx2 for session hijacking and Mailgun for reliable email delivery, it forms a powerful and realistic simulation stack.

Tools and Infrastructure Required

Before diving into the setup, gather the following tools and services:

  • AWS EC2 (Ubuntu Server instance)
  • Amazon Route53 (domain registration and DNS management)
  • Gophish (phishing campaign manager)
  • evilginx2 (reverse proxy for credential and session capture)
  • Mailgun (transactional email sending with SMTP support)

Setting Up the AWS EC2 Instance

Your phishing infrastructure needs a reliable, internet-facing server. AWS EC2 provides a cost-effective way to spin up a Linux instance that can host both Gophish and evilginx2.

Launching the Instance

Log into the AWS Management Console and navigate to the EC2 service. Click Launch Instance and select Ubuntu Server (Free Tier eligible). For the instance type, choose t2.micro, which is sufficient for simulations at this scale.

When prompted to configure key pair access, create a new key pair and download the .pem file. This file is your only means of SSH access, so store it securely. Once downloaded, launch the instance.

Configuring the Security Group

Navigate to EC2 Dashboard and select Security Groups under the Network and Security tab. Create a new security group and add the following inbound rules:

  • Port 22 (SSH): for remote terminal access
  • Port 53 (DNS): required for evilginx2 domain resolution
  • Port 80 (HTTP): for redirect handling
  • Port 443 (HTTPS): for TLS-terminated phishing pages
  • Port 3333 (Gophish Dashboard): for accessing the Gophish web interface

Assign this security group to your EC2 instance by right-clicking the instance, navigating to Security, and selecting Change Security Groups. Remove the default group and attach your newly created one.
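Only two of the five ports above need to be reachable from the whole internet (80 and 443, plus 53 if evilginx2 answers DNS for the phishing domain); SSH and the Gophish dashboard are operator-only, which matters even more once config.json later binds the dashboard to 0.0.0.0:3333. The following Python is an added example, not part of this guide or of any AWS tooling: it audits a rule set in the shape of the bullet list above, builds a least-privilege version, and renders it in the IpPermissions JSON that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts. The operator CIDR is a constructed placeholder.

```python
"""Audit and build EC2 security-group inbound rules for the simulation host.

Added example, not from the original guide.  The port list is the guide's;
the operator CIDR below is a constructed placeholder.
"""
import json

# Ports the guide opens.  80/443 serve the proxied pages to anyone; 53 is
# needed only if evilginx2's own nameserver serves the phishing domain.
PUBLIC_PORTS = {53, 80, 443}
# SSH and the Gophish dashboard must never be reachable from everywhere.
ADMIN_PORTS = {22, 3333}

ANYWHERE = "0.0.0.0/0"
OPERATOR_CIDR = "203.0.113.10/32"   # constructed: the tester's egress address


def guide_rules():
    """The guide's five rules as written, every port open to the internet."""
    return [{"port": p, "cidr": ANYWHERE} for p in sorted(PUBLIC_PORTS | ADMIN_PORTS)]


def exposed_admin_ports(rules):
    """Return the admin ports that `rules` (list of {"port", "cidr"}) expose
    to 0.0.0.0/0.  An empty set means the dashboard and SSH are restricted."""
    return {r["port"] for r in rules
            if r["port"] in ADMIN_PORTS and r["cidr"] == ANYWHERE}


def build_rules(operator_cidr):
    """Least-privilege version: public ports to anyone, admin ports to the
    operator's address only."""
    rules = [{"port": p, "cidr": ANYWHERE} for p in sorted(PUBLIC_PORTS)]
    rules += [{"port": p, "cidr": operator_cidr} for p in sorted(ADMIN_PORTS)]
    return rules


def to_ip_permissions(rules):
    """Render rules as the IpPermissions list used by
    `aws ec2 authorize-security-group-ingress --ip-permissions`.
    DNS is emitted for both UDP and TCP; everything else is TCP."""
    perms = []
    for r in rules:
        protos = ("udp", "tcp") if r["port"] == 53 else ("tcp",)
        for proto in protos:
            perms.append({
                "IpProtocol": proto,
                "FromPort": r["port"],
                "ToPort": r["port"],
                "IpRanges": [{"CidrIp": r["cidr"],
                              "Description": "phishing-sim port %d" % r["port"]}],
            })
    return perms


if __name__ == "__main__":
    print("guide rules expose admin ports:", sorted(exposed_admin_ports(guide_rules())))
    hardened = build_rules(OPERATOR_CIDR)
    print("hardened rules expose admin ports:", sorted(exposed_admin_ports(hardened)))
    print(json.dumps(to_ip_permissions(hardened), indent=2))
```

Run it once before attaching the group: if `exposed_admin_ports` returns anything other than an empty set, the dashboard or SSH is reachable from any address on the internet.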

Installing and Configuring Gophish

Connect to your EC2 instance using the AWS web terminal or via SSH using your downloaded key pair. Once inside the terminal, run the following commands to install Gophish from source:

git clone https://github.com/gophish/gophish.git
cd gophish
go build

After a successful build, a binary named gophish will appear in the current directory. Before starting it, update the configuration file to allow external access to the dashboard. Open config.json and, in the admin_server listen_url setting, replace:

127.0.0.1:3333

with:

0.0.0.0:3333

This change allows you to access the Gophish web interface from your browser using the EC2 public IP. Start Gophish with elevated privileges:

sudo ./gophish

The terminal will display a temporary password on first run. Access the dashboard by navigating to:

https://<your-ec2-ip>:3333

Log in using the credentials displayed in the terminal. You will be prompted to set a new password on first login.

Setting Up Mailgun for Email Delivery

Gophish requires an SMTP server to send phishing emails. Mailgun is a developer-focused email service that provides reliable SMTP delivery with robust domain verification support.

Domain Verification and DNS Configuration

Create a Mailgun account and add your phishing domain under Sending, then Domains. Mailgun will provide DNS records that must be added to your domain configuration in Route53. These typically include TXT records for SPF and DKIM authentication.

After adding the records, return to Mailgun and click Verify DNS Settings. A green tick next to each record confirms successful verification. This step is critical because unverified domains will result in email delivery failures or spam classification.
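To see why the SPF record Mailgun asks you to publish decides whether mail lands in the inbox, it helps to evaluate it the way a receiving mail server does. The Python below is an added example, not part of this guide or of Mailgun: it is a deliberately small SPF evaluator over a constructed in-memory DNS table (domain names, the include target, and the IP ranges are all constructed placeholders) that supports ip4/ip6, include and all with the usual qualifiers and enforces the RFC 7208 lookup limit. Real SPF has further mechanisms (a, mx, exists, macros) that are omitted here.

```python
"""Minimal SPF evaluator over a constructed DNS table.

Added example, not from the original guide or from Mailgun.  Records and
addresses are constructed placeholders.
"""
import ipaddress

# Constructed TXT records: the phishing domain delegates to its mail
# provider with include:, the provider lists its sending ranges.
DNS_TXT = {
    "yourdomain.com": "v=spf1 include:mailgun.org ~all",
    "mailgun.org": "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.8/32 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per evaluation


def _result(qualifier):
    return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]


def check_spf(sender_ip, domain, dns=DNS_TXT, _budget=None):
    """Evaluate `domain`'s SPF record for `sender_ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (too many include lookups).  Unknown mechanisms are skipped.
    """
    if _budget is None:
        _budget = [MAX_LOOKUPS]
    record = dns.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # Version mismatch (v6 sender vs ip4 network) simply does not match.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return _result(qualifier)
        elif term.startswith("include:"):
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"
            sub = check_spf(sender_ip, term[len("include:"):], dns, _budget)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":
                return _result(qualifier)
        elif term == "all":
            return _result(qualifier)
    return "neutral"


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.5"):
        print(ip, "->", check_spf(ip, "yourdomain.com"))
```

The first address falls inside the provider's range and passes; the second is not authorized and gets the `~all` softfail from yourdomain.com, which is exactly the signal spam filters use to downgrade an unverified sender.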

Generating SMTP Credentials

Navigate to your domain settings in Mailgun and select SMTP. Click Reset Password to generate new credentials and copy the username and password.

Inside Gophish, go to Sending Profiles and click New Profile. Enter the following:

  • Name: A label for this sending profile (e.g., Mailgun-Primary)
  • From: The sender address (e.g., support@yourdomain.com)
  • Host: smtp.mailgun.org:587
  • Username: Your Mailgun SMTP username
  • Password: Your Mailgun SMTP password

Use the Send Test Email feature to confirm deliverability before running your campaign.

Looking for a team that handles the full engagement end to end? Redfox Cybersecurity delivers comprehensive phishing simulations, social engineering assessments, and red team operations for organizations of all sizes.

Setting Up evilginx2 for Session Hijacking

evilginx2 is a man-in-the-middle attack framework built on a reverse proxy architecture. Unlike traditional phishing pages that simply clone a login form, evilginx2 sits between the victim and the legitimate service. This means it captures not only credentials but also session cookies, effectively bypassing multi-factor authentication (MFA).

This makes evilginx2 particularly relevant for simulating attacks against cloud-first organizations where a valid session token grants access to email, shared drives, VPN configurations, and internal applications.

Installing evilginx2

On your EC2 instance, run the following commands:

git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make

Once compiled, launch evilginx2 from the local directory:

sudo ./bin/evilginx -p ./phishlets/

Configuring Domain and IP

Inside the evilginx2 terminal, configure your phishing domain and EC2 public IP:

config domain yourdomain.com
config ip <EC2-Public-IP>

Configuring DNS A Records in Route53

Navigate to Route53 in the AWS console and create the following A records, all pointing to your EC2 public IP:

  • yourdomain.com
  • *.yourdomain.com (wildcard for subdomains)

Enabling the Office 365 Phishlet

evilginx2 uses phishlets, which are YAML-based configuration files describing how to proxy specific services. To target Microsoft Office 365 authentication:

phishlets hostname o365 login.microsoft.yourdomain.com
phishlets enable o365

Verify the phishlet is active:

phishlets

The output should show o365 listed with its status as enabled.

Creating Lures and Generating Phishing URLs

In evilginx2, a lure is a uniquely identifiable URL that routes a victim through the reverse proxy to the legitimate target site. Create a lure for the o365 phishlet:

lures create o365

This command returns a lure ID (for example, 0). Generate the phishing URL from this lure ID:

lures get-url 0

The output will be a URL similar to:

https://login.microsoft.yourdomain.com/AbCdEfGh

This is the URL you embed in your Gophish email templates. When a victim visits the URL, they are proxied transparently to the real Microsoft login page. Any credentials they enter and session tokens generated are captured by evilginx2.
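From the defender's side, the hostname pattern above (a well-known brand appearing as a subdomain of an unrelated registrable domain, often with a "login" label in front) is a useful mail-gateway and proxy-log signal. The Python below is an added example, not part of this guide or of evilginx2: it scans a list of links for that pattern against a constructed brand table. The registrable-domain rule (last two labels) is a simplification; production code should use the Public Suffix List.

```python
"""Flag brand-on-foreign-domain login URLs in extracted email links.

Added example, not from the original guide or from evilginx2.  The brand
table and the sample links are constructed.
"""
from urllib.parse import urlsplit

# Brand keyword -> registrable domains that may legitimately carry it.
BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "sharepoint": {"sharepoint.com", "microsoft.com"},
}


def registrable_domain(host):
    """Last two labels of the host.  Simplification: ignores multi-label
    public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_reasons(url):
    """Return the list of reasons `url` looks like a brand-impersonating
    login host; an empty list means no finding."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname"]
    reg = registrable_domain(host)
    sub = host[:-len(reg)].rstrip(".") if host.endswith(reg) else ""
    reasons = []
    for brand, legit in BRANDS.items():
        if brand in host and reg not in legit:
            reasons.append("brand '%s' on non-brand domain %s" % (brand, reg))
    if reasons and "login" in sub.split("."):
        reasons.append("login label in front of lookalike host")
    return reasons


def scan_links(urls):
    """Map each suspicious URL to its reasons; clean URLs are omitted."""
    findings = {}
    for u in urls:
        reasons = lookalike_reasons(u)
        if reasons:
            findings[u] = reasons
    return findings


if __name__ == "__main__":
    sample = [  # constructed links as a gateway might extract them
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoft.yourdomain.com/AbCdEfGh",
        "https://contoso.sharepoint.com/sites/finance",
    ]
    for url, why in scan_links(sample).items():
        print(url, "->", "; ".join(why))
```

A hit from `scan_links` is a reason to quarantine or rewrite the link and to review the recipient's subsequent sign-in events, since the proxied page will otherwise collect a valid session.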

Monitoring Captured Credentials and Sessions

As victims interact with the phishing URL, their credentials are logged in evilginx2. View all captured sessions with:

sessions

To inspect a specific session in detail:

sessions <session-id>

Captured session tokens can be imported into a browser using cookie editor extensions to authenticate as the victim without knowing their password, even with MFA enabled.

Running a Gophish Phishing Campaign

With SMTP delivery configured and your evilginx2 lure URL ready, you can now build and launch a phishing campaign through the Gophish dashboard.

Creating Target Groups

Navigate to Users and Groups in Gophish and click New Group. Add the email addresses and names of your target users. In a real engagement, this list comes from your rules of engagement document, provided by the client.

Building the Email Template

Go to Email Templates and click New Template. Craft a believable email that mimics a legitimate internal communication or a widely recognized service notification. Common effective themes include:

  • Password expiry alerts from IT
  • Shared document notifications from OneDrive or SharePoint
  • Multi-factor authentication setup requests
  • Payroll or HR system access confirmations

Insert your evilginx2 lure URL as the link destination in the email body. Use {{.URL}} as the Gophish tracking placeholder to inject the URL dynamically and track clicks separately. Save the template and proceed to campaign setup.

Launching the Campaign

Navigate to Campaigns and click New Campaign. Configure the following fields:

  • Name: A reference label for this campaign run
  • Email Template: Select the template you created
  • Landing Page: Can be left minimal since evilginx2 handles page rendering
  • URL: Your evilginx2 lure URL
  • Launch Date: Set to immediate or schedule for a specific time
  • Sending Profile: Select your Mailgun profile
  • Groups: Select your target user group

Click Launch Campaign. Gophish will begin sending emails. The campaign dashboard provides real-time visibility into email delivery status, open rates, link click rates, and credential submission events.

Analyzing Results and Refining Your Approach

After a campaign concludes, Gophish generates a detailed results report. Correlate this with your evilginx2 session logs to understand:

  • What percentage of recipients opened the email
  • What percentage clicked the phishing link
  • How many submitted credentials
  • Which user roles or departments were most susceptible
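Gophish records one status per target, the furthest stage that target reached, so a recipient who submitted credentials also opened and clicked and must be counted at every earlier stage when you compute the percentages above. The Python below is an added example, not Gophish's own code: it builds the cumulative funnel and a per-department ranking from constructed result records in the shape of the Gophish results export (status strings as Gophish reports them, and the target's position field; both assumed here).

```python
"""Campaign funnel and per-department susceptibility from Gophish results.

Added example, not Gophish's own code.  Records are constructed; the status
strings and the `position` field follow Gophish's result export (assumed).
"""
from collections import Counter, defaultdict

# Furthest-stage statuses in progression order.  Anything else
# (e.g. an error status) counts as not even delivered.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
RANK = {s: i for i, s in enumerate(STAGES)}

# Constructed sample results.
RESULTS = [
    {"email": "a@corp.example", "position": "Finance", "status": "Submitted Data"},
    {"email": "b@corp.example", "position": "Finance", "status": "Clicked Link"},
    {"email": "c@corp.example", "position": "Finance", "status": "Email Sent"},
    {"email": "d@corp.example", "position": "Engineering", "status": "Email Opened"},
    {"email": "e@corp.example", "position": "Engineering", "status": "Email Sent"},
    {"email": "f@corp.example", "position": "HR", "status": "Submitted Data"},
]


def funnel(results):
    """Cumulative counts and percentages per stage: every target whose
    furthest status is at or beyond a stage is counted for that stage."""
    total = len(results)
    out = {}
    for stage, rank in RANK.items():
        n = sum(1 for r in results if RANK.get(r["status"], -1) >= rank)
        out[stage] = (n, round(100 * n / total, 1) if total else 0.0)
    return out


def by_department(results, stage="Submitted Data"):
    """Percentage of each department that reached `stage`, worst first."""
    reached = defaultdict(int)
    seen = Counter()
    for r in results:
        seen[r["position"]] += 1
        if RANK.get(r["status"], -1) >= RANK[stage]:
            reached[r["position"]] += 1
    rates = {d: round(100 * reached[d] / seen[d], 1) for d in seen}
    return sorted(rates.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for stage, (n, pct) in funnel(RESULTS).items():
        print("%-15s %2d  %5.1f%%" % (stage, n, pct))
    for dept, pct in by_department(RESULTS, "Clicked Link"):
        print("%-12s clicked: %5.1f%%" % (dept, pct))
```

Feeding the real export in place of `RESULTS` gives the open, click and submission rates directly, and the department ranking tells you where the follow-up training described later in the guide should go first.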

Most penetration testers run a preliminary test campaign before deploying final payloads. This involves sending a basic test email to a small subset of targets to evaluate whether the email bypasses spam filters and reaches the inbox. If the email is flagged, improve the sending domain's reputation, adjust the email template content, or change the sending profile headers.

Other variables to iterate on include:

  • Sender display name and email address format
  • Subject line phrasing and urgency framing
  • HTML versus plain text email body
  • Link anchor text and placement within the email
  • Sending time and day of week

Turning Simulation Results Into Security Improvements

A phishing simulation is only as valuable as the follow-up actions it drives. Once you have results, work with the client to:

  • Deliver targeted security awareness training to employees who clicked or submitted credentials
  • Review and tune email filtering rules based on what passed through defenses
  • Evaluate whether endpoint security tools detected any post-click activity
  • Recommend MFA solutions resistant to session hijacking, such as FIDO2 hardware keys

Redfox Cybersecurity integrates phishing simulation findings into broader red team reports that provide actionable remediation roadmaps. Contact our team to find out how we can help your organization build a stronger human firewall.

Legal and Ethical Considerations

Phishing simulation must always be conducted under a formal written agreement with the organization being tested. Simulating phishing attacks without explicit authorization is illegal in most jurisdictions. Before any engagement, obtain a signed statement of work and rules of engagement that define the scope, target users, timeline, and notification chain.

Penetration testers must also ensure that captured credentials and session tokens are handled securely, documented properly, and destroyed after the engagement in accordance with the client's data handling policies.

Final Thoughts

Phishing simulation is a critical component of any mature security testing program. By combining Gophish for campaign delivery, evilginx2 for session-level credential capture, Mailgun for reliable SMTP routing, and AWS EC2 for scalable infrastructure, penetration testers can run comprehensive and realistic phishing exercises that expose genuine organizational vulnerabilities.

The techniques covered in this guide mirror those used by real-world threat actors, which is precisely why practicing them in a controlled, authorized environment is so valuable. Each simulation builds organizational resilience, surfaces gaps in email defenses, and drives measurable security improvements.

Redfox Cybersecurity is a global network of expert security consultants combining data-driven, research-based, and manual testing methodologies to deliver robust security solutions. Whether you need a full red team engagement or a targeted phishing assessment, our team is ready to help. Get in touch with Redfox Cybersecurity to scope your next engagement.