Phishious: open-source Secure Email Gateway evaluation toolkit designed for red-teamers
What is Phishious?
Phishious is an open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers and developed by the team at https://caniphish.com. Phishious provides the ability to see how various Secure Email Gateway technologies behave when presented with phishing material.
📬 Secure Email Gateways Supported
🧐 Why use Phishious?
We’re not joking when we say that Phishious is a world first in Secure Email Gateway evaluation. There is currently no other tool available (free or paid) that gives you the ability to scan your phish against an array of Secure Email Gateways. The closest utility is VirusTotal; however, it focuses specifically on malware detection, not spam or phish detection.
Through the use of Phishious, you’ll be able to freely test your phishing material against the world’s most popular Secure Email Gateways. This is an invaluable capability, as it gives you an indication of how successful your phishing campaign may be.
🔩 How does Phishious work?
Phishious exploits a common misconfiguration where many organisations broadcast overly sensitive information in email bounce responses and non-delivery reports. The sensitive information typically comes in the form of original untampered inbound message headers.
By feeding this information into Phishious, it can extract the relevant details and detect when an email is likely to end up in a target’s junk folder or be completely blocked by the SEG. When we scale this across many targets, we’re able to aggregate the results into a holistic view of how various SEGs behave when presented with certain phishing material.
To better understand email bounce attacks and the resulting issues, please read the following blog post, watch this BSides Canberra presentation or watch the introduction video below on YouTube.
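To check whether your own organisation's bounces have the misconfiguration described above, the following added example (not part of Phishious or the original page) parses a non-delivery report and lists any filter-verdict headers from the original message that it carries back to the sender. The prefix list, the function names and the sample bounce are assumptions constructed for illustration.

```python
import email

# Assumed, illustrative prefixes of headers that mail filters stamp with their
# verdicts (not Phishious's own list); extend with what your SEG adds.
SENSITIVE_PREFIXES = ("x-spam-", "x-ms-exchange-organization-",
                      "x-forefront-antispam", "authentication-results", "received-spf")

def embedded_headers(ndr):
    """Yield (name, value) for original-message headers carried in an NDR."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():  # full original attached
            yield from part.get_payload(0).items()
        elif ctype == "text/rfc822-headers":                   # headers-only copy
            raw = part.get_payload(decode=True) or b""
            yield from email.message_from_bytes(raw).items()

def leaked_filter_headers(raw_ndr: bytes) -> list:
    """Return sorted names of verdict-bearing headers exposed by the bounce."""
    ndr = email.message_from_bytes(raw_ndr)
    return sorted({name for name, _ in embedded_headers(ndr)
                   if name.lower().startswith(SENSITIVE_PREFIXES)})

# Constructed sample bounce from a hypothetical example.com gateway.
SAMPLE_NDR = b"""\
From: MAILER-DAEMON@example.com
Subject: Undeliverable: hello
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@example.com failed.
--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.com
Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from out.example.net by mx.example.com
X-Spam-Status: No, score=1.2
Authentication-Results: mx.example.com; spf=pass
Subject: hello
--b1--
"""
```

A non-empty result from `leaked_filter_headers` on a bounce your gateway sent to an external address means the NDR template should be changed to omit or strip the original headers.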
Install & Use
Copyright (c) 2021 – 2021 CanIPhish Pty Ltd