My Journey with Gophish

During the last five years, Gophish has been my trusted companion in executing hundreds of phishing campaigns. It's an excellent open-source tool, and I deeply appreciate its simplicity and approachable codebase.

I regularly used Gophish to conduct custom phishing simulations for clients and in red team operations. Managing a long-running instance with multiple clients, dealing with privacy requirements, and the need for enterprise features showed us where the platform's limitations were. After searching for alternatives that offered the features I needed, I realized that my ideal solution didn't exist. This led me and my co-founder to build our own platform from the ground up.

In this blog post, I will explain some of the missing features and limitations in Gophish that we have addressed in Phishing Club.

Key Limitations Addressed

Multi-client handling

Gophish is not built to handle multiple clients on the same instance. It can be done, but the dashboard statistics become unusable, and there is an increased risk of accidentally sending the wrong content to the wrong recipients. An alternative would be to run one instance per client; however, this is cumbersome both when reusing material across multiple clients and for maintenance.

When building Phishing Club, a core design goal was the ability to use it as an MSP/MSSP by providing both shared and individual company views. The shared view is for resources that can be used in all company views, such as templates and recipients (e.g., test/QA recipients). The company view provides isolated management for that company with custom-tailored templates, recipients, and statistics.

Login Features and Security

One of the limitations I encountered with Gophish was the lack of basic login features. We added MFA, Entra ID single sign-on, IP allowlisting at the application level, and throttling to slow down brute force attacks.

I really cannot recommend enough that the administrative dashboard and API of your phishing solution be isolated, firewalled, and only reachable in-house or over VPN.

Delivery Options

Gophish offers only a simple start and end time and then sends in the order the recipients were first imported, which is often from A to Z. While this is adequate for a one-off campaign, when continuously delivering phishing campaigns it becomes obvious that a phishing simulation is unfolding. Most cloud SaaS phishing simulations also offer the ability to send only on specific days and within specific hours, such as during work hours. In Phishing Club, we implemented three types of delivery scheduling to handle a multitude of delivery cases, along with an option to specify whether the order is random or set by a recipient field like position or department.

Privacy and Compliance

Compliance and privacy are very important. While doing some cleanup in a Gophish database, I noticed that recipients are orphaned and never cleaned up. As recipients are organized into groups, deleting a group removes neither the recipient nor their results in campaigns. From a company or security provider perspective, this is critical, as they could be storing information about former employees long after they have left the company, without any way to know about it or do anything about it short of laborious work in a production database.

Campaign Lifetimes

To improve campaign lifetime management, we added the ability to set a close and/or anonymization date when creating a campaign. This way, it no longer requires manual actions to clean up campaigns, and the full lifecycle can be set at once.
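The orphaned-recipient problem described above and the anonymization step just mentioned, as an added example that is not Gophish's or Phishing Club's code: a constructed, simplified approximation of Gophish's targets, group_targets and results tables (an assumption, not the real schema) is seeded in SQLite, a group is deleted the way the post describes, and the orphaned recipients are then found, their results anonymized while keeping the status column for statistics, and the target rows removed.

```python
import sqlite3

# Constructed, simplified approximation of the Gophish tables involved (an assumption).
SCHEMA = """
CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE targets (id INTEGER PRIMARY KEY, email TEXT, first_name TEXT, last_name TEXT, position TEXT);
CREATE TABLE group_targets (group_id INTEGER, target_id INTEGER);
CREATE TABLE results (id INTEGER PRIMARY KEY, campaign_id INTEGER, email TEXT, first_name TEXT,
                      last_name TEXT, position TEXT, status TEXT, ip TEXT);
"""
def seed(conn):
    """Constructed sample data: two groups, one recipient (alice) shared by both."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO groups VALUES (?, ?)", [(1, "finance"), (2, "qa")])
    conn.executemany("INSERT INTO targets VALUES (?, ?, ?, ?, ?)", [
        (1, "alice@example.com", "Alice", "A", "Controller"),
        (2, "bob@example.com", "Bob", "B", "Analyst"),
        (3, "qa@example.com", "QA", "Tester", "QA")])
    conn.executemany("INSERT INTO group_targets VALUES (?, ?)", [(1, 1), (1, 2), (2, 1), (2, 3)])
    conn.executemany("INSERT INTO results VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [
        (1, 10, "alice@example.com", "Alice", "A", "Controller", "Clicked Link", "203.0.113.5"),
        (2, 10, "bob@example.com", "Bob", "B", "Analyst", "Email Sent", "")])

def delete_group(conn, group_id):
    """Delete a group as the post describes Gophish doing it: membership rows go, targets and results stay."""
    conn.execute("DELETE FROM group_targets WHERE group_id = ?", (group_id,))
    conn.execute("DELETE FROM groups WHERE id = ?", (group_id,))

def orphaned_targets(conn):
    """Recipients no longer referenced by any group."""
    return conn.execute("""SELECT t.id, t.email FROM targets t
        LEFT JOIN group_targets gt ON gt.target_id = t.id
        WHERE gt.target_id IS NULL ORDER BY t.id""").fetchall()

def purge_orphans(conn):
    """Anonymize the orphans' results (keep status for statistics, drop identity and IP), then delete them."""
    orphans = orphaned_targets(conn)
    for tid, email in orphans:
        conn.execute("""UPDATE results SET email = 'anon-' || id || '@invalid',
            first_name = '', last_name = '', position = '', ip = '' WHERE email = ?""", (email,))
        conn.execute("DELETE FROM targets WHERE id = ?", (tid,))
    conn.commit()
    return len(orphans)

def run_cleanup():
    """Play the scenario on an in-memory database and return what happened."""
    conn = sqlite3.connect(":memory:")
    seed(conn)
    delete_group(conn, 1)   # finance deleted: bob is orphaned, alice survives via qa
    before = orphaned_targets(conn)
    purged = purge_orphans(conn)
    return before, purged, conn.execute("SELECT email, status FROM results ORDER BY id").fetchall()
```

Against a real Gophish database, back up first and confirm the column names against the installed version before running anything like purge_orphans.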

Insights and Analytics

To gain more insight into each company and recipient, we added a campaign dashboard that gives a high-level overview of upcoming campaigns along with statistics. We added a recipient page with statistics and information such as events related to a single user. We also added repeat offender statistics.

Multiple Domains with Automatic TLS

The first thing I implemented in Gophish was the ability to handle multiple domains via an API integration with Caddy. Being able to manage domains directly in Gophish was a huge upgrade. We created this feature natively in Phishing Club, so domain management is baked in without requiring a proxy such as Caddy, and we also made it possible to host a website at the domain, which can help in creating more believable phishing setups.

Multi-stage Phishing Scenarios

In most phishing software, you set a landing page - the website that is visited when a victim clicks the link. For Phishing Club, we wanted to allow up to three pages to be linked together, as this would allow us to create better campaigns and more easily reuse pages across different campaigns. In terms of red team operations, it also made it easy to create an onboarding landing page that could contain various bot checks before funneling the user to the right phishing page.

Asset handling

Managing campaign assets through SSH or FTP became cumbersome over time. In Phishing Club, we simplified this by adding direct asset management through the web interface - allowing you to upload and delete assets for emails, websites, and landing pages with ease.

Goodbye and Thanks for All the Phish

If you're looking for a professional-grade self-hosted phishing simulation platform that addresses the limitations of Gophish and offers a comprehensive suite of features, we invite you to explore Phishing Club.