What are you trying to do?

When I talk to people about Phishing Club, I want to find out what their objective is: are they using it for phishing simulation (white box phishing), internally or for clients? Or are they looking to use it as part of their red team engagements (black box phishing)? Sometimes it is both! However, people new to phishing often try to aim for the middle, and that is a place where the campaign tends to miss the target completely unless it is tied to a very specific goal and test, which it rarely is.

White Box Phishing: "Phishing Simulation"

This is what most people think of when they hear "phishing simulation". It is what all phishing SaaS providers (KnowBe4 etc.) offer: a platform which sends out phishing emails, very often to large groups of users, and then uses the results for different purposes such as compliance, training, awareness and so on. Everything is allowlisted and set up to bypass your actual defenses (except the humans).

Key Characteristics

  • Allowlisted infrastructure: Emails and domains are pre-approved to bypass security controls
  • Broad targeting: Often sent to all employees or large organizational groups
  • Immediate feedback: Users are typically informed they have been "phished" immediately after falling for the simulation
  • Long-lasting infrastructure: Domains and infrastructure can be reused across many campaigns

Primary Use Cases

White box phishing simulations are most often used for:

  • Awareness training effectiveness: Tracking whether security awareness programs are improving user behavior
  • Risk demonstration: Showing leadership the potential human attack surface within the organization
  • Report training: Teaching users to identify and report suspicious communications
  • Compliance requirements: Phishing simulation is often seen as part of awareness training

Black Box Phishing: "Red Team Phishing"

Black box phishing takes the same approach as real phishing. It seeks to bypass all security controls and compromise the account by getting credentials, intercepting sessions, delivering malware or for other nefarious purposes. No allowlisting, no special treatment. You have to get past the same email filters, detection systems, and security controls that real attackers face. None of the SaaS platforms can do this - it is way outside what they are willing or able to provide.

Key Characteristics

  • No allowlisting: Must bypass all security controls just like real attackers
  • Realistic attacks: Uses the same techniques as actual threat actors
  • Targeted approach: Often focuses on specific high-value targets or small groups
  • Covert operations: Victims are not informed immediately that they have been compromised
  • Advanced techniques: May include reverse proxy attacks, downgrade attacks and so on to bypass MFA or other advanced security measures
  • OpSec and disposable infrastructure: Risk of domains and infrastructure getting shut down due to violation of terms of use

Primary Use Cases

Black box phishing is most often used for:

  • Red team operations: For gaining initial access
  • Risk assessment: Understanding what attackers can actually achieve in your environment
  • Security control validation: Testing whether email security, user training, and incident response are working together
  • Threat actor simulation: Replicating specific attack patterns relevant to your industry or threat model

What about grey box phishing?

I mostly see grey box phishing performed as a failed or suboptimal simulation. A typical scenario is where the phisher/company wants to see how their employees react to phishing emails (white box) and at the same time tries to circumvent email security controls (black box), which most often results in a badly designed and executed campaign. Often the delivery gets wrecked because of the high number of recipients, the contents of the email or the noise it generates. It fails both at testing the security controls in a realistic way and at providing the organization with useful data about how employees react.

The issue is that these two goals fundamentally conflict with each other. If you want to test user behavior across a large group, you need predictable delivery - which means allowlisting your infrastructure. But if you want to test email security controls, you need to operate like a real attacker without any special treatment, and as quietly as possible.

Despite this, there are still good reasons for, and well-executed tests that require, a mixed approach. But a mixed approach deserves careful consideration of what you are trying to achieve and whether it is really required.