Frequently asked questions
Common questions about Phishing Club.
What is Phishing Club?
Phishing Club is an open source phishing platform you run on your own infrastructure. It covers simulation, AiTM proxy attacks, remote browser phishing via CDP, device code phishing and full campaign management in one platform. Built for red teams, organizations running security awareness programs and security providers.
How do I install it?
A single binary is available for AMD64 and ARM64 on Linux. The CLI installer sets up the systemd service and automatic TLS per domain. See the install guide for the full walkthrough.
What are the system requirements?
See the requirements section in the user guide. Most setups run fine on a 1 to 2 vCPU VPS with 2 GB RAM. Running concurrent remote browser sessions increases resource use significantly.
What attack techniques does Phishing Club include?
Four techniques. Phishing simulation sends email campaigns with custom pages and per recipient tracking. AiTM proxy captures credentials, session cookies and tokens and bypasses MFA. Remote browser phishing runs Chromium server side over CDP while the victim interacts with a page you design. Device code phishing captures OAuth access and refresh tokens. Each technique works standalone or as part of a campaign.
Where can I find ready made proxy configs or remote browser scripts for Microsoft 365, Google and similar services?
Phishing Club does not ship with ready-made configurations for specific targets like Microsoft 365 or Google. It is a framework and you bring your own. The proxy guide and remote browser guide walk you through building them from scratch.
What delivery methods are available?
SMTP for standard mail delivery. API delivery for any custom HTTP endpoint with configurable method, headers, payload and response validation. Manual delivery where you copy or print per recipient links for physical or in-person simulations. OAuth providers can be attached to API senders for delivery via Microsoft Graph API or similar services.
Where is data stored?
All data is stored on your own infrastructure in a SQLite database. Assets, attachments and certificates are stored as files on disk. There are no external calls, telemetry or SaaS dependencies.
Are there any outbound connections?
The only outbound connection is to GitHub to check for new releases. This can be disabled for offline or sensitive deployments.
Can I run multiple domains?
Yes. Each domain gets automatic TLS via Let's Encrypt or a self signed certificate. Proxy configurations provision and manage their own domains automatically.
Can I manage multiple client companies?
Yes. Multiple companies per instance with full data isolation. Company data, recipients and campaigns are isolated from each other. Shared templates and assets are available across companies. Per company export and a whitebox mode for less technical operators are included.
Can security providers deliver phishing services to clients?
Yes. Multitenancy and data isolation make Phishing Club suited for MSSPs and red team providers running campaigns for multiple clients from a single instance. The AGPL v3 license allows commercial use without licensing fees.
What security features does the admin panel have?
TOTP two factor authentication, Microsoft Entra ID SSO, IP allowlist for admin access, IP bound sessions and strict same site cookie enforcement.
OPSEC and external connectivity concerns?
The only outbound connection Phishing Club makes is to check for new releases on GitHub. This can be configured or disabled for sensitive environments or offline deployments.
What license does Phishing Club use?
AGPL v3. Use, run and modify it freely as long as you publish your modifications under the same license. A commercial license is available for organizations that need to modify the source without publishing their changes.
Can I use it commercially?
Yes. The AGPL v3 license allows commercial use. Security providers and MSSPs can run it for clients without licensing fees. The commercial license is only needed if you want to modify the source code and keep those changes private.
Where can I get support?
Community support via Discord and GitHub issues. For commercial support contact [email protected].