A red team phishing engagement is fundamentally different from a regular phishing simulation. It is not about click statistics across many employees, but about a single question: can a motivated attacker gain access to your systems through phishing?
How We Operate
We target a small number of carefully selected individuals. There is no whitelisting on the mail gateway and no advance notice to the targets. Conditions mirror a real attack.
- Research via social media and public sources to prepare scenarios
- Initial contact through a plausible pretext to gather information
- Setup of dedicated mailer infrastructure with our own mail server for reliable delivery
- Professional phishing pages protected with Cloudflare Turnstile to block automated scanners
- Session token capture for Microsoft 365 with Evilginx Professional (an adversary-in-the-middle proxy that relays the real login, including the MFA step, and captures the resulting session) – currently the most effective method for bypassing multi-factor authentication
Why This Matters
Regular phishing campaigns are mostly automated and whitelisted on the mail gateway. They measure how many employees react to standardized scenarios. This has value, but it does not show what a targeted attacker can achieve.
Experience from our engagements shows a credential capture rate of approximately 10% for targeted attacks. In other words: for every 10 emails sent, one successful credential capture is expected on average. In an organization with hundreds of employees, a single compromised account is sufficient.
Result
You receive a detailed report covering the course of each attack scenario, the results achieved, and concrete recommendations for improvement. The report shows where your defenses hold and where gaps exist.
Contact us for an initial consultation.