Frequently asked questions

Common questions about Phishing Club.

Getting started

What is Phishing Club?

Phishing Club is an open source phishing platform you run on your own infrastructure. It covers phishing simulation, adversary-in-the-middle (AiTM) proxy attacks, remote browser phishing via the Chrome DevTools Protocol (CDP), device code phishing and full campaign management in one platform. It is built for red teams, organizations running security awareness programs and security providers.

How do I install it?

A single binary is available for AMD64 and ARM64 on Linux. The CLI installer sets up the systemd service and automatic TLS per domain. See the install guide for the full walkthrough.

What are the system requirements?

See the requirements section in the user guide. Most setups run fine on a 1 to 2 vCPU VPS with 2 GB RAM. Remote browser phishing runs a server side Chromium instance per session, so concurrent sessions increase CPU and memory use significantly; size the host for the number of sessions you expect to run at once.

Attack techniques

What attack techniques does Phishing Club include?

Four techniques. Phishing simulation sends email campaigns with custom pages and per recipient tracking. AiTM proxy relays the victim's login to the real site and captures credentials, session cookies and tokens as they pass through, which defeats MFA methods that are not phishing resistant (one time codes, push approval) but not FIDO2/WebAuthn credentials bound to the legitimate origin. Remote browser phishing runs Chromium server side over CDP while the victim interacts with a page you design. Device code phishing starts an OAuth device authorization flow (RFC 8628) and captures the access and refresh tokens issued once the victim enters the user code. Each technique works standalone or as part of a campaign.
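The device authorization flow behind that last technique, as an added example rather than Phishing Club's own code: a constructed in-process mock of an RFC 8628 authorization server (the endpoint behaviour follows the RFC; the code formats, verification URI, client ID and token values are assumptions made for the demo) and the operator-side loop that starts the flow, hands the user code to the lure and polls the token endpoint. It shows why the tokens land with whoever started the flow: the token endpoint checks only that the device code has been approved, never who is polling.

```python
"""Constructed model of the OAuth 2.0 device authorization grant (RFC 8628),
showing why the party that starts the flow ends up holding the tokens."""
import itertools

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthServer:
    """Mock authorization server. Not a real identity provider: the code
    formats, URI and token values are assumptions made for this demo."""

    def __init__(self):
        self._ids = itertools.count(1)
        self._device_of = {}  # user_code -> device_code
        self._approved = {}   # device_code -> victim completed the prompt

    def device_authorization(self, client_id, scope):
        """RFC 8628 section 3.2: issue the device_code / user_code pair."""
        n = next(self._ids)
        dc, uc = f"device-{n:04d}", f"ABCD-{n:04d}"
        self._device_of[uc] = dc
        self._approved[dc] = False
        return {"device_code": dc, "user_code": uc,
                "verification_uri": "https://issuer.example/device",
                "expires_in": 900, "interval": 5}

    def approve(self, user_code):
        """The victim opens verification_uri, signs in and types user_code.
        The server never learns who requested the code."""
        dc = self._device_of.get(user_code)
        if dc is None or dc not in self._approved:
            return False
        self._approved[dc] = True
        return True

    def token(self, form):
        """RFC 8628 sections 3.4/3.5: (status, JSON body) for one poll."""
        if form.get("grant_type") != DEVICE_GRANT:
            return 400, {"error": "unsupported_grant_type"}
        dc = form.get("device_code")
        if dc not in self._approved:
            return 400, {"error": "invalid_grant"}  # unknown, expired or already redeemed
        if not self._approved[dc]:
            return 400, {"error": "authorization_pending"}
        del self._approved[dc]  # tokens are issued once per device_code
        return 200, {"access_token": f"at-{dc}", "refresh_token": f"rt-{dc}",
                     "token_type": "Bearer", "expires_in": 3600}


def run_device_flow(server, lure, max_polls=5):
    """Operator side: start the flow, put the codes in the lure, poll.
    Returns the token response, or None if the victim never approved.
    A real client sleeps `interval` seconds between polls and backs off on
    slow_down; the sleep is left out so the demo runs instantly."""
    dev = server.device_authorization("demo-client", "openid offline_access")
    lure(dev)  # in a campaign: the email carrying verification_uri and user_code
    for _ in range(max_polls):
        status, body = server.token({"grant_type": DEVICE_GRANT,
                                     "device_code": dev["device_code"],
                                     "client_id": "demo-client"})
        if status == 200:
            return body
        if body["error"] not in ("authorization_pending", "slow_down"):
            raise RuntimeError(f"token endpoint: {body['error']}")
    return None


if __name__ == "__main__":
    srv = AuthServer()
    print(run_device_flow(srv, lambda d: srv.approve(d["user_code"])))
```

The lure callback stands in for delivery: in the demo it approves the code immediately, while a campaign would send the verification URI and user code to the recipient and keep polling until they act or the code expires. Note that the refresh token is issued to the polling client with no browser session involved, which is what makes the captured tokens useful after the lure page is gone.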

Where can I find ready made proxy configs or remote browser scripts for Microsoft 365, Google and similar services?

Phishing Club does not ship with ready-made configurations for specific targets like Microsoft 365 or Google. It is a framework and you bring your own. The proxy guide and remote browser guide walk you through building them from scratch.

Delivery and infrastructure

What delivery methods are available?

SMTP for standard mail delivery. API delivery for any custom HTTP endpoint with configurable method, headers, payload and response validation. Manual delivery where you copy or print per recipient links for physical or in-person simulations. OAuth providers can be attached to API senders for delivery via Microsoft Graph API or similar services.

Where is data stored?

All data is stored on your own infrastructure in a SQLite database. Assets, attachments and certificates are stored as files on disk. There are no external calls, telemetry or SaaS dependencies.

Are there any outbound connections?

The only outbound connection is to GitHub to check for new releases. This can be disabled for offline or sensitive deployments; for those, also block the traffic with an egress rule so the policy does not depend on the setting alone.

Can I run multiple domains?

Yes. Each domain gets automatic TLS via Let's Encrypt or a self signed certificate; self signed certificates produce browser warnings, so use Let's Encrypt for any domain recipients will open. Proxy configurations provision and manage their own domains automatically.

Multitenancy and MSSPs

Can I manage multiple client companies?

Yes. Multiple companies per instance with per-company data separation. Company data, recipients and campaigns are scoped to each company. Shared templates and assets are available across companies. Per company export and a whitebox mode for less technical operators are included.

Can security providers deliver phishing services to clients?

Yes. Multitenancy and data isolation make Phishing Club suited for MSSPs and red team providers running campaigns for multiple clients from a single instance. The AGPL v3 license allows commercial use without licensing fees.

Security and admin

What security features does the admin panel have?

TOTP two factor authentication, Microsoft Entra ID SSO, an IP allowlist for admin access, IP bound sessions and strict SameSite cookie enforcement.
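How three of those protections fit together, as an added generic example rather than Phishing Club's implementation: an allowlist of admin CIDRs, a session store that records the client address each session was issued to and rejects the cookie from any other address, and a session cookie set Secure, HttpOnly and SameSite=Strict. The cookie name, path, allowlist ranges, addresses and the revoke-on-replay policy are assumptions made for the demo; TOTP and SSO are assumed to have passed before login() is called.

```python
"""Constructed, generic model of admin-panel session hardening: CIDR allowlist,
sessions bound to the client IP, and a Secure/HttpOnly/SameSite=Strict cookie.
Example code, not Phishing Club's implementation."""
import ipaddress
import secrets
from http.cookies import SimpleCookie


class AdminGuard:
    COOKIE = "admin_session"  # cookie name is an assumption for the demo

    def __init__(self, allow_cidrs):
        self.allow = [ipaddress.ip_network(c) for c in allow_cidrs]
        self.sessions = {}  # session id -> client IP it was issued to

    def ip_allowed(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in self.allow)

    def login(self, ip):
        """Issue a session for a caller that already passed TOTP or SSO.
        Returns the Set-Cookie header value the login response carries."""
        sid = secrets.token_hex(32)
        self.sessions[sid] = ip
        return f"{self.COOKIE}={sid}; Path=/admin; Secure; HttpOnly; SameSite=Strict"

    def authorize(self, ip, cookie_header):
        """Check one admin request. Returns (status, reason); 200 means allowed.
        `ip` must be the socket peer address, not X-Forwarded-For, unless a
        reverse proxy you control is the one setting that header."""
        if not self.ip_allowed(ip):
            return 403, "client address outside admin allowlist"
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        if self.COOKIE not in jar:
            return 401, "no session cookie"
        sid = jar[self.COOKIE].value
        bound = self.sessions.get(sid)
        if bound is None:
            return 401, "unknown or revoked session"
        if bound != ip:
            # A cookie presented from another address is treated as stolen:
            # reject it and revoke the session for the original holder as well.
            del self.sessions[sid]
            return 401, "session bound to another address, revoked"
        return 200, "ok"


def scenario():
    """Scripted walk-through returning the status of each step (demo addresses)."""
    g = AdminGuard(["10.0.0.0/8", "203.0.113.0/24"])
    set_cookie = g.login("10.1.2.3")
    cookie = set_cookie.split(";", 1)[0]  # what the browser sends back: name=value
    return {
        "same address": g.authorize("10.1.2.3", cookie)[0],
        "replay from other address": g.authorize("10.9.9.9", cookie)[0],
        "original holder after replay": g.authorize("10.1.2.3", cookie)[0],
        "outside allowlist": g.authorize("192.0.2.7", cookie)[0],
        "no cookie": g.authorize("10.1.2.3", "")[0],
    }


if __name__ == "__main__":
    for step, status in scenario().items():
        print(f"{status} {step}")
```

The allowlist is checked before the cookie so an attacker outside it learns nothing about session validity, and a cookie replayed from a second address revokes the session rather than just failing, which turns a cookie theft into a visible logout for the legitimate operator. SameSite=Strict keeps the browser from attaching the cookie to cross-site requests at all, which matters on a host that also serves phishing pages to third parties.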

Licensing and support

What license does Phishing Club use?

AGPL v3. You can use, run and modify it freely. If you modify Phishing Club and run the modified version as a service, AGPL requires you to make your modifications available to users interacting with it over the network. Running it unmodified, or building a separate application that communicates with it over HTTP, does not trigger that requirement. A commercial license is available if you need to modify the source and keep those changes private.

Can I use it commercially?

Yes. The AGPL v3 license allows commercial use. Security providers and MSSPs can run it for clients without licensing fees. The commercial license is needed if you modify Phishing Club's source code and want to keep those modifications private.

Where can I get support?

Community support via Discord and GitHub issues. For commercial support contact hello@phishing.club.