Settings

Profile

The profile page handles username, password, MFA and API key management.

Phishing Club - Profile
User profile management page
User Profile Management Options
Section Description
Account Details Modify username and display name
Password Security Update account password - this invalidates active sessions
Multi-Factor Authentication Enable TOTP authenticators. Recommended for all accounts
API Access Management Configure API tokens for programmatic access

Multi-Factor Authentication

Setup multi-factor for the account by clicking Setup MFA

Multi factor authentication applies to password login. An account that signs in only through SSO has no password, and any multi factor requirement is enforced by the identity provider.

Phishing Club - Multifactor
Multi-factor authentication setup interface

Complete the setup by scanning the QR code with your authenticator app (such as Google Authenticator, Authy, or Microsoft Authenticator) and then enter the generated verification code.

Important: After setup, you will receive backup recovery codes. Store these codes securely as they provide account access if your authenticator device becomes unavailable.

Should administrative access be lost, it can be recovered in the CLI by running -recover

API Key

Phishing Club - API Key
API key generation modal

Accessing the API using the key can be done by adding a X-API header with the API key as the value.

Note: The API is undocumented at the moment.

Sessions

Session management shows all active login sessions for your account. Each login creates a unique session that maintains your authentication state. This page enables monitoring of concurrent access, identification of unauthorized sessions, and session invalidation.

Phishing Club - Sessions
Active sessions overview
Session Information Display
Field Description
IP Address Source IP address associated with the session
Current Session Indicator Indicator showing which session corresponds to your current browser session

Users

Create, modify and delete administrative users. Use different accounts to help with audit logging and handling multiple API keys.

Phishing Club - Users
User administration page

Force immediate logout for specific users by utilizing the Delete all sessions function, which invalidates all active sessions.

Create user

Phishing Club - Create user
User creation page
User Account Configuration
Field Description and Requirements
Display Name Name for user identification in interfaces, reports, and audit logs
Email Address Email address for user identification, notifications, and password recovery
Username Login identifier for authentication. Should follow organizational naming conventions
Initial Password Randomly generated password for initial account access. Users should change this upon first login

Companies

Phishing Club supports handling multiple different companies within the same instance. This means that all views such as the dashboard, emails and etc. are affected by if you are viewing it in the Shared View or in a Company View.

Using this feature helps with analytics that match the company, and segregates company data so it is less likely to that you send company 1 campaign to company 2. All resources that are created in the Shared View is available inside all Company Views. This makes it an ideal space to generic campaign templates and etc. that can be reused for all companies or create a test recipient group.

Phishing Club - Companies
Multi-tenant organization administration

Data Export

Export organizational data for backup, compliance, or migration purposes. Use Export Shared to download all global and shared resources that are available across multiple organizations within your instance.

Phishing Club - Export company action
Organization data export options

Access organization-specific data exports through the Actions menu for individual companies, enabling data extraction while maintaining data isolation and privacy controls.

Create company

Phishing Club - Create company
Create company modal
Organization Configuration
Field Description and Usage
Organization Name Identifier for the client organization, used for data isolation, reporting, and administration within the multi-tenant environment

Switch company

Navigate between different companies is done by using the Change Company button in the header.

Phishing Club - Switch company button
Switch company button
Phishing Club - Switch company modal
Switch company modal

The currently active company context is displayed in the top navigation menu, showing which company data and campaigns you are currently managing:

Phishing Club - Current company
Current organization context indicator

Settings

The system settings provide control over platform-wide configuration.

Phishing Club - Settings
System settings page
System Configuration Categories
Category Configuration Options and Impact
Single Sign-On Integration Configure SSO authentication with Microsoft 365
General System Settings Configure upload limits and repeat offender thresholds
System Logging Adjust logging verbosity levels for troubleshooting, performance monitoring, and technical support
Data Import/Export Manage data operations including imports. The import format is the export format of Templates project
Display Mode Change if you want to use Phishing Club in Whitebox or Blackbox mode.
Whitebox mode shows fewer menus and options.
Backup Create an backup or download a backup.
Obfuscation template Lets you change how Obfuscated landing pages are generated. The output is already obfuscated when the option is enabled on a campaign, however this lets you wrap and customize it.
PDF Reports Enable or disable campaign PDF report generation. Disabled by default — requires Chromium and system dependencies.
Report Template Edit the HTML template used when generating campaign PDF reports.
Browser Cache Wipe the cached Chromium binary used for PDF generation and remote browser sessions.

PDF Reports

PDF report generation is disabled by default. It runs a headless Chromium process on the server to render the HTML report template to PDF.

Automated delivery

Reports can be emailed automatically when a campaign finishes. Set up a report delivery under Settings, Reports with a recipient group, the sending SMTP configuration, and the report email subject and body. This is the global default, and a company can override it with its own report configuration. You can also send a report on demand from a campaign.

System dependencies

The Chromium binary requires shared system libraries that may not be present on minimal server installs. On Debian/Ubuntu install them with:

apt-get install -y \
  libnss3 libatk1.0-0 libatk-bridge2.0-0 libcups2 \
  libdrm2 libxkbcommon0 libxcomposite1 libxdamage1 \
  libxfixes3 libxrandr2 libgbm1 libasound2

AppArmor

On systems where AppArmor restricts unprivileged user namespaces, Chromium cannot create the namespaces it needs for its internal sandbox. To lift the restriction persistently, create /etc/sysctl.d/99-chrome-sandbox.conf containing:

kernel.apparmor_restrict_unprivileged_userns=0

Then apply it:

sysctl --system

Chromium binary

If no system binary is configured, one is downloaded automatically on first use. The first report generation will take longer while the download completes.

Report Template

The report template controls the appearance of campaign PDF reports. A default template is included. Click Edit Template to open the HTML editor and customize it.

The template uses Go template syntax with access to all campaign statistics and recipient data. See Campaigns: Report for the full list of available variables.

Each company can have its own report template. Configure it from the company Actions menu. When a company has no template, the global one is used as a fallback.

Note: The report template section is only visible in the global context. Switch out of a company context to access it.

Browser Cache

Phishing Club downloads and caches a Chromium binary for PDF report generation and remote browser sessions. Click Wipe Browser Cache to delete the cached binary. The next PDF generation or remote browser session will download a fresh copy.

Import

The import system enables import of assets, landing pages, email templates, and other resources.

Download a example import file to understand the required structure: Phishing Club Import Example.zip

Import Process

Data import steps:
  1. File Upload: Select and upload your structured .zip file using the import form interface
  2. Context Selection: Choose whether to import data into the current organization context or apply globally across all organizations

Template Configuration File

Each template directory requires a data.yaml configuration file that defines the template structure, content relationships, and metadata for import processing:

name: "Professional Template Name"
pages:
  - name: "Landing Page Name"
    file: "pages/landing.html"
emails:
  - name: "Email Template Name"
    file: "emails/template.html"
    envelope from: "noreply@example.com"
    from: "Display Name <noreply@example.com>"
    subject: "Compelling Email Subject Line"

Import Results Summary

Upon completion, the system provides an import summary detailing:

  • Created Items: New resources successfully added to the platform
  • Updated Items: Existing resources modified with new content or settings
  • Skipped Items: Unchanged resources that already exist in the current state
  • Error Reports: Information about any processing failures or validation issues

Single Sign-On

Phishing Club - Single Sign-On
Single Sign-On configuration interface for Microsoft Azure integration

Configure Single Sign-On integration with Microsoft Azure Active Directory to streamline user authentication and leverage existing organizational identity management infrastructure.

User Provisioning

Important: SSO never creates new accounts. A user can only sign in with SSO if an administrator has already created that user in Phishing Club with the same email address the identity provider reports. If the email does not match an existing user, the login is rejected. To grant someone access, create the user first, then have them sign in with SSO.

Login Methods

When a user signs in through SSO, Phishing Club matches them to an existing account by email and records the identity provider's subject id for reference.

Whether password login is available is controlled by the Exclusive SSO login setting, not by whether a user has used SSO:

  • Exclusive SSO off - an account signs in with whichever method it has set up. A user with both a password and SSO can use either.
  • Exclusive SSO on - password login is disabled for everyone while SSO is active, so SSO is the only way in until exclusive login is turned off again.

A user can still change their password from the profile page while SSO is linked. Changing the password and being allowed to sign in with it are independent, the latter is governed by the exclusive setting.

Accounts upgraded from older versions: earlier versions removed the password the first time an account signed in via SSO. Those accounts have no password and remain SSO only. To give such an account a password again, an administrator with server access runs the account recovery command, which sets a new password and clears the SSO link.

Security Boundary

Access is controlled inside Phishing Club: only users an administrator has already created can sign in, so an unknown account in your directory cannot authenticate or gain access. For accounts that sign in through SSO, the strength of that sign in is managed at the identity provider. As defense in depth we recommend you also restrict the application at the provider, for Entra ID:

  • In Azure Enterprise App settings, set "Assignment required" to Yes under Properties
  • Add specific users or groups under the "Users and groups" tab
  • Configure conditional access policies and MFA requirements in Azure AD

Azure Application Registration

Begin SSO configuration by registering a new application in your Microsoft Azure portal to establish the authentication relationship between Phishing Club and your organization's identity provider.

Phishing Club - SSO - Azure app registration
Azure application registration interface

Configure the Redirect URI field with your Phishing Club instance URL: your-domain.tld/api/v1/sso/entra-id/auth. This URL can be copied from the SSO setup modal.

Extract the authentication identifiers from Azure and input them into Phishing Club:

  • Copy the Application (client) ID and paste into the Client ID field
  • Copy the Directory (tenant) ID and paste into the Tenant ID field
Phishing Club - SSO - Azure app client and tenant id
Azure application overview showing client and tenant identification

Create authentication credentials by clicking Add a certificate or secret to generate the authentication token required for API communication between systems.

Phishing Club - SSO - Azure app registration
Azure certificates and secrets interface

Generate a new client secret and copy the displayed Value into the Secret field in Phishing Club. Important: This value is only displayed once and cannot be retrieved later.

Phishing Club - SSO - Azure app registration
Azure client secret configuration

Complete the SSO configuration by clicking Enable SSO to activate authentication integration. Users will now be able to authenticate using their organizational Microsoft 365 credentials to access Phishing Club.

Generic OpenID Connect

Besides Microsoft Entra ID you can connect any standard OpenID Connect provider, such as Keycloak, by choosing Generic OpenID Connect as the provider in the SSO configuration. Instead of a tenant you supply the provider's Issuer URL, and Phishing Club discovers the rest of the endpoints automatically. The fields are:

  • Issuer URL - the base URL of the provider, for example a Keycloak realm
  • Client ID and Client Secret from the client you register at the provider. The secret is optional, a public client without a secret works because PKCE is always used
  • Redirect URL - copy it from the form, it ends in /api/v1/sso/oidc/auth
  • Scopes - defaults to openid profile email
  • ACR Values - optional. When set, Phishing Club requests that authentication context from the provider and rejects the login unless the returned acr claim matches, which is how you enforce multi factor authentication at the provider

PKCE (RFC 7636) is always used for the authorization code exchange, no configuration is needed.

The email returned by the provider must be marked verified (the email_verified claim). An unverified email is rejected, because a provider that allows self set, unverified addresses could otherwise be used to match another user's account. As with Entra ID, only users that already exist in Phishing Club can sign in.

Exclusive SSO login

Enable Exclusive SSO login in the SSO configuration to turn off username and password login entirely while SSO is active. This applies to both Entra ID and OpenID Connect.

Exclusive SSO only affects interactive username and password login. API keys keep working, so automation and integrations are not interrupted when you enable it.

Break glass: if the identity provider is misconfigured and no one can sign in, local login can be restored at the server level. Set local_login_breakglass to true under the authentication section of config.json and restart the server. Because this requires filesystem access to the server it is a deliberate recovery path, not something a normal user can change. It defaults to false so that exclusive SSO is genuinely exclusive once enabled.