FiercePhish – Full-fledged Phishing Framework

FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more. The features will continue to be expanded and will include website spoofing, click tracking, and extensive notification options.


Recommended Prerequisites

  • Purchase a domain name to send emails from

This isn’t required, but it is heavily suggested. Phishing campaigns where you spoof an active domain you don’t own are extremely susceptible to being spam filtered (unless the domain’s SPF record is improperly configured). The best way to perform a phishing campaign is by buying a generic domain that can fool someone (“”) or a domain that is very similar to a real domain (“”).
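For a domain owner, "improperly configured" here means an SPF record that does not tell receivers to reject senders the owner never listed. The sketch below is an added example, not FiercePhish code, for auditing a domain you own: it classifies TXT strings passed in directly (no DNS lookups), and the function names and sample records are constructed for illustration.

```python
# Added example: classify how strictly an SPF record treats unlisted senders.
# TXT strings are supplied by the caller; nothing is resolved over DNS.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def find_spf(txt_records):
    """Return the SPF records among a domain's TXT strings (RFC 7208)."""
    records = [r.strip() for r in txt_records]
    return [r for r in records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def spf_posture(txt_records):
    """Return (verdict, detail) for mail from senders the record does not list."""
    spf = find_spf(txt_records)
    if not spf:
        return "missing", "no SPF record: receivers have nothing to check against"
    if len(spf) > 1:
        return "invalid", "multiple SPF records: evaluation ends in permerror"
    redirect = None
    for term in spf[0].split()[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        qualifier, mech = (low[0], low[1:]) if low[0] in QUALIFIERS else ("+", low)
        if mech == "all":  # terms after "all" are never evaluated
            result = QUALIFIERS[qualifier]
            verdict = {"fail": "strict", "softfail": "soft"}.get(result, "permissive")
            return verdict, f"unlisted senders get '{result}'"
    if redirect:  # redirect only applies when no "all" mechanism is present
        return "delegated", f"policy is taken from {redirect}"
    return "permissive", "no 'all' term: unlisted senders get 'neutral'"

# Constructed sample records (reserved example domains and documentation IPs).
SAMPLES = {
    "strict.example": ["v=spf1 mx ip4:192.0.2.10 -all"],
    "soft.example": ["site-verification=constructed", "v=spf1 include:_spf.example.net ~all"],
    "open.example": ["v=spf1 mx +all"],
    "none.example": ["site-verification=constructed"],
    "dupe.example": ["v=spf1 -all", "v=spf1 mx ~all"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        verdict, detail = spf_posture(txt)
        print(f"{domain:16} {verdict:10} {detail}")
```

Only a "strict" verdict (`-all`) asks receivers to reject unlisted senders outright; "soft", "permissive", "missing" and "invalid" results all leave that decision to the receiver's other filtering.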

The current features of this framework are:

  • FiercePhish URL Prefix – lets you change the console URL.
  • Phishing Campaigns – allows you to create large phishing campaigns that send emails over whatever length of time you would like. You simply give it an “Email Template”, “Target User List”, and sending schedule and it will take care of the rest.
  • Email Simple Sending – Sometimes all you want to do is send one simple phishing email without the hassle of creating everything needed for a campaign.
  • Catch-all Inbox – allows you to receive emails to the domain you have set up for FiercePhish to use. This is incredibly useful if a phishing target replies to an email or you get a “vacation” message.
  • Email Configuration Check – It can be a hassle to check if all DNS entries are properly configured to bypass spam filters. Luckily, FiercePhish has you covered with the configuration check. It will parse A records, MX records, and SPF records to ensure they are properly configured for you to begin sending emails.
  • Activity Logs – Keeping track of all activity is extremely important for penetration tests and especially phishing exercises.
  • Fast Replacement – Sometimes you will want to kill a server that has been burned by a phishing campaign and stand up a new server. The worst part about that is losing all the data associated with that first server! This framework has an easy Import/Export feature which allows you to quickly export all the data from one server and import it into the new server. It makes standing up new systems and tearing down old systems a breeze. All information is transferred, including Activity Logs.
  • User Management and 2-Factor Authentication.

You can read more and download this framework over here:
