Authorized Red Team Phishing: Templates, GoPhish and Ethical Guardrails
How written-scope red team engagements use GoPhish, build believable templates, and why firing a campaign without authorization ends careers.
A client signed the Rules of Engagement on Friday, and by Monday morning 1,847 employees had received an email cloning the timesheet portal. Within 38 minutes: 312 clicks, 89 credentials harvested, zero SIEM alerts. What separates that operation from criminal fraud is paperwork and control: a signed contract on letterhead, a defined execution window, and a CISO phone number that can kill everything in 30 seconds if anything escalates. Red team phishing is not about tricking humans; it is about measuring the human attack surface with the same rigor with which we measure the network surface in Advanced Nmap: NSE Scripts for Internal Recon in a Simulated Corporate Lab.
Before any send, the authorization document must list the allowed domains, source IP ranges, send windows, exclusion criteria (C-suite, HR staff in active labor litigation, underage interns), who on the client side knows the campaign is live, and what happens to captured credentials. Skip this and the work becomes the Coalfire-Iowa 2019 case, where two pentesters were arrested mid-engagement because the written scope for physical entry was ambiguous about after-hours access and the county that owned the building had never signed off on what the state court administration had authorized. A serious red team writes personal OPSEC before operational OPSEC, and the material in OPSEC for Security Researchers: Building a Personal Threat Model applies directly here because the operator ends up carrying client secrets across the engagement boundary.
GoPhish has been the Swiss army knife of simulation since around 2016 because it ships a REST API, an open-tracking pixel, cloneable landing pages, and CSV reports in a single Go binary of roughly 25 MB. Typical architecture: a dedicated VPS with a never-before-used IP, a domain aged at least 30 days (ideally a lookalike of the client's own domain, on the rnicrosoft-login.com pattern), SPF, DKIM and DMARC records published for that domain with DKIM signing done by Postfix (OpenDKIM) or a relay such as SendGrid, and a Let's Encrypt certificate on the landing page. Without IP warm-up, your campaign dies in Microsoft Defender before it reaches an inbox. Decide up front, and write into the RoE, whether the client allowlists your sending IP in its mail gateway: an allowlisted campaign measures people, one that is not measures the filter first, and the report must say which. Treat the infrastructure as production-grade, with the same discipline as Building C2 Infra with Sliver in an Isolated Lab for Defensive Research.
Templates that work in 2026 are no longer Nigerian-prince lures. The Proofpoint top three last quarter: a DocuSign signature expiring in 24 hours, a DHL parcel held at customs with a $4.99 fee, and a Microsoft Teams invite from a real director (lifted off LinkedIn) calling an urgent meeting. Every template must render identically in Outlook 2021, Gmail Web, and iOS Mail, which means table-based layout, styles inlined on each element (Outlook's Word-based rendering engine ignores much of a <style> block), and images hosted on a reputable CDN under a domain the RoE covers, because each image fetch is also a beacon the client's proxy will log. The initial-access vector can still be an attachment, and the trade-offs across macro, LNK, and ISO are dissected in Simulated Initial Access: Macros, LNK and ISO in an Isolated Windows 11 Lab with concrete detection examples.
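A pre-send lint that enforces the template rules above, as an added example (not GoPhish's own code or anything from the original post). It parses the HTML body with the standard library and checks that every hyperlink is the tracked `{{.URL}}` variable, that every image is served from a host the RoE allows, that the `{{.Tracker}}` pixel is present, and that no `<style>`, `<link>` or `<script>` tags slipped in. The template variables are the real GoPhish ones; the allowlist host and both sample templates are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed RoE allowlist: the only hosts a recipient's mail client may fetch from.
ALLOWED_IMAGE_HOSTS = {"cdn.example-engagement.test"}
# Outlook's Word engine drops <style>/<link>; <script> never runs in mail clients.
FORBIDDEN_TAGS = {"link", "script", "style"}


class _TemplateScanner(HTMLParser):
    """Collects hrefs, image sources and forbidden tags from the template body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.img_srcs, self.forbidden = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in FORBIDDEN_TAGS:
            self.forbidden.append(tag)
        elif tag == "a" and "href" in a:
            self.hrefs.append(a["href"])
        elif tag == "img" and "src" in a:
            self.img_srcs.append(a["src"])


def lint_template(html: str) -> list[str]:
    """Return findings; an empty list means the template may be loaded into GoPhish."""
    scanner = _TemplateScanner()
    scanner.feed(html)
    findings = []
    for tag in scanner.forbidden:
        findings.append(f"forbidden <{tag}> tag: put styles inline on each element")
    for href in scanner.hrefs:
        # Every click must go through GoPhish's per-recipient tracked URL,
        # otherwise it is invisible to the report and may point outside scope.
        if href.strip() != "{{.URL}}":
            findings.append(f"untracked link {href!r}: hyperlinks must be {{{{.URL}}}}")
    for src in scanner.img_srcs:
        if src.strip() == "{{.TrackingURL}}":  # GoPhish's own open-tracking pixel
            continue
        host = urlparse(src).hostname
        if host not in ALLOWED_IMAGE_HOSTS:
            findings.append(f"image host {host!r} is outside the RoE allowlist")
    if "{{.Tracker}}" not in html and "{{.TrackingURL}}" not in html:
        findings.append("no {{.Tracker}} pixel: opens will not be recorded")
    return findings


# Constructed DocuSign-style lure that passes every check.
GOOD_TEMPLATE = """<table style="width:100%;font-family:Arial"><tr><td style="padding:12px">
<img src="https://cdn.example-engagement.test/docusign.png" style="width:120px" alt="">
<p style="margin:0">{{.FirstName}}, a document is waiting for your signature and expires in 24 hours.</p>
<a href="{{.URL}}" style="color:#fff;background:#2b6cb0;padding:8px">Review document</a>
</td></tr></table>{{.Tracker}}"""

# Constructed template with the four mistakes the lint reports.
BAD_TEMPLATE = """<style>p{color:red}</style>
<p>{{.FirstName}}, review <a href="https://login.example.com/">here</a>.</p>
<img src="https://static.example.net/logo.png" alt="">"""

if __name__ == "__main__":
    for name, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(name, lint_template(tpl) or "OK")
```

Run it against every template before it is loaded through the admin UI; a stray absolute link is the most common way a campaign ends up sending recipients to a host the RoE never mentioned.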
Landing pages are where 70% of teams blow it. Capturing a password in plaintext through an HTTP form is amateur hour and indefensible under GDPR's data-minimization principle even inside an authorized scope, because the engagement never needs the secret itself, only proof that it was submitted. The pattern that holds up: hash the password client-side with SHA-256 over an engagement salt, store only the first eight hex characters of the digest to confirm collection, and immediately redirect to a training page explaining the simulation. Log user-agent, IP, timestamp, and click-to-submit delta, but never the full credential. Treat even the eight-character prefix as sensitive: 32 bits of digest is enough to pick a weak password out of a wordlist, so the records get purged when the report is accepted. That data feeds the improvement loop described in Purple Team in Practice: Building a Red vs Blue Feedback Loop, where the blue team turns every click into a detection rule.
The part nobody talks about at conferences: psychological fallout. In a real 2024 campaign with 4,200 targets, 11 employees took stress leave after learning they had been 'caught', and two sued the employer. Post-campaign debriefs need an occupational psychologist on call, a same-day communication from the CEO, and a success metric that is not raw click rate: report quarter-over-quarter reduction across comparable cohorts, and put the report rate (how many recipients forwarded the mail to security) beside it. Operators also need to shield their own identity during the engagement, as detailed in Digital Compartmentalization: Separate Identities Without Leaking Metadata, because the operator inevitably learns sensitive internal facts about the target.
For teams just starting, the honest path is: build the internal lab first (GoPhish plus MailHog plus five test accounts), validate templates against your own Outlook, run a dry run with the client security team watching live, and only then fire in production. Wire a kill switch that drains the campaign in 60 seconds through the API; in GoPhish, marking a campaign complete drops its queued mail and its landing URLs stop serving the page. Document every decision in a signed changelog, because six months later an auditor will ask why you mailed a specific person. Takeaway: authorized phishing is 20% technique, 30% paperwork, and 50% empathy for whoever clicks. Without all three, do not send.