Questions.md

File metadata and controls

27 lines (25 loc) · 1.52 KB

Phishing Engagement Questions

To ask before the start of a phishing engagement.

  • What is your idea of a phishing engagement?
  • What are you looking to measure?
  • How many campaigns are you looking for us to conduct?
  • What types of engagements are you looking for us to conduct? (Credential capture, payload delivery, text-only, or a hybrid)
  • Do you implement security awareness training?
  • Will you be testing detection and response?
  • Will you be testing solutions around email security?
  • How many phishing engagements have been performed previously, and when?
  • What were your last 3 to 5 pretexts?
  • Will you be whitelisting our sending domain if no categorized domains are available?
  • Do you want us to try one non-categorized domain and one categorized domain? (Categorization takes a few days.)
  • Do you want us to try a freshly obtained domain and an older one?
  • Will you require the pretext to be greenlit before it is sent?
  • Is there a contact we can test the pretext with beforehand?
  • Will there be more than one pretext and group of targets?
  • Can we reply to targets that email us back?
  • Can we use the captured credentials for further compromise?
  • What do you consider a compromise? Obtaining Domain Admin, PII, payment data, etc.?
  • Can we test the payload before the engagement?
  • Do you need us to craft different levels of payloads? (From common/off-the-shelf to custom and complex)
  • Will you be providing the list of employees, or do you expect us to find them via OSINT?
  • Can any employee be targeted or are we targeting a specific department/location?
  • Are any folks out of scope? (NOT RECOMMENDED)