Session
Getting your scope in control during a Quishing Red Teaming Assessment
Red teaming can be challenging, especially when simulating real-world attacks like QR code phishing (“quishing”) within a tightly defined scope. How do you credibly launch a phishing campaign without wanting to know the specific targets, exposing sensitive information, or putting unintended users at risk?
This session offers a behind-the-scenes look at how our team tackled these constraints. We will dig into some open-source tools that can be used, some custom tweaks that we made to make it more secure and more believable, and the pitfalls you can hopefully avoid.
We will walk you through our attack chain: (1) Creating a phishing poster, (2) Using a customized EvilGinx instance to verify the scope, (3) Creating a believable landing page for our targets, and (4) Lessons learned and possible automated attacks.
Rutger Flohil
Ethical hacker / Red teamer @ Nederlandse Spoorwegen