From Side Project to an Upgraded Gophish Platform
If you work in cyber security, chances are you’ve come across Gophish at some point — whether in testing, labs, or real engagements.
But once you move beyond basic setups, its limitations become clear: single-vector campaigns, lack of orchestration, and a lot of repetitive manual work.
Like many others, I started with basic local campaigns before gradually moving into production deployments and using it in real client engagements.
The deeper I worked with the platform, the more I explored its internals and community-driven modifications. Eventually, one question came up:
Why not extend it myself?
Inspired by community-driven modifications and tools like Evilgophish, I began building extensions on top of Gophish while keeping its familiar workflows intact.
What began as a small, fun side project gradually evolved into the fork I now call Anglerphish.
Notable Enhancements
Over time, this fork grew beyond what I initially set out to build and now includes more changes than would fit in a single article. Below are a few highlights that had the most practical impact.
Multi-Vector Campaign Support
Traditional phishing simulations tend to revolve around email. And while that still works, real-world attacks have clearly moved beyond a single vector.
Anglerphish expands the campaign engine to support:
- Native SMS campaigns (Twilio & Vonage support) — following the same familiar workflow as email campaigns, but adapted for SMS delivery.
- QR code campaigns — generated dynamically through a simple placeholder parameter, enabling seamless embedding into emails, landing pages, or documents.
- HTTP Basic Authentication landing flows — replacing traditional HTML landing pages with a browser-native authentication prompt for infrastructure-style scenarios.
- Generic campaigns for off-channel distribution (QR posters, offline delivery, internal messaging, etc.) — allowing fully hostable, trackable landing pages to be generated and shared through virtually any medium.
- MFA simulation with OTP tracking (Sent / Verified / Failed) — integrated directly into the existing campaign flow and enabled through landing page configuration, without requiring a separate campaign type.
The MFA functionality is not designed to replicate full real-time interception frameworks such as Evilginx. Instead, it leverages integrated email and SMS flows to simulate realistic multi-step authentication scenarios within the same platform.
Of course, the possibilities for integrations are endless, and there’s still room to expand!
Campaign Orchestration at Scale
One of the most frustrating parts of working with Gophish during larger engagements was orchestration.
There’s no “save as draft” workflow. Each campaign must be launched or scheduled before you can move on. And if you realize something needs adjusting after launch, the only option is to delete and recreate it from scratch.
That friction led to the idea of Campaign Sets — a way to prepare and manage multiple campaigns before launching anything.
Campaign Sets allow multiple campaigns (Email and SMS) to be grouped and configured together. Each campaign can maintain its own settings, while shared parameters — such as landing pages, URLs, or launch schedules — can be defined across the entire set.
Most importantly, sets can be saved as drafts. You can iterate, review, and refine before executing — making multi-scenario assessments significantly easier to plan and manage.
Once launched, campaigns behave exactly as they normally would and remain individually accessible for monitoring and reporting.
Reporting Support
Reporting is often one of the most time-consuming parts of phishing engagements — not because it’s complex, but because it’s repetitive.
Exporting CSVs, building charts, and formatting results into client-ready reports quickly becomes a manual and time-consuming process.
To address this, I added a dedicated Reports section to Anglerphish. Campaign results can now be exported directly as structured Word or Excel reports.
These reports may not replace fully customized deliverables, but they provide clean, presentation-ready content that significantly reduces manual post-processing time.
Reports can be generated for individual campaigns or entire campaign sets. Privacy options allow partial anonymization of sensitive data — such as email addresses, phone numbers, or IPs — making it easier to share results with clients or external stakeholders.
The reporting engine is powered by Python and includes built-in environment checks to ensure required dependencies are available, streamlining setup.
Security Improvements Within the Platform
Gophish has so far had no database encryption, leaving SMTP and IMAP configuration passwords exposed, along with target passwords when they are collected.
Anglerphish introduces optional, application-level AES-256-GCM encryption for sensitive database fields, including SMTP credentials, SMS provider keys, IMAP passwords, and captured data.
Encryption is controlled via environment configuration, remains fully backward compatible, and includes migration support — allowing existing deployments to transition to an encrypted state without breaking functionality.
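To make the backward-compatible part concrete, here is an added example (not Anglerphish's own code) of application-level AES-256-GCM field encryption in Go, the language Gophish is written in: a reader that passes legacy plaintext rows through unchanged and a migration step that only encrypts rows not yet encrypted. The `enc:v1:` prefix, the function names and the key arriving as a 32-byte value from environment configuration are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)
// Marker for encrypted values; rows lacking it are legacy plaintext (prefix and names are assumptions for this example).
const encPrefix = "enc:v1:"

func newGCM(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // 32-byte key type: only AES-256 is selectable
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block
	return gcm
}

// EncryptField stores prefix + base64(nonce || ciphertext || GCM tag).
func EncryptField(key *[32]byte, plaintext string) (string, error) {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return encPrefix + base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// DecryptField returns legacy plaintext unchanged and fails closed on a wrong key or a tampered row (GCM tag).
func DecryptField(key *[32]byte, stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return stored, nil
	}
	gcm := newGCM(key)
	raw, err := base64.StdEncoding.DecodeString(stored[len(encPrefix):])
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed encrypted value")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}

// MigrateRow encrypts a legacy row and leaves encrypted rows alone, so a pass is safe to re-run.
func MigrateRow(key *[32]byte, stored string) (string, error) {
	if strings.HasPrefix(stored, encPrefix) {
		return stored, nil
	}
	return EncryptField(key, stored)
}
```

Because the prefix marks encrypted rows, a deployment can read mixed tables during migration and re-run the migration without double-encrypting anything.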
“Skipped” includes rows where there are no event details (i.e., Email Sent, Campaign Created)
Additional Improvements
Beyond the features highlighted above, Anglerphish includes several refinements, additions, and quality-of-life improvements such as:
- URL templates for reusable complex structures
- Email, SMS, and Landing Page template previews for quick content review
- Enhanced IMAP monitoring, supporting multiple configurations and tracking both email Replies and Reported messages
- Expanded template variables for dynamic personalization
- In-app documentation for newly introduced features
All being well, I may share more detailed breakdowns of specific features in the future and continue expanding the platform.
The complete feature set is documented in the GitHub repository. If this sounds interesting, I encourage you to explore it and experiment with the fork yourself. If you find it useful, a star on GitHub is always appreciated.
Anglerphish is not intended to replace Gophish, but to extend it in ways shaped by real-world operational needs.
As real-world engagements grow in complexity, tooling needs to evolve to remain practical and efficient. This project is a step in that direction.
What began as incremental improvements evolved into a more flexible platform for phishing simulations — built with compatibility, practicality, and security in mind.
Project Repository
- Anglerphish: https://github.com/geopetro/anglerphish