Spear Phishing

Cobalt Strike's spear phishing tool allows you to send pixel perfect spear phishing messages using an arbitrary message as a template. Go to Attacks -> Spear Phish to open the spear phishing tool.

Set Targets to import a list of targets. You may import a flat text-file containing one email address per line. Import a file containing one email address and name separated by a tab or comma for stronger message customization.

Set Template to an email message template. A Cobalt Strike message template is simply a saved email message. Cobalt Strike will strip unnecessary headers, remove attachments, rewrite URLs, re-encode the message, and rewrite it for you.

Cobalt Strike does not give you a means to compose a message. Use an email client, write a message, and send it to yourself. Most webmail clients include a means to see the original message source. In GMail, click the down arrow next to Reply and select Show original.

You may customize a saved message with Cobalt Strike tokens. Cobalt Strike replaces these tokens when sending an email. The tokens include:

Token Description
%To% The email address of the person the message is sent to
%To_Name% The name of the person the message is sent to. This token is only available when importing a tab-separated file containing a name.
%URL% The contents of the URL field in the spear phishing dialog.

Set Embed URL to have Cobalt Strike rewrite each URL in the message template to point to the embedded URL. URLs added in this way will contain a token that allows Cobalt Strike to trace any visitor back to this particular spear phishing attack. Cobalt Strike's reporting and web log features take advantage of this token. Press ... to choose one of the Cobalt Strike hosted sites you've started.

Set Mail Server to an open relay or the mail exchange record for your target. If necessary, you may also authenticate to a mail server to send your phishing messages.

Press ... next to the Mail Server field to configure additional server options. You may specify a username and password to authenticate with. The Random Delay option tells Cobalt Strike to randomly delay each message by a random time, up to the number of seconds you specify. If this option is not set, Cobalt Strike will not delay its messages.

Configure mail server options
Mail Server Options

Set Bounce To to an email address where bounced messages should go. This value will not affect the message your targets see. Press Preview to see an assembled message to one of your recipients. If the preview looks good, press Send to start your attack.

Cobalt Strike's spear phishing tool sends messages through the team server you're connected to.