Phishing Simulation
Highly customized phishing, spear phishing, and vishing tests.
Phishing by the Raxis Red Team
Every Raxis phishing assessment is built from scratch by our Red Team engineers. No recycled templates, no automated platforms. We show you where your defenses break down and what an attacker could do once they’re in.

Customized Phishing
Controlled phishing using real attacker tactics, from convincing pretexts to credential harvesting. We don’t stop at the click. When scope allows, we use captured credentials to show real impact: account access, lateral movement, and data exposure.
Spear Phishing Testing
Generic phishing catches the careless. Spear phishing catches the careful. Our engineers profile specific targets through OSINT, then craft personalized emails impersonating trusted colleagues, executives, or vendors, using context only a determined attacker would assemble.
Vishing Assessments
Vishing (Voice Phishing) now drives over 60% of phishing-related incident response cases, overtaking email as attackers’ top channel, yet most organizations have never tested for it. Our engineers place live calls impersonating IT support, executives, and vendors, using urgency and authority to extract credentials and MFA codes. No scripts. No robocalls.
What You Get From a Phishing Simulation
Every engagement ends with more than a spreadsheet of click rates. Raxis delivers findings you can act on immediately, from individual risk exposure to organization-wide security gaps, with clear remediation guidance at every level.
Why Raxis Phishing?
Phishing is just the door. Our Red Team shows you what’s on the other side.
Phishing For Compliance
Many regulatory frameworks require organizations to assess their vulnerability to social engineering attacks. A Raxis phishing penetration test provides the documentation and evidence you need to satisfy these mandates, while delivering security insights that go far beyond the checkbox.
Raxis Hack Stories
Our stories are based on real events encountered by Raxis engineers; however, some details have been altered or omitted to protect our customers’ identities.
Real-World Phishing Security Test: Credential Harvest to Full Access
Oh, if clicks were wishes. After decades of extended car warranty negotiations and speed dates with Nigerian princes, nearly all organizations remain keenly aware phishing attacks are part of doing business. We’re all human, but it’s the forehead slap moments that seem to sting the most. Maintaining that vigilance while your inbox explodes on a Friday afternoon is no small challenge. We’ve all been there, and the bad guys know it. We don’t get to share too many war stories, so sit back and enjoy a few our team has been a part of. While no actual employees were harmed in the making of this story, they quickly learned that class was in session.
As with many other social engineering engagements, we created a phish based on a spoofed login portal. The assessment scope allowed our engineer to pivot off any harvested credentials. So, with that as the focus, he leapt at the first set that came in. Glee quickly faded as he found the organization enforced MFA through a push notification. Thinking the jig was up, our tester stepped away in search of commiseration coffee. Bingo! When he returned, the user had approved the MFA push.
The best advice for outsmarting a professional phisherman is to confirm a communication’s legitimacy with the person or organization that allegedly sent it. But what about the phish within the phish? For this, our team created a complex phishing email claiming to be from our customer’s own IT department. Using company branding and styles found on publicly available customer sites, the branded email urged users to log in to their email, using a link provided in the email of course, to re-authenticate after an upgrade. You guessed it, this link was for a phishing site that stole the entered credentials and then redirected, smoke and mirrors style, to an error page. Here’s where the darkness became all-encompassing. Both the email and the error page provided a number to contact IT for help. Not only did employees enter credentials, but the phone started ringing. Grateful to have the call answered quickly by a friendly person, several of these people told our tester other sites where those credentials should work and provided info that helped our tester log in. Trust and rapport were inferred because the employees made the call to the phisher instead of the other way around.
Real Phishing Obtains Real Results
Scottie Cole is one of the best in the business. In this video, he reveals some of his best tips and tricks for setting up phishing campaigns to harvest credentials and/or install payloads on clients’ networks.