Phishing Campaigns
Targeted phishing simulation that measures employee susceptibility, validates detection and response, and drives targeted training improvement.
Phishing remains the single most common initial-access vector in real-world breaches. A phishing campaign measures how an organisation actually performs against it: not just the percentage of users who click, but what happens next when credentials, MFA codes, or session tokens are captured.
Engagements range from awareness-style campaigns (broad, lower-sophistication, training-focused) to targeted red-team-aligned campaigns (MFA bypass, session-token capture, BEC-style impersonation, payload delivery for follow-on activity). Sophistication, scope, and visibility to the blue team are all defined upfront.
Most clients pair an annual targeted campaign with regular awareness campaigns delivered by their own teams, measuring susceptibility over time while keeping the technical test independent of the people being measured.
What's at stake.
Most breaches start with phishing
Year over year, phishing remains the single most common initial-access vector, including in MFA-protected environments, where attackers now routinely capture authenticated session tokens rather than passwords alone.
Awareness training without testing is hope
Training programmes feel productive. Without periodic measurement, there is no evidence they are changing behaviour.
What we test.
Campaign types
- General phishing
- Spear phishing
- Whaling
- MFA bypass / session token theft
- BEC-style impersonation
- Vishing and smishing (where in scope)
Programme phases
- Pre-engagement planning
- Campaign design and development
- Execution and monitoring
- Analysis and reporting
- Post-engagement debriefing and training
The flaws engagements like this consistently surface.
Drawn from common categories our consultants surface across engagements of this type. Severity and prevalence vary by environment and maturity.
MFA bypass success
Session-token capture via reverse-proxy (adversary-in-the-middle) phishing kits succeeding against TOTP and push-based MFA flows. Only origin-bound, phishing-resistant authenticators such as FIDO2/WebAuthn resist this class of kit, because the credential is never released to the attacker's domain.
Process breakdowns post-click
Reported phishes routed to a generic mailbox that nobody monitors; no automatic credential and session reset when a user reports a message or is found to have submitted credentials; help desk re-issuing MFA tokens without verifying the caller's identity.
High-privilege susceptibility
Senior or privileged users with higher click rates than the general population: the most dangerous possible distribution, since those are the accounts whose compromise matters most.
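The three findings above are all things the campaign's event log can demonstrate directly. The following is an added example (not code from this page or from the provider): it computes per-cohort click, submission and report rates, median time-to-report, and a list of users whose captured credentials were not reset within a blue-team SLA. The event log, the cohort names, the event vocabulary (sent/click/submit/report/reset) and the one-hour reset SLA are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample event log (not real campaign data). Each row is
# (user, cohort, event, ISO-8601 timestamp). Assumed event vocabulary:
#   sent    lure delivered to the user
#   click   link followed (user landed on the capture page)
#   submit  credentials, MFA code or session token captured
#   report  user reported the message to security
#   reset   blue team invalidated the user's credentials and sessions
RAW_EVENTS = [
    ("alice", "staff", "sent", "2024-05-06T09:00:00"),
    ("alice", "staff", "report", "2024-05-06T09:12:00"),
    ("bob", "staff", "sent", "2024-05-06T09:00:00"),
    ("bob", "staff", "click", "2024-05-06T09:05:00"),
    ("bob", "staff", "submit", "2024-05-06T09:06:00"),
    ("bob", "staff", "report", "2024-05-06T09:40:00"),
    ("bob", "staff", "reset", "2024-05-06T10:10:00"),
    ("carol", "staff", "sent", "2024-05-06T09:00:00"),
    ("carol", "staff", "click", "2024-05-06T09:30:00"),
    ("dave", "staff", "sent", "2024-05-06T09:00:00"),
    ("erin", "privileged", "sent", "2024-05-06T09:00:00"),
    ("erin", "privileged", "click", "2024-05-06T09:03:00"),
    ("erin", "privileged", "submit", "2024-05-06T09:04:00"),
    ("erin", "privileged", "report", "2024-05-06T11:00:00"),
    ("frank", "privileged", "sent", "2024-05-06T09:00:00"),
    ("frank", "privileged", "click", "2024-05-06T09:20:00"),
    ("frank", "privileged", "submit", "2024-05-06T09:21:00"),
]

# Assumed blue-team SLA: exposed credentials must be reset within one hour
# of the team having a signal that the campaign is live.
RESET_SLA = timedelta(hours=1)


def parse_events(rows):
    """Turn the raw rows into tuples with real datetimes."""
    return [(u, c, e, datetime.fromisoformat(ts)) for u, c, e, ts in rows]


def first_event_times(events):
    """Earliest timestamp per (user, event), plus each user's cohort."""
    first, cohort = {}, {}
    for user, coh, ev, ts in events:
        cohort[user] = coh
        key = (user, ev)
        if key not in first or ts < first[key]:
            first[key] = ts
    return first, cohort


def cohort_metrics(rows):
    """Click, submit and report rates and median minutes-to-report per cohort."""
    first, cohort = first_event_times(parse_events(rows))
    users_by_cohort = defaultdict(set)
    for user, coh in cohort.items():
        users_by_cohort[coh].add(user)
    out = {}
    for coh, users in users_by_cohort.items():
        sent = [u for u in users if (u, "sent") in first]
        n = len(sent)
        clicked = [u for u in sent if (u, "click") in first]
        submitted = [u for u in sent if (u, "submit") in first]
        reported = [u for u in sent if (u, "report") in first]
        minutes_to_report = [
            (first[(u, "report")] - first[(u, "sent")]).total_seconds() / 60
            for u in reported
        ]
        out[coh] = {
            "sent": n,
            "click_rate": len(clicked) / n if n else 0.0,
            "submit_rate": len(submitted) / n if n else 0.0,
            "report_rate": len(reported) / n if n else 0.0,
            "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        }
    return out


def exposure_gaps(rows, sla=RESET_SLA):
    """Users who submitted credentials and were not reset within the SLA.

    The SLA clock starts at the later of the user's own submission and the
    first report of the lure by anyone in the campaign, i.e. the earliest
    moment the blue team could have known. A user still inside the SLA at
    the end of the log is not counted as a gap.
    """
    events = parse_events(rows)
    first, _ = first_event_times(events)
    reports = [ts for (_, ev), ts in first.items() if ev == "report"]
    first_report = min(reports) if reports else None
    campaign_end = max(ts for *_, ts in events)
    gaps = []
    for (user, ev), submitted_at in first.items():
        if ev != "submit":
            continue
        known_at = submitted_at if first_report is None else max(submitted_at, first_report)
        deadline = known_at + sla
        reset_at = first.get((user, "reset"))
        if reset_at is not None and reset_at <= deadline:
            continue  # reset inside the SLA
        if reset_at is None and campaign_end < deadline:
            continue  # SLA not yet expired when the log ends
        gaps.append(user)
    return sorted(gaps)


if __name__ == "__main__":
    metrics = cohort_metrics(RAW_EVENTS)
    for coh, m in sorted(metrics.items()):
        print(coh, m)
    if metrics["privileged"]["click_rate"] > metrics["staff"]["click_rate"]:
        print("privileged cohort clicks more than staff: high-privilege susceptibility")
    print("reset SLA missed for:", exposure_gaps(RAW_EVENTS))
```

In this constructed log the privileged cohort clicks and submits at 100% against 50% and 25% for staff, bob's credentials are reset 58 minutes after the first report (inside the SLA), and erin and frank are never reset, which is exactly the "process breakdown post-click" the page describes. Real campaigns should also record which reporting channel each report came through, so an unmonitored generic mailbox shows up as reports with no downstream reset rather than as silence.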
A structured, intelligence-led path through every engagement.
Every engagement follows the same disciplined path through the Velocity platform, so quality, traceability, and reporting are consistent across teams.
Scoping
Define assets, environments, Rules of Engagement, and acceptance criteria with the technical and security stakeholders.
Execution
Manual and tool-assisted testing by CREST-accredited consultants, with evidence captured at each step.
Validation
Every finding is reproduced, risk-rated under CVSS, and confirmed by a second consultant before reporting.
Reporting
Cryptographically signed reports with test-case traceability, severity ratings, reproduction steps, and remediation guidance.
Debrief & Retest
Stakeholder walk-through of findings, prioritisation support, and a retest cycle on remediated issues.
Common buyer questions.
Do you test MFA bypass?
Yes, and increasingly it is the default. Modern adversaries bypass MFA routinely with reverse-proxy (adversary-in-the-middle) phishing kits that relay the real login page and capture the authenticated session. Testing against pre-2020 phishing models without MFA bypass is no longer realistic.
How is the campaign approved internally?
Pre-engagement planning includes legal, HR, and communications stakeholders. Rules of Engagement define explicit lists of who is in/out of scope, what content is acceptable, and how disclosure happens after the campaign.
Test Your Defences Against Adversarial Expertise
Talk to a CREST-accredited consultant about your next penetration testing engagement.