Phishing Template Workbench

Primary language: HTML. 39 stars.
Developer-Focused Phishing Template Development Environment
Image: Web Application Preview
This tool enhances the development workflow for security professionals creating phishing simulation templates. It provides a preview environment where developers can:

{{.BaseURL}}, {{.Email}}, {{.FirstName}} automatically populated with sample values

Compatible with Phishing Club and GoPhish.
While this tool is for editing and checking templates, sometimes you just want quick templates to import into Phishing Club. On the Releases page you can download a .zip with the templates which can be imported via the Settings page in Phishing Club.
Most templates require a little editing.
Remember to change the sender on emails.
This application is meant ONLY for local development use. Never expose it publicly.
It is built upon AI 🤖 slop, so keep it local.
```
git clone https://github.com/phishingclub/templates.git
cd templates
make up
# or manually:
docker-compose up --build
```

http://localhost:8005

```
git clone https://github.com/phishingclub/templates.git
cd templates
go build
./templates
```

Options:

- `-port 8080` - Change server port (default: 8080)
- `-templates ./my-templates` - Specify templates directory
- `--export` - Export all templates to ZIP and exit

Email templates with a correct data.yml can be sent to a local mailpit container.
Mailpit is set up with an awesome HTML check feature that shows how well the HTML/CSS is supported in different mail clients, and a spam analysis via its SpamAssassin integration.
The SpamAssassin rule config has been adjusted slightly to avoid spam scores that are not relevant when previewing.
Check it out by opening an email template, clicking Send Test Email, and opening Mailpit by clicking the 📬 icon.
| Port | Service | Description |
|------|---------|-------------|
| 8005 | Templates | Template workbench web interface |
| 8102 | Mailpit | Email testing web interface with SpamAssassin integration |
| 1025 | SMTP | Internal SMTP server (not exposed publicly) |
All services run in Docker containers and are only accessible locally during development.
The project includes a comprehensive Makefile for common development tasks:
```
phishing-templates/
├── assets/                    # Global generic assets (available to all templates)
│   ├── images/
│   │   └── common-icons.png
│   └── css/
│       └── shared-styles.css
├── private/                   # Client-specific templates (DO NOT COMMIT)
│   └── client-company/
│       ├── data.yaml
│       └── branded-campaign/
│           ├── email.html
│           └── assets/
│               └── client-logo.png
└── generic-service/           # Generic templates safe to commit
    ├── data.yaml              # Template metadata (required)
    └── login-alert/
        ├── email.html         # Email template
        ├── landing.html       # Landing page (optional)
        └── assets/            # Template-specific assets
            └── generic-logo.png
```

Each template should contain a data.yaml. The file contains data that is used when importing the template into Phishing Club.
By default all templates should be named Template - Name so they can be easily copied and used. When an import happens it will overwrite any existing templates with the same name. This includes the assets.
```yaml
emails:
  - name: "Generic Service - Login Alert"
    file: "email.html"
    envelope from: "security@service.com"
    from: "IT Security <security@service.com>"
    subject: "Unusual Login Activity Detected"
pages:
  - name: "Generic Service Login Page"
    file: "landing.html"
```

Template variables are automatically populated with test data during preview:
| Variable | Example Value | Description |
|----------|---------------|-------------|
| {{.rID}} | 1234567890 | Recipient record ID |
| {{.FirstName}} | John | Recipient's first name |
| {{.LastName}} | Doe | Recipient's last name |
| {{.Email}} | john.doe@example.com | Recipient's email address |
| {{.To}} | john.doe@example.com | Alias for Email |
| {{.Phone}} | +1-555-123-4567 | Phone number |
| {{.ExtraIdentifier}} | EMP001 | Additional identifier |
| {{.Position}} | IT Manager | Job position |
| {{.Department}} | Information Technology | Department |
| {{.City}} | New York | City |
| {{.Country}} | United States | Country |
| {{.Misc}} | Additional Info | Miscellaneous data |

| Variable | Example Value | Description |
|----------|---------------|-------------|
| {{.URL}} | https://example.com/phishing-link | Phishing URL |
| {{.BaseURL}} | /templates/company/campaign | Base URL for assets |
| {{.Tracker}} | HTML tracking pixel | Email open tracking image |
| {{.TrackingURL}} | https://track.example.com/clicked/id | Link click tracking URL |

| Variable | Example Value | Description |
|----------|---------------|-------------|
| {{.From}} | Security Team <security@company.com> | Sender address |

| Variable | Example Value | Description |
|----------|---------------|-------------|
| {{.APIKey}} | _(empty)_ | API key |
| {{.CustomField1}} | _(empty)_ | Custom field 1 |
| {{.CustomField2}} | _(empty)_ | Custom field 2 |
| {{.CustomField3}} | _(empty)_ | Custom field 3 |
| {{.CustomField4}} | _(empty)_ | Custom field 4 |
The template system supports the same functions as the Phishing Club platform:
| Function | Example | Description |
|----------|---------|-------------|
| {{urlEscape "hello world"}} | hello%20world | URL encode a string |
| {{htmlEscape "<script>"}} | &lt;script&gt; | HTML escape a string |
| {{base64 "hello"}} | aGVsbG8= | Base64 encode a string |

| Function | Example | Description |
|----------|---------|-------------|
| {{randInt 1 10}} | 7 | Random integer between 1 and 10 (inclusive) |
| {{randAlpha 8}} | AbCdEfGh | Random alphabetic string of specified length |

| Function | Example | Description |
|----------|---------|-------------|
| {{date "Y-m-d"}} | 2025-01-15 | Current date in specified format |
| {{date "Y-m-d H:i:s"}} | 2024-05-15 14:30:25 | Current date and time |
| {{date "Y-m-d H:i:s" 3600}} | 2024-05-15 15:30:25 | Date with offset (3600 seconds = 1 hour) |
Date Format Codes:

- Y - 4-digit year (2024)
- y - 2-digit year (24)
- m - 2-digit month (01-12)
- n - Month without leading zero (1-12)
- M - Short month name (Jan, Feb)
- F - Full month name (January, February)
- d - 2-digit day (01-31)
- j - Day without leading zero (1-31)
- H - 24-hour format hour (00-23)
- h - 12-hour format hour (01-12)
- i - Minutes (00-59)
- s - Seconds (00-59)
- A - Uppercase AM/PM
- a - Lowercase am/pm

| Function | Example | Description |
|----------|---------|-------------|
| {{qr .URL }} | HTML table QR code | Generate QR code as HTML |
| {{qr .URL 6}} | Larger QR code | QR code with custom dot size |
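The date format codes listed above each correspond to one token of Go's reference-time layout. The following is an added example, not the project's own implementation: `FormatDate` and `goLayout` are hypothetical names, and each code is rendered on its own so that literal text in the format string is never mistaken for a Go layout token.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// goLayout maps each documented format code to the Go reference-time token
// with the same meaning (hypothetical name, not taken from the project).
var goLayout = map[rune]string{
	'Y': "2006", 'y': "06",
	'm': "01", 'n': "1", 'M': "Jan", 'F': "January",
	'd': "02", 'j': "2",
	'H': "15", 'h': "03", 'i': "04", 's': "05",
	'A': "PM", 'a': "pm",
}

// FormatDate renders t using the documented codes. An optional offset in
// seconds is added first, mirroring {{date "Y-m-d H:i:s" 3600}}.
// Characters that are not codes are copied through unchanged; the page
// documents no escape syntax, so a code letter cannot appear as literal text.
func FormatDate(t time.Time, format string, offsetSeconds ...int) string {
	if len(offsetSeconds) > 0 {
		t = t.Add(time.Duration(offsetSeconds[0]) * time.Second)
	}
	var out strings.Builder
	for _, r := range format {
		if layout, ok := goLayout[r]; ok {
			// Format one token at a time so literals such as "2006"
			// in the input are not reinterpreted as layout tokens.
			out.WriteString(t.Format(layout))
		} else {
			out.WriteRune(r)
		}
	}
	return out.String()
}

func main() {
	// Constructed sample timestamp matching the table's example values.
	t := time.Date(2024, 5, 15, 14, 30, 25, 0, time.UTC)
	fmt.Println(FormatDate(t, "Y-m-d H:i:s"))
	fmt.Println(FormatDate(t, "Y-m-d H:i:s", 3600))
	fmt.Println(FormatDate(t, "F j, Y"))
}
```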
Example Usage:
```html
<p>Hello {{.FirstName}}, today is {{date "F j, Y"}}!</p>
<p>Your confirmation code is: {{randAlpha 6}}</p>
<p>Lucky number: {{randInt 1 100}}</p>
<div>{{qr .URL 8}}</div>
```

This repository comes with a collection of phishing example templates:
Any example requires modification before use.
Use Export All, then import them into Phishing Club.
Place shared assets in the assets/ directory:
```
assets/
├── images/
│   ├── generic-icons.png
│   └── security-symbols/
└── css/
    └── email-base.css
```

Use in templates: {{.BaseURL}}/images/generic-icons.png
Place template-specific assets in the template's directory:
```
generic-service/campaign/
├── email.html
└── assets/
    └── campaign-banner.png
```

Use in templates: {{.BaseURL}}/assets/campaign-banner.png
The system automatically falls back to global assets if local assets aren't found.
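One way to implement the local-then-global lookup described above, shown as an added example rather than the project's own code. `ResolveAsset` and `sampleTree` are hypothetical names, the in-memory tree is constructed, and rejecting paths that contain `..` is a design choice of this sketch so a preview request cannot reach files such as those under private/.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path"
	"testing/fstest"
)

// ResolveAsset (hypothetical helper) maps an asset path requested relative to
// a template's {{.BaseURL}} onto a file: the template's own directory is
// tried first, then the global assets/ directory.
func ResolveAsset(root fs.FS, templateDir, rel string) (string, error) {
	// fs.ValidPath rejects "..", empty and rooted elements, so a request
	// cannot climb out of the template directory or the global assets/.
	if rel == "." || !fs.ValidPath(rel) {
		return "", fmt.Errorf("invalid asset path %q", rel)
	}
	candidates := []string{path.Join(templateDir, rel), path.Join("assets", rel)}
	for _, c := range candidates {
		info, err := fs.Stat(root, c)
		if err == nil && info.Mode().IsRegular() {
			return c, nil
		}
		if err != nil && !errors.Is(err, fs.ErrNotExist) {
			return "", err
		}
	}
	return "", fs.ErrNotExist
}

// sampleTree is a constructed in-memory layout mirroring the trees above.
func sampleTree() fstest.MapFS {
	return fstest.MapFS{
		"assets/images/generic-icons.png":                     {Data: []byte("global")},
		"generic-service/campaign/email.html":                 {Data: []byte("<p>hi</p>")},
		"generic-service/campaign/assets/campaign-banner.png": {Data: []byte("local")},
		"private/client-company/data.yaml":                    {Data: []byte("emails: []")},
	}
}

func main() {
	dir := "generic-service/campaign"
	for _, rel := range []string{"assets/campaign-banner.png", "images/generic-icons.png", "../../private/client-company/data.yaml"} {
		p, err := ResolveAsset(sampleTree(), dir, rel)
		fmt.Printf("%q -> %q (err: %v)\n", rel, p, err)
	}
}
```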
phishing-templates/private/ (never commit)

5.5. If email, send to mailpit and check html/css/spam scores
Creating emails and templates with AI is super easy and it should be part of the developer experience using your favorite editor or IDE. Simply choose your favorite code editor with AI support and get started.
We might consider a pull request for a folder filled with good custom rules to feed the agents.
private/ folder for client-specific templates and assets

phishing-templates/ as generic examples

Example Structure:
```
phishing-templates/
├── generic-bank/          ✅ Safe to commit
│   └── login-alert/
├── example-cloud/         ✅ Safe to commit
│   └── security-notice/
└── private/               ❌ DO NOT COMMIT
    ├── actual-client/
    └── real-company/
```

Emails are not websites. Understanding email client limitations is crucial.
Recommended Resources: