Phishlets 2.0 | Evilginx

📄️Overview

Phishlets are the configuration files that drive the Evilginx reverse proxy. Each phishlet targets one or more websites and describes — in a single declarative file — every transformation the proxy must perform to deliver a transparent phishing simulation: which hosts to proxy, which URLs to rewrite, what data to capture, what to inject, and what to block.

📄️String Matcher

String values in phishlets serve two purposes: as literal values or as search patterns. This reference documents the pattern matching syntax used in the Phishlets V2 format.

📄️JSON Path

JSON Path is the small expression language used by Phishlets 2.0 to point at one or more keys inside a JSON document. Wherever a field is documented as [json_path], the value is parsed with the rules described on this page.

📄️Trigger

A Trigger is the filter that decides whether a rule applies to a given HTTP request or response. Triggers appear inside every rule object across the Rewrite, Capture, Intercept, Inject, and Options sections.

📄️Locator

A Locator describes where inside a request or response to look for a value — the URL path, a query parameter, a header, a cookie, or a field inside the body. Locators appear in every rule that needs to find data: under rewrite.requests[], rewrite.responses[], capture.tokens.requests[], and capture.tokens.responses[].

📄️Params

The params section declares the custom parameters a phishlet can use. Once declared, a parameter is referenced anywhere in config.hjson as $ and is replaced at runtime with its current value. Parameters make a phishlet portable across deployments — domain names, tenant identifiers, target IDs, and other per-engagement values can be set without editing the phishlet itself.

📄️Proxy

The proxy section lists the real hostnames the reverse proxy serves on behalf of the target. Each entry maps an original hostname (e.g. login.microsoftonline.com) to a phishing subdomain under the phishlet's main phishing domain.

📄️Options

The options section tunes the proxy's automatic URL handling. Currently it exposes a single subsection — rewrite — that controls how aggressively the proxy detects and rewrites URLs that appear in proxied content.

📄️Rewrite

The rewrite section is where most of a phishlet's behavior lives. It defines how the proxy modifies HTTP traffic as it flows through, so that the visitor sees a coherent login experience while Evilginx silently captures session data.

📄️Capture

The capture section defines what counts as a successful phishing session. Each rule either captures a cookie (from a Set-Cookie response header) or a token (any string value extracted from a request or response). Once every rule marked required: true has produced a value, the session is considered complete and the visitor is redirected to the phishlet's redirecturl (or the lure's redirecturl, if set).

📄️Intercept

The intercept section short-circuits HTTP requests before they reach the upstream server. The proxy returns a response you supply, instead of forwarding the request. Use it to:

📄️Inject

The inject section adds resources to proxied HTML pages. Right now the only supported resource type is JavaScript, injected as a `` tag at a chosen location in the document.

📄️Evilpuppet

The evilpuppet section attaches an Evilpuppet plugin to the phishlet. Evilpuppet is Evilginx's browser-automation module — it drives a real browser session in the background to handle interactions that a pure HTTP proxy cannot, such as solving anti-bot challenges or completing authentication flows that depend on client-side state.

📄️Example: Microsoft 365

This page walks through a complete real-world phishlet for Microsoft 365 sign-in, section by section. Read it alongside the Phishlets 2.0 overview — every construct used here is documented in detail elsewhere in this section.