

Lures are essentially pre-generated phishing links, which you will be sending out on your engagements. Evilginx provides multiple options to customize your lures.


A lure has to be assigned to a specific phishlet. For example, to create a lure for the linkedin phishlet, run:

: lures create linkedin

The lure you create will automatically get an ID assigned. Let's assume the ID of your new lure is 0. You can always check the list of your lures with:

: lures


By default, the lure URL comes with a randomly generated path. Its hostname is the one you set up for the phishlet, combined with the subdomain that is defined in the phishlet with is_landing: true.

Your default lure URL should look like this:

: lures get-url 0

You can already take this URL and send it out, but you will miss out on a lot of customizations you can introduce to make the lures look better.


You can pause a lure for a fixed duration. While it is paused, the lure URL redirects the visitor to the unauth_url you set up globally or for the specific phishlet, until the timer expires.

The time duration must be entered in 1d2h3m4s format.

If you want to pause a lure for 1 day and 12 hours:

: lures pause 0 1d12h

If you want to pause a lure for 5 minutes:

: lures pause 0 5m

If you want to pause a lure for 1 minute and 30 seconds:

: lures pause 0 1m30s


Every paused lure can be unpaused at any time:

: lures unpause 0


If you're not satisfied with the automatically generated hostname, you can pick any hostname for your lure, on the condition that it ends with the top-level domain you set up for your Evilginx installation.

To change the hostname for your lure:

: lures edit 0 hostname

Setting up a custom hostname for a lure will also trigger an automatic retrieval of TLS certificates.


You can also entirely change the path of your phishing landing page for a selected lure.

: lures edit 0 path /downloads/RESUME.pdf


Redirectors are small websites that act as a landing page for your phishing links. The selected redirector is shown to the visitor when the lure URL is opened. Their sole purpose is to redirect the user to the phishing login page, either automatically or after user interaction. You can customize your redirectors with custom variables embedded in their HTML files, like {variable_name}. Values for these variables can be filled in automatically when lure URLs are generated with lures get-url.

To set a specific redirector for your lure:

: lures edit 0 redirector download_example

See the Generate URL section for how to generate URLs with custom values for redirector variables.

User-Agent filter

This option specifies a regular expression, which has to match the User-Agent HTTP header of the incoming requests to be accepted. Unauthorized requests will be redirected the same way as requests to invalid lure URLs.

You can use this to filter out desktop or mobile clients, if you only want to cover a specific target group.

: lures edit 0 ua_filter Mobile|Android|BlackBerry
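For anyone analysing a suspicious link, the consequence of such a filter is that a scanner with a non-matching User-Agent only ever sees the redirect. The following is an added example, not Evilginx code: it compares responses to one URL across User-Agent profiles and reports when serving depends on the User-Agent. The URL, profile names and observations are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Constructed observations of one suspicious URL fetched with several
# User-Agent profiles: (profile, HTTP status, Location header or None).
REQUESTED = "https://login.lure-host.example/downloads/file"
OBSERVATIONS = [
    ("desktop-chrome", 302, "https://unrelated.example/"),
    ("headless-scanner", 302, "https://unrelated.example/"),
    ("android-chrome", 200, None),
    ("iphone-safari", 200, None),
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify(requested, status, location):
    """Reduce a response to 'content', 'onsite-redirect' or 'offsite-redirect'."""
    if status in REDIRECT_CODES and location:
        # Resolve relative Location values against the requested URL first.
        target = urlsplit(urljoin(requested, location)).hostname
        same_host = target == urlsplit(requested).hostname
        return "onsite-redirect" if same_host else "offsite-redirect"
    return "content"


def cloaking_report(requested, observations):
    """Group profiles by response class; more than one class means the
    server answers differently depending on the User-Agent."""
    groups = {}
    for profile, status, location in observations:
        kind = classify(requested, status, location)
        groups.setdefault(kind, []).append(profile)
    ua_dependent = len(groups) > 1
    return {
        "ua_dependent": ua_dependent,
        "groups": groups,
        # Profiles that received page content are the ones to re-analyse with.
        "rescan_with": sorted(groups.get("content", [])) if ua_dependent else [],
    }


if __name__ == "__main__":
    print(cloaking_report(REQUESTED, OBSERVATIONS))
```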

Redirect URL

When the phished user successfully enters their credentials and Evilginx manages to capture them, together with the session cookies, they will be redirected to the URL defined under this option.

If this option is empty, Evilginx will try its best to continue performing reverse-proxying for logged in users.

: lures edit 0 redirect_url


OpenGraph is the current standard for meta tags that generate previews of website content when links are shared on messengers or social media. Evilginx fully supports customization of the previews for your phishing links. It will inject the configured meta tags into both your redirectors and reverse proxied sign-in pages.

: lures edit 0 og_title "Download RESUME.pdf"
: lures edit 0 og_desc "Download your file securely - click to preview"
: lures edit 0 og_image
: lures edit 0 og_url

Here is a quick overview of all the options:

og_title: Title (up to 60 characters). Example: Evilginx 2.4 - Gone Phishing
og_desc: Description (up to 160 characters). Example: "Gone Phishing" 2.4 update to your favorite phishing framework is here. May the phishing season begin!
og_image: Preview image URL (recommended 1200 x 630)
og_url: URL visible on the preview
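Because the og_url shown in a preview is set independently of the host that serves the page, a link-analysis step can compare the two. The following is an added example, not Evilginx code: it extracts standard OpenGraph `og:url` meta tags from fetched HTML and reports any whose host differs from the serving host. The sample HTML, URLs and function names are constructed, and the two-label domain comparison is a simplification of a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the page is served from one host while its preview
# metadata advertises another.
FETCHED_URL = "https://docs.lure-host.example/downloads/RESUME.pdf"
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Download RESUME.pdf">
<meta property="og:description" content="Download your file securely">
<meta property="og:url" content="https://files.corp.example/RESUME.pdf">
</head><body></body></html>"""


class OGParser(HTMLParser):
    """Collect every <meta property="og:*" content="..."> value on a page."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = (a.get("property") or a.get("name") or "").lower()
        if prop.startswith("og:") and a.get("content"):
            self.og.setdefault(prop, []).append(a["content"])


def site(host):
    """Simplification (assumption): treat the last two DNS labels as the site."""
    return ".".join((host or "").lower().split(".")[-2:])


def og_url_mismatches(fetched_url, html):
    """Return (claimed_host, serving_host) for each og:url on another site."""
    parser = OGParser()
    parser.feed(html)
    serving = urlsplit(fetched_url).hostname
    out = []
    for value in parser.og.get("og:url", []):
        claimed = urlsplit(value).hostname
        if claimed and site(claimed) != site(serving):
            out.append((claimed, serving))
    return out


if __name__ == "__main__":
    print(og_url_mismatches(FETCHED_URL, SAMPLE_HTML))
```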

Information (Notes)

You can also set up some private notes for your lure:

: lures edit 0 info "This is a test lure - do not use on engagements"

Generate URL

When you're done customizing your lure, you can start generating your phishing links, which you'll be sending out in your engagement.


If your lure is not using custom variables through a redirector or js_inject section in your phishlet, you can generate a link simply like this:

: lures get-url 0

If your phishing campaign supports personalized redirectors, together with the ability to pre-fill some sign-in form data, as allowed by the phishlet you're using, you can specify custom variables while generating phishing links.

Let's say your redirector and/or js_inject script makes use of your target email and name:

: lures get-url 0 name="John Doe"

You can escape " characters with \".

The values for defined custom variables will be encrypted into a single GET parameter for the link. The parameter name is always randomly generated and the encrypted value is always unique, even when using the same values multiple times. This ensures that GET parameters cannot be fingerprinted later on as they never provide a static signature.


Understandably, your engagements will require generating dozens, if not hundreds, of personalized phishing links. Evilginx provides a way to generate the links in bulk, all at once.

You can provide an input file with your custom variables in csv or json format.

This is an example csv input file. The first row specifies the variable names as column names and the rows below contain just the values:

email,name,John Doe,Elle,Steven

The same input file in json format would look like the following:

"name":"John Doe"

To import the custom variables from an input file and output the generated links in the terminal, do it like this:

: lures get-url 0 import input.csv


: lures get-url 0 import input.json

It may be more convenient to export the generated links to a file, which is also possible:

: lures get-url 0 import input.csv export targets.txt

Exported output will also include original values as comments, so that you know which link contains what parameters:

; email="" name="John Doe"
; email="" name="Elle"
; email="" name="Steven"


: help lures


Shows all create lures and allows to edit or delete them.

lures
show all create lures
lures <id>
show details of a lure with a given <id>
lures create <phishlet>
creates new lure for given <phishlet>
lures delete <id>
deletes lure with given <id>
lures delete all
deletes all created lures
lures get-url <id> <key1=value1> <key2=value2>
generates a phishing url for a lure with a given <id>, with optional parameters
lures get-url <id> import <params_file> export <urls_file> <text|csv|json>
generates phishing urls, importing parameters from <import_path> file and exporting them to <export_path>
lures edit <id> hostname <hostname>
sets custom phishing <hostname> for a lure with a given <id>
lures edit <id> path <path>
sets custom url <path> for a lure with a given <id>
lures edit <id> redirector <path>
sets an html redirector directory <path> for a lure with a given <id>
lures edit <id> ua_filter <regexp>
sets a regular expression user-agent whitelist filter <regexp> for a lure with a given <id>
lures edit <id> redirect_url <redirect_url>
sets redirect url that user will be navigated to on successful authorization, for a lure with a given <id>
lures edit <id> phishlet <phishlet>
change the phishlet, the lure with a given <id> applies to
lures edit <id> info <info>
set personal information to describe a lure with a given <id> (display only)
lures edit <id> og_title <title>
sets opengraph title that will be shown in link preview, for a lure with a given <id>
lures edit <id> og_des <title>
sets opengraph description that will be shown in link preview, for a lure with a given <id>
lures edit <id> og_image <title>
sets opengraph image url that will be shown in link preview, for a lure with a given <id>
lures edit <id> og_url <title>
sets opengraph url that will be shown in link preview, for a lure with a given <id>