So you decide to spin up a little Amazon VPS and try out a phishing framework on your colleagues. Almost cute in comparison to the infrastructure of a real life national phishing campaign. In the wild, the term 'infrastructure' is used loosely. Malicious phishers compromise a myriad of organisations and use the compromised servers and email accounts to send phishing emails. They mix in bot-nets that are capable of sending emails on their behalf too. It's not just the complicated nature of malicious phishing campaigns that see success, it's the concept of a distributed, ever-changing attack platform - one that is hard to defend against. They are often faced with errors, browser warnings, complaints and have to be agile in order to be effective.

When considering the infrastructure of a campaign at scale, we can learn a lot from nefarious actors. Infrastructure has to be extensive and it has to migrate and redeploy in an instant, sometimes mid-campaign should you encounter a problem. New IP's, new servers, new techniques, new domains, new emails templates are needed on the fly to keep things going.

We can use our expertise to do just this. In fact, we have got things so smooth we found that with AntiPhish we can close down a server, scrub data and migrate mid campaign in about one minute. It is important to think of a phishing campaign as a traditional web service, scaling should incorporate some more traditional elements such as load balancing and redundancy. This can be the difference of your infrastructure assisting you or hindering your campaign.

Here is where it gets interesting when working at scale, often you are presented with the challenge of manually keeping this operation running smoothly. But data security has to keep up with this new desire for scale! The importance of securing dynamic infrastructure remains a priority. The contact details of your staff are normally provided, but are they flying through cloud services in different countries? Data security should be paramount. Conducting phishing assessments is about securing the organisation, not opening it up to unforeseen risks from your contractor or unknown third parties. Often you have no option to bring services in-house to control data protection to a standard you are happy with. Is your phishing simulation using a third party SMTP service? well, you've got to bring that into your control. Do you want analytics for your campaign? well, you've got to bring that technology in-house too. You can only really control the servers under your own roof and it's this approach we have seen to give us the edge in dealing with the legal or data protection concerns in a large organisation. We have got data security to the point we can work with 'OFFICIAL-SENSITIVE' data in our phishing environments.

So we have managed to overcome some of the hurdles associated with phishing at scale, but we have to now consider content. A large campaign could see 100,000 emails going out per week, over several months. Have you considered a small department all receiving the exact same email at the same time? The overall objective of the organisation should steer phishing email designs and creativity. The email's pretext should be aligned with the educational elements in the campaigns too. Here we need to create a large subset of templates and unique, creative content. It's unlikely everyone in your organisation is going to be onboard as well, so content has to pay consideration to the opinions of a larger audience - including sign off from the board.

You have set up a phishing server on some top end infrastructure, obsessed about how you will keep it all safe and secure and made sure your content is top notch... but now it's time to start thinking about email delivery.

Here is where you will find the interesting challenge of strategically delivering several thousand phishing emails. The shortsighted will start to fight against the phishing preventions organisations have used to defend themselves for years, rate limiting, spam folders, email gateways and network proxies will be a challenge. Whitelisting only gets you so far! The challenges you will face can get very technical.

You can add the exceptions to your organisations email policies, but good luck explaining to Spamhaus about the 3000 emails inbound to a government department that are getting blocked. They aren't sympathetic and you will find with scale comes greater problems in this area. We have had to personally befriend and ensure we are on speaking to terms with the biggest names in email filtering to ensure needless blocks and hassles are resolved quickly. This is supplementary to working with a client ensuring their systems are doing what they are supposed too. Sometimes the campaign is fully educational and focussed on awareness so whitelisting can assist the process. Other times we test in a 'blackbox' fashion and without prior whitelisting or data and you really can find many an evening explaining why your version of malware.exe is actually begign and intended to help the company.

When Phishing a small number of people, life is easy. You sent 10 phishing emails and 2 people clicked. Inexperience will trick you into thinking you have a 20% click rate. However larger campaigns require a richer set of metrics. Take the prior scenario as an example, you may have sent 10 emails but only 3 were received, 2 people clicked - the click rate is currently closer to 66%. Now 7 users need emails to be dispatched again. Everything needs to be tracked using a database of interactions. Later we can add additional sources of information to the statistics - proxy logs have been particularly useful in this area to confirm clicks on the office network.

All too often when scaling a campaign people can be tricked into believing the stats without further analysis, this can be quite dangerous and lead you to into a false sense of security or cause an un-needed panic. In a smaller phishing campaign, the results might never leave the same room. At scale consideration for the fact, your data is likely to be interpreted by a host of scientists, psychologists and network administrators. Your Excel spreadsheet will simply not cut it at this point.