GoPhish#
InfraGuard uses built-in GoPhish path patterns — no profile file required. Standard GoPhish tracking and reporting paths are recognized automatically.
Config#
domains:
phish.example.com:
upstream: "${GOPHISH_UPSTREAM}" # e.g. https://127.0.0.1:3333
profile_type: "gophish"
campaign_token:
enabled: true
token_param: "t"
tokens:
- "${CAMPAIGN_TOKEN_Q1}"
- "${CAMPAIGN_TOKEN_Q2}"
score_on_missing: 0.8
drop_action:
type: "redirect"
target: "https://example.com"See config/examples/phishing-gophish.yaml for the full example.
Built-in Path Patterns#
InfraGuard recognizes these GoPhish path prefixes without a profile file:
/track/*— email open tracking pixel/report— report phishing button handler/static/*— static assets/— campaign landing page
Campaign Tokens#
Embed a token in every email link using GoPhish’s URL template:
https://phish.example.com/?t={{.Token}}&rid={{.RId}}Set {{.Token}} to the value of CAMPAIGN_TOKEN_Q1 in your GoPhish sending profile. Visitors without ?t= score 0.8 — near-certain block with block_score_threshold: 0.7.
For multiple campaigns running simultaneously, add multiple tokens to the tokens list.
HMAC Tokens (Rotating)#
Instead of a static token list, use HMAC so tokens can be rotated without config changes:
campaign_token:
enabled: true
hmac_secret: "${CAMPAIGN_HMAC_SECRET}"
hmac_ttl_seconds: 604800 # 7 days
score_on_missing: 0.8Generate tokens for email links:
infraguard token generate --secret $CAMPAIGN_HMAC_SECRET --ttl 604800Recommended Pipeline Settings#
pipeline:
filter_mode: "scoring"
block_score_threshold: 0.7
enable_replay_filter: false # targets click link once — replay filter breaks this
enable_sandbox_filter: true # critical: blocks Safe Links
enable_enumeration_filter: true
enumeration_unique_path_threshold: 15enable_replay_filter: false is important — GoPhish redirects through multiple paths per target click, and replay detection would block the second request in that chain.