You can now get a better handle on your organization’s exposure to phishing attacks: Metasploit Pro now gives you quick insight on risks and advice on how to reduce them. With today's new release version 4.5, Metasploit Pro's social engineering features are no longer just for penetration testers but add a lot of value for more generalist security professionals. A handful of our customers already tested these new capabilities in a technical preview and were very excited about the experience, all rating it between 8 and 9 out of 10 points.


With Metasploit 4.5, you can control your organization’s phishing exposure in three easy steps:

  1. Go Phish: Simulate a phishing attack to get a fast overview of your risk exposure.
  2. Identify weaknesses: Spot where your organization is the most vulnerable.
  3. Control risks: Provide targeted security awareness training and tweak technical controls.


Phishing is often the initial attack vector of a data breach, for example in the recent South Carolina Department of Revenue data breach. You may already be conducting end-user trainings and implementing technical security controls to protect your data. However, do you know how widely your organization is exposed to phishing and which countermeasures actually reduce risk?


Metasploit Pro now lets you measure the effectiveness of both security awareness trainings and technical security controls, and provides metrics and recommendations for each step in the chain of compromise. For example, a click-through on an email points to a lack of security awareness, whereas an exploited browser indicates a technical problem. Reports contain both overview statistics and details about the risk level of each user and host.


[Image: Metasploit social engineering – manage campaigns]

You can direct users who fell for the simulated phishing email to an online training, where they can learn to spot and correctly handle phishing emails in the future. Alternatively, administrators can consult the Metasploit social engineering report to follow up with individuals by email or in person.


Attackers often set up fake websites for phishing. With Metasploit Pro, you can easily clone a website – just enter the URL. Metasploit automatically changes forms to capture user input and, if desired, adds client-side exploits. You can also test end-user security awareness by creating malicious files on USB flash drives that can be left in the company parking lot or restrooms as bait. Metasploit’s social engineering functionality can also be used in penetration testing engagements to compromise one or more computers as a starting point for a more comprehensive security assessment. If you are a penetration tester familiar with Metasploit's social engineering campaigns, you will be very happy about the usability improvements we've added in this release.


Unlike alternative penetration testing solutions, Metasploit Pro’s social engineering reports provide conversion rates at each step in the campaign funnel, such as how many people clicked through a phishing email, how many entered a username and password on a fake website, and how many systems were compromised. Only Metasploit provides advice on how to address risk at each step in the social engineering funnel.
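As an added illustration of the funnel metrics and per-step interpretation described above (example code written for this article, not Metasploit Pro's own reporting logic or data format), the script below computes conversion rates for each campaign step from a constructed event list and tags each user with the kind of gap that step points to: a click-through is an awareness finding, an exploited host is a technical-control finding. The event format, stage names and user/host names are assumptions for the example.

```python
# Constructed sample campaign events (not Metasploit output), one per line:
# "<stage>,<user>,<host>". Stages mirror the funnel described in the post:
# sent -> clicked -> submitted_credentials / exploited.
EVENTS = """\
sent,alice,ws-01
sent,bob,ws-02
sent,carol,ws-03
sent,dave,ws-04
clicked,alice,ws-01
clicked,bob,ws-02
clicked,dave,ws-04
submitted_credentials,alice,ws-01
exploited,bob,ws-02
"""

STAGES = ["sent", "clicked", "submitted_credentials", "exploited"]

def parse_events(text):
    """Group the users seen at each funnel stage (a user counts once per stage)."""
    users_by_stage = {stage: set() for stage in STAGES}
    for line in text.strip().splitlines():
        stage, user, _host = line.split(",")
        users_by_stage[stage].add(user)
    return users_by_stage

def funnel_metrics(users_by_stage):
    """Count per stage and conversion rate relative to the emails sent."""
    sent = len(users_by_stage["sent"])
    metrics = {}
    for stage in STAGES:
        count = len(users_by_stage[stage])
        rate = round(count / sent, 2) if sent else 0.0
        metrics[stage] = {"count": count, "rate_of_sent": rate}
    return metrics

def classify_users(users_by_stage):
    """Tag each recipient with the gap each reached step indicates.
    A user can carry several tags: an exploited browser implies a click too."""
    findings = {}
    for user in sorted(users_by_stage["sent"]):
        tags = []
        if user in users_by_stage["clicked"]:
            tags.append("awareness")              # clicked the lure: training
        if user in users_by_stage["submitted_credentials"]:
            tags.append("credential_disclosure")  # typed a password: training
        if user in users_by_stage["exploited"]:
            tags.append("technical_control")      # host exploited: patch/config
        findings[user] = tags
    return findings

if __name__ == "__main__":
    stages = parse_events(EVENTS)
    for stage, m in funnel_metrics(stages).items():
        print(f"{stage:22s} {m['count']:3d}  {m['rate_of_sent']:.0%}")
    for user, tags in classify_users(stages).items():
        print(user, tags or ["no_action"])
```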


While some phishing simulation services can only measure user awareness, Metasploit Pro can also measure the effectiveness of technical controls. If desired, phishing web pages or email attachments can contain exploits that test patch levels, security configurations, and network-based defenses.


Here's what Shane Clancy, Principal at Crosslin Technology, said about the new release after they tested it as part of the tech preview:


“Within the world of information security, it is well understood that prevention is less expensive than recovery from a compromise. What doesn’t appear to be as clearly understood is the return on an investment for something like Metasploit. Instead of spending money and valuable time on an array of tools that will indicate that vulnerabilities might exist within an environment, it is possible to actually validate which weaknesses truly exist and begin the remediation process with a single software package. As an example, phishing messages are often attack vectors used by attackers and are frequently the subject of annual information security training – yet they still continue to prove effective for the attackers. Metasploit allows Crosslin Technologies to provide our customers with real-world examples of how attacks, including phishing, are executed against their environments and moves the remediation approach from an academic subject in an annual training presentation to tangible lessons learned.


“When information security is viewed as a means to manage an organization’s risk, as opposed to simply meeting minimum compliance standards, the value presented by Metasploit and its ability to enable measurable change in the security posture of an organization is unmistakable.”


Want to measure how vulnerable your organization is to phishing attacks? Download the fully featured Metasploit Pro trial and run a phishing campaign today - you'll get the results within a couple of hours of sending out the emails!


Today's Metasploit 4.5.0 release also includes 95 new exploits, 72 new auxiliary modules, and 13 new post modules over the 4.4.0 release, for a grand total of 180 new modules, all of which are available in all Metasploit editions and detailed in the release notes.