Phishing · social engineering · P_02_PHISHING

Measuring human resilience, without bluffing.

Social-engineering attacks target humans, not machines. We design and deploy realistic phishing campaigns — including AiTM, capable of bypassing two-factor authentication.

Adversary-in-The-Middle

MFA isn't enough anymore. We prove it.

An AiTM (Adversary-in-The-Middle) attack places a proxy between the victim and the legitimate service. The session cookie is captured after full authentication, completely bypassing two-factor authentication.

[Diagram: AiTM attack flow. Nodes: Victim (User); Narok · Carthage (AiTM proxy); Target (Microsoft 365). Steps: ① Clicks phishing link, ② Relays request, ③ Receives cookie, ④ Cookie captured.]

In-house platform

Carthage

CARTHAGE.NAROK.FR

Carthage is the offensive phishing platform developed in-house by Narok. It allows designing, deploying and measuring custom social-engineering campaigns, including large-scale AiTM attacks.

Dedicated domains & SSL
Precise interaction tracking
Automated pre-fetch detection
AiTM · session-cookie capture

Typical scenarios

Campaign examples

Fake invoices

Booby-trapped attachments, accounting scenarios.

Shipping notifications

Spoofed carrier relay, redirection.

Credentials update

MFA renewal, password expiration.

Internal communications

HR, IT or executive impersonation.

Phishing by the numbers

68%
Human factor

Of global breaches involve the human element. Verizon DBIR 2024.

>1M
Phishing pages

Phishing pages identified worldwide in 2024. NC State University.

−40%
Reduced susceptibility

Average reduction in phishing susceptibility after post-campaign awareness training. University of Adelaide.

Si vis pacem, para bellum.

Ensure peace.
Prepare for war.

A partner replies within 48 hours for an initial technical exchange.
