Inspiration

Currently, there are no existing automated social engineering tools out there using the Model Context Protocol (MCP). Our team initially had our eyes on automated vulnerability testing such as fuzzing, network scanning, etc.; however, 98% of hacks are due to social engineering! So our focus went to the reason why the vast majority of hacks occur.

What it does

PhishProof takes in the name of your company, what industry you're in, and what sort of phishing methods you are trying to emulate. From there, it finds employees that will be vulnerable to the type of attack employed. For example, hackers who want your financial data are more likely to social engineer your company's financial analysts than its human resources reps. Using the Perplexity MCP Server, we scrape the most important details of the employee, including their role, who they report to, and contact information such as email and phone number. We generate a phishing email tailored to that employee and wait to see if they follow through on the attempt. All this information is logged so the penetration tester can see which employees are most vulnerable to a phishing attempt, so that a company can better train its employees on how to avoid social engineering.

How we built it

We used a FastAPI MCP client, which interacts with the Perplexity MCP server, paired with Node.js. The input is taken from the front end (domain, name of the company, use cases, etc.) and then passed into the Perplexity MCP, where it gathers employee data. From there, emails are automatically generated, custom-tailored to the use case of that employee. Employee clicks are tracked and displayed.

Challenges we ran into

Getting the client to work was the most difficult part. We were able to get the LinkedIn MCP server to run; however, we did not have time to integrate it. We also tried the Apollo MCP server, as well as other MCP servers, to get more data on employees.

Accomplishments that we're proud of

We're particularly proud of being the first to create an automated social engineering tool using MCP, bringing a novel approach to vulnerability assessment. Our technical achievements include the successful implementation of a robust MCP client-server architecture with comprehensive error handling and recovery mechanisms. The system's ability to integrate multiple data sources for comprehensive analysis while maintaining an intuitive chatbot interface has been a significant accomplishment. We've created a platform that not only identifies vulnerabilities but also provides clear, actionable insights with comprehensive logging and reporting capabilities.

What we learned

The development of PhishProof provided valuable insights across multiple domains. We gained a deep understanding of MCP architecture and implementation, along with best practices for browser automation and web scraping. The project enhanced our knowledge of common social engineering attack vectors and employee vulnerability patterns, particularly in understanding industry-specific security concerns. From a project management perspective, we learned the importance of modular architecture, the value of comprehensive error handling, and the critical need for clear documentation in complex systems.

What's next for PhishProof

We want to add multiple MCP servers to get more context about employees to better represent what a targeted phishing attack could look like. The user experience will be improved through customizable phishing scenarios and interactive training modules, while the platform's integration capabilities will be expanded through API endpoints and support for additional data sources. These developments will help PhishProof evolve into a comprehensive social engineering testing platform that helps organizations better understand and mitigate their human security vulnerabilities.
