You spent two hours crafting a convincing IT helpdesk pretext. You ship the campaign. The click rate is 2%.
It's not because employees got more savvy. It's because half your emails landed in spam, your tracking pixel was broken so you never saw the opens, and your {{.FirstName}} was actually {{.first_name}} and rendered as a literal string in every recipient's inbox.
I built @hailbytes/phishing-template-linter after the third campaign in a row where this happened.
Lint a directory of templates
```bash
npx @hailbytes/phishing-template-linter ./templates/
```
You get a per-template report of:
- Broken or unknown merge tags
- Missing tracking pixel / link rewrite hooks
- Spam-trigger phrases (the obvious ones, but also Gmail's newer heuristics)
- Deliverability red flags (mismatched display names, suspicious from-domain handling, bare URLs in plaintext)
- Missing or malformed HTML/text alternatives
Use it programmatically
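```javascript
import { readFileSync } from 'node:fs';
import { lint } from '@hailbytes/phishing-template-linter';

// Example path; point this at one of your own templates
const templateHtml = readFileSync('./templates/example.html', 'utf8');
const result = lint(templateHtml);
// Errors fail the campaign launch; warnings get reviewed by a human
if (result.errors.length > 0) process.exit(1);
```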
Wire it into CI
```bash
npx @hailbytes/phishing-template-linter ./templates/ --format=json > report.json
```
Drop that into your campaign-management pipeline and your phishing sims get the same pre-flight guardrails your production code already has.
It's GoPhish-format aware, so the merge-tag rules know about {{.FirstName}}, {{.URL}}, {{.TrackingURL}}, and the rest of the GoPhish template grammar.
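To make the merge-tag rule concrete, here is a small sketch of that kind of check. It is an added example, not the linter's own code: `lintMergeTags`, `fold` and `SAMPLE` are hypothetical names, the field list is taken from GoPhish's documented template variables, and the sample template is constructed.

```javascript
// Added example: minimal merge-tag check for GoPhish-format templates.
// Field names below are GoPhish's documented template variables.
const GOPHISH_VARS = ['RId', 'FirstName', 'LastName', 'Position', 'Email',
  'From', 'TrackingURL', 'Tracker', 'URL', 'BaseURL'];

// Fold a name so first_name, firstname and FirstName compare equal.
const fold = (name) => name.replace(/[^a-z0-9]/gi, '').toLowerCase();
const BY_FOLDED = new Map(GOPHISH_VARS.map((v) => [fold(v), v]));

function lintMergeTags(template) {
  const errors = [];
  const warnings = [];
  const seen = new Set();
  // Find every {{ ... }} action, then judge what is inside it.
  for (const m of template.matchAll(/\{\{\s*([^{}]*?)\s*\}\}/g)) {
    const line = template.slice(0, m.index).split('\n').length;
    const field = /^\.([A-Za-z_][A-Za-z0-9_]*)$/.exec(m[1]);
    if (!field) {
      // {{FirstName}} without the dot, or syntax this sketch does not model
      warnings.push({ line, tag: m[0], message: 'not a simple {{.Field}} tag; review by hand' });
      continue;
    }
    const name = field[1];
    if (GOPHISH_VARS.includes(name)) { seen.add(name); continue; }
    const hint = BY_FOLDED.get(fold(name));
    errors.push({
      line, tag: m[0],
      message: hint ? `unknown field; did you mean {{.${hint}}}?` : 'unknown field',
    });
  }
  if (!seen.has('Tracker') && !seen.has('TrackingURL')) {
    warnings.push({ line: 0, tag: null, message: 'no {{.Tracker}} or {{.TrackingURL}}; opens will not be recorded' });
  }
  return { errors, warnings };
}

// Constructed sample template (not from the project).
const SAMPLE = [
  '<p>Hi {{.first_name}},</p>',
  '<p>Your ticket was updated: <a href="{{.URL}}">view</a></p>',
  '<p>{{ .Postion }} team</p>',
].join('\n');

console.log(JSON.stringify(lintMergeTags(SAMPLE), null, 2));
```

On the sample, the snake_case tag gets a "did you mean" hint, the misspelled one is reported as unknown, and the missing tracker is a warning rather than an error.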
```bash
npm install @hailbytes/phishing-template-linter
```
Source: github.com/hailbytes/phishing-template-linter — MIT licensed. Built as a companion to the HailBytes SAT platform but works standalone with any GoPhish-format templates.