
In the course of a pentesting audit, you often have to simulate phishing attacks. This article provides a step-by-step guide to deploying the infrastructure for such a simulation. You will learn how to create a mail server from scratch, install and configure the Evilginx reverse proxy, and then integrate it with the Gophish phishing framework. At the end, a practical example of a phishing attack is presented: you will intercept the login, password, and session cookies and consequently bypass two-factor authentication.