Phishing, and particularly spear phishing, is a major security concern, however it is often not taught in any detail on security courses. We have developed a framework in which students can try to perform phishing attacks against a simulated company. On this VM the students find a website for a fictional company (with employee details), an e-mail client and common tools used for phishing. A script in the VM processes every e-mail sent by the student and uses rules to decide if they have produced a realistic spear phishing e-mail. If the e-mail passes this test then any attached executable, or any macros in office documents will be run. Hence, the students need to both craft a successful phishing e-mail and a payload. The VM is free to use, please e-mail me with any questions you might have.