A new open source phishing email analysis tool has been published on GitHub that helps automate the analysis process.
ThePhish was created by Emanuele Galdi, a researcher at the Italian cybersecurity firm SecSI, for his master's degree thesis, after an examination of other open source and free phishing analysis tools.
The Technology Behind ThePhish
ThePhish is built on the incident response platform TheHive, the observable analysis and active response engine Cortex, and the Malware Information Sharing Platform (MISP). ThePhish extracts all observables from the header and body of a suspect email and creates a case on TheHive.
How ThePhish Works
- An attacker starts a phishing campaign and sends a phishing email to a user.
- A user who receives such an email can send that email as an attachment to the mailbox used by ThePhish.
- The analyst interacts with ThePhish and selects the email to analyze.
- ThePhish extracts all the observables from the email and creates a case on TheHive. The observables are analyzed thanks to Cortex and its analyzers.
- ThePhish calculates a verdict based on the verdicts of the analyzers.
- If the verdict is final, the case is closed and the user is notified. In addition, if it is a malicious email, the case is exported to MISP.
- If the verdict is not final, the analyst's intervention is required. The analyst must review the case on TheHive along with the results returned by the various analyzers to formulate a verdict; they can then send the notification to the user, optionally export the case to MISP, and close the case.
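To make the two automated steps of this workflow concrete (observable extraction from the header and body of a forwarded email, and a verdict derived from per-analyzer results), here is an added example in Python. It is not ThePhish's own code: it parses a constructed sample message built with the standard library, pulls out sender addresses, relay IPs, URLs, domains, attachment file names and SHA-256 hashes, and then combines analyzer levels (using Cortex's taxonomy levels info/safe/suspicious/malicious) into a verdict and a "final or needs an analyst" flag. The combination rule is an assumption for illustration, not necessarily the exact logic ThePhish uses.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Cortex analyzer taxonomy levels, from least to most severe.
LEVELS = ("safe", "info", "suspicious", "malicious")


def build_sample_eml() -> bytes:
    """Constructed sample: a phishing-style message assembled with the stdlib so the
    parser below sees a well-formed .eml. Addresses and hosts are placeholders."""
    msg = EmailMessage()
    msg["From"] = '"IT Support" <support@mail.example.net>'
    msg["To"] = "user@example.com"
    msg["Subject"] = "Password reset required"
    msg["Received"] = "from mail.example.net ([203.0.113.45]) by mx.example.com"
    msg.set_content(
        "Your password expires today. Reset it at\n"
        "http://login.example.test/reset?u=42\n"
        "within 24 hours."
    )
    msg.add_attachment(b"hello", maintype="application", subtype="octet-stream",
                       filename="invoice.bin")
    return msg.as_bytes()


def extract_observables(raw_eml: bytes) -> dict:
    """Return observables found in the headers and body of an .eml, sorted per type."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    obs = {k: set() for k in ("mail", "domain", "ip", "url", "hash", "filename")}

    # Header observables: sender-related addresses and relay IPs from Received lines.
    for hdr in ("From", "Reply-To", "Return-Path"):
        for value in msg.get_all(hdr, []):
            _, addr = parseaddr(str(value))
            if addr and "@" in addr:
                obs["mail"].add(addr.lower())
                obs["domain"].add(addr.rsplit("@", 1)[-1].lower())
    for received in msg.get_all("Received", []):
        obs["ip"].update(IPV4_RE.findall(str(received)))

    # Body observables: URLs/domains in text parts, hashes and names of attachments.
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            obs["hash"].add(hashlib.sha256(data).hexdigest())
            if part.get_filename():
                obs["filename"].add(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                url = url.rstrip(".,;)")
                obs["url"].add(url)
                host = urlsplit(url).hostname
                if host:
                    obs["domain"].add(host.lower())
    return {k: sorted(v) for k, v in obs.items()}


def compute_verdict(analyzer_reports: dict) -> tuple:
    """analyzer_reports maps an observable to the list of levels its analyzers returned.
    Returns (verdict, is_final). Assumed rule: any 'malicious' result closes the case as
    malicious; only 'safe'/'info' results close it as safe; a 'suspicious' result without
    a 'malicious' one is not final and is handed to the analyst."""
    levels = {lvl for reports in analyzer_reports.values() for lvl in reports}
    unknown = levels - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown taxonomy level(s): {sorted(unknown)}")
    if "malicious" in levels:
        return "malicious", True
    if "suspicious" in levels:
        return "suspicious", False
    return "safe", True


if __name__ == "__main__":
    found = extract_observables(build_sample_eml())
    for kind, values in found.items():
        print(f"{kind:9s} {values}")
    # Constructed analyzer output for the sample's URL and attachment hash.
    reports = {found["url"][0]: ["suspicious"], found["hash"][0]: ["safe", "info"]}
    print("verdict:", compute_verdict(reports))
```

In a real deployment the `analyzer_reports` input would be filled from the analyzer jobs Cortex ran on each observable, and a non-final verdict is exactly the point at which the case stays open on TheHive for the analyst described in the last step above.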
If you want to try ThePhish, you can use the provided Docker template, which is a modified version of one of the Docker templates provided by TheHive Project that also allows creating a ThePhish container.
To install ThePhish using Docker and Docker Compose, please refer to this guide.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities goes beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.