ThePhish: the “most comprehensive” non-commercial phishing email scanner

Emma Woollacott January 19, 2022 at 12:46 PM UTC

Updated: January 19, 2022 12:49 UTC

The developer claims that the tool is more accurate and queries a wider range of utilities than other free and open source rivals

Security researchers have a new open-source phishing email scanning tool that automates the entire scanning process.

Based on TheHive Incident Response Platform, Observable Analytics and Active Response Engine Cortex and Malware Information Sharing Platform (MISP), ThePhish extracts all observable elements from the header and body of a suspicious email and creates a folder on TheHive.

Observables, including IP addresses, email addresses, domains, URLs, and attachments, are then analyzed using Cortex’s hundred or so analyzers, and a verdict is produced based on analysis.

Learn about the latest hacking tools

If the verdict is final, the case is closed and the user automatically notified; if it is a malicious email, the case is exported to MISP for sharing.

If the verdict is inconclusive, the analyst can review the case on TheHive with the results given by various analyzers and make their own appeal.

Threat Intelligence Deficit

The tool was created by Emanuele Galdi, a researcher at Italian cybersecurity firm SecSI, for his master’s thesis, after a review of other open-source and free phishing scanner tools.

“I discovered that none of them offer the possibility to query as many tools as ThePhish, nor to aggregate these results. None of them use threat intelligence either,” he said. The daily sip.

“Some of them only extract part of the indicators of compromise from the email. Some others are not even precise enough when extracting or overlook some essential places where it is possible to find useful information. There are also tools that only offer a dashboard to view the email without analyzing it.

“reasonably accurate”

Galdi says the tool’s verdicts are “reasonably accurate” and that only a small fraction of reports tend to require analyst intervention.

“These are cases in which some [analyzers are] suspicious about one or more information contained in the email, but there is not enough evidence to mark the email as malicious,” he says.

Phishing is available on GitHub. Galdi says that a number of users have forked the repository and he’s had good feedback on it so far.

“I hope this tool can help to waste less and less time on tedious tasks and, perhaps, serve as an example for developing many other anti-phishing tools. Indeed, phishing is the most exploited infection vector for any attack, including ransomware attacks, which bring many organizations to their knees,” he says.

“In conclusion, I think ThePhish is the most complete non-commercial tool, especially thanks to the excellent platforms it uses, namely TheHive, Cortex and MISP.”

RELATED Firefox fixes full-screen notification bypass bug that could have led to convincing phishing campaigns

Comments are closed.