Contact
How-To Articles

ThePhish : Open Source Automated Analysis & Detection Platform Demo Video

Daniel Bender

2 min read
ThePhish - An Open Source Automated Detection and Analysis Platform
ThePhish - An Open Source Automated Detection and Analysis Platform

Click Image to Start Video - ThePhish Automated Phishing Detection
Click Image to Start Video - ThePhish Automated Phishing Detection

CORRECTION: After I did the Video, no retries, caught a slight error. TheHive and Cortex MISP entries in some files were not "LOCALHOST" they were the hostname of the docker container only reached within the Docker Network. "THEHIVE" and "CORTEX" & MISP respectively. You get the point though. :)

💡
Setup Tip - If you use a GMAIL account, as ThePhish works best with it the designer claims.. Create a simple mail rule using the following. In the from field type "-yourdomain.com" and then set it to delete. This simple rule essentially tells Gmail to only allow email through to the Inbox with your domain, and delete everything else. ThePhish only lists emails with .eml attachments anyways, but to protect the account from spam and clutter this is a very nice little easy way to do it for a free email account.

I had a little fun creating a short demo video of "ThePhish", an Open Source brilliant project that utilizes TheHive, Cortex, and MISP along with some brilliant Python code to make it magical! All packages are in a nice and convienient docker container stack.

Now, I did have to do some coding changes/hacks, as it natively really only works out of the box on the same box/pc as "LOCALHOST". You cannot get it to reach the separate docker containers for TheHive, Cortex and MISP properly, and have to modify a number of files. I even had to modify the index.html, which is the official start page of the ThePhish. I go over some of this quick in the demo.

We use this as a second source of truth, and fully automated way to help other techs and even more experienced users have a quick, simple and automated way to analyze either a quarantined phishing email. Where lets say the user swears its legit, and you just want to quickly extract, and then scan a ton of embedded Observables in the .EML file, against many a 3rd party platforms via the cortex connectors.

Not everybody wants to dig in to the details. This is a great simple way. The user saves a .EML file from their Email Security Platform, or directly from outlook or other email client. Attach it to an email, send it to your dedicated GMAIL address in this case. ThePhish is configured to use GMAIL's app password feature, and checks the newest email submissions and strips the .EML attachment and starts analyzing it.

When the analysis starts, it emails a notification it has started. Then you can watch it live in the main page feed, or head over to TheHive to see really detailed results as it comes in.

When its done, it emails a final verdict and emails a response back. "Safe", "Suspicious" or "Malicious / True Positive".

Enjoy the video, and let me know what you think!