ThePhish: ‘the most complete’ non-commercial phishing email analysis tool

Developer says tool is more precise and queries a wider range of utilities than other free and open source rivals

Security researchers have a new open source phishing email analysis tool at their disposal that automates the entire analysis process.

Based on incident response platform TheHive, observable analysis and active response engine Cortex, and Malware Information Sharing Platform (MISP), ThePhish extracts all observables from the header and body of a suspect email and creates a case on TheHive.

The observables, including IP addresses, email addresses, domains, URLs, and file attachments, are then analyzed using the hundred-odd analyzers in Cortex, and a verdict is produced based on the analysis.

Read more on the latest hacking tools

If the verdict is final, the case is closed and the user automatically notified; if it's a malicious email, the case is exported to MISP to be shared.

If the verdict is inconclusive, the analyst can review the case on TheHive along with the results given by various analyzers and make their own call.

Threat intel deficit

The tool was created by Emanuele Galdi, a researcher at Italian cybersecurity firm SecSI, for his master’s degree thesis, after an examination of other open source and free phishing analysis tools.

“I discovered that none of them offers the possibility to query as many tools as ThePhish does, nor aggregate those results. None of them makes use of threat intelligence either,” he tells The Daily Swig.

“Some of them only extract part of the indicators of compromise from the email. Some others are even not precise enough during the extraction or overlook some essential locations where it is possible to find helpful information. There are also tools that only offer a dashboard to visualize the email without analyzing it.”

‘Reasonably accurate’

Galdi says the tool’s verdicts are “reasonably accurate”, and that only a small fraction of the reports tend to require the intervention of an analyst.

“These are cases in which some [analyzers are] suspicious about one or more pieces of information contained in the email, but there is not enough evidence to mark the email as a malicious one,” he says.

ThePhish is available on GitHub. Galdi says that a number of users have forked the repository, and that he’s had good feedback on it so far.

“I hope this tool can help waste less and less time on tedious tasks and, maybe, be used as an example to develop many other tools to fight phishing. Indeed, phishing is the most exploited infection vector for any attack, including ransomware attacks, which are bringing many organizations to their knees,” he says.

“In conclusion, I think that ThePhish is the most complete non-commercial tool out there, also thanks to the great platforms it makes use of, which are TheHive, Cortex, and MISP.”

RELATED Firefox fixes fullscreen notification bypass bug that could have led to convincing phishing campaigns