ThePhish: an Automated Open-Source Phishing Email Analysis Platform / Galdi, E.; Perrone, G.; Romano, S. P. - vol. 3260 (2022), pp. 76-101. (Paper presented at the 6th Italian Conference on Cybersecurity, ITASEC 2022, held in Italy in 2022.)
ThePhish: an Automated Open-Source Phishing Email Analysis Platform
Galdi E.; Perrone G.; Romano S. P.
2022
Abstract
Phishing, and phishing emails in particular, is becoming the most pervasive cyberattack and the most widely used infection vector. As a consequence, SOCs, CERTs and CSIRTs are overwhelmed by the number of emails they need to analyze every day, the majority of which are false positives. Analyzing these emails manually is a huge waste of effort, so finding approaches to fully or at least partially automated analysis is crucial. This work presents ThePhish, an open-source phishing email analysis platform capable of automating the entire email analysis process, from the extraction of observables from the header and body of the email to the production of a verdict, which is final in most cases. The framework leverages the capabilities of established open-source projects, namely MISP, TheHive and Cortex, to filter out a significant number of false positives. If ThePhish is sure of the maliciousness of an email, it scores it as "malicious". Sometimes, however, an email can only be considered suspicious and needs further analysis; in these cases, ThePhish offers several features that allow analysts to speed up the analysis process and obtain further details on the suspicious email.
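The pipeline the abstract describes (observables pulled from the header and body, a whitelist to cut false positives, per-observable analyzer results collapsed into one verdict) is small enough to sketch end to end. The following is an added example written for this page, not ThePhish's own code: the `.eml` message, the `WHITELIST` of the organisation's own domain and the `SAMPLE_RESULTS` analyzer output are all constructed, and the verdict rule (any "malicious" result is final, any "suspicious" result hands the email to an analyst, otherwise safe) is this example's policy, using the Cortex taxonomy level names, not necessarily ThePhish's exact decision logic.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample message (not a real phishing email; names and addresses
# use reserved example domains and the 203.0.113.0/24 documentation range).
SAMPLE_EML = b"""\
Received: from mail.relay.example (mail.relay.example [203.0.113.7])
\tby mx.corp.example (Postfix) with ESMTP id ABC123
\tfor <victim@corp.example>; Mon, 07 Mar 2022 10:12:31 +0000
From: "IT Support" <helpdesk@corp-example-login.com>
To: victim@corp.example
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://corp-example-login.com/reset
or https://203.0.113.99/login before 17:00. Questions: helpdesk@corp.example

--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Assumed whitelist of the organisation's own domains (made up for this example):
# observables under these domains are dropped before any analyzer runs.
WHITELIST = {"corp.example"}


def _is_whitelisted(name: str) -> bool:
    return name in WHITELIST or any(name.endswith("." + w) for w in WHITELIST)


def extract_observables(raw: bytes) -> dict:
    """Extract ip/domain/url/mail/hash/filename observables from a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    obs = {k: set() for k in ("ip", "domain", "url", "mail", "hash", "filename")}

    # Header observables: sender address and domain, relay IPs from Received headers.
    for addr in msg["From"].addresses:
        obs["mail"].add(addr.addr_spec)
        obs["domain"].add(addr.domain)
    for received in msg.get_all("Received", []):
        obs["ip"].update(IPV4_RE.findall(str(received)))

    # Body observables: URLs (and their hosts, split into IP vs. domain) and addresses.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        obs["url"].add(url)
        host = urlsplit(url).hostname or ""
        (obs["ip"] if IPV4_RE.fullmatch(host) else obs["domain"]).add(host)
    for mail_addr in MAIL_RE.findall(text):
        obs["mail"].add(mail_addr)
        obs["domain"].add(mail_addr.rsplit("@", 1)[1])

    # Attachment observables: file name and SHA-256 of the decoded content.
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        obs["filename"].add(part.get_filename() or "")
        obs["hash"].add(hashlib.sha256(data).hexdigest())

    # False-positive reduction: drop the organisation's own domains and addresses.
    obs["domain"] = {d for d in obs["domain"] if not _is_whitelisted(d)}
    obs["mail"] = {m for m in obs["mail"] if not _is_whitelisted(m.rsplit("@", 1)[1])}
    return {k: sorted(v) for k, v in obs.items()}


# Cortex taxonomy levels, ranked from least to most severe.
LEVEL_RANK = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}


def verdict(analyzer_results) -> str:
    """Collapse (observable, analyzer, level) results into one verdict.

    Example policy: any 'malicious' result makes the verdict final, any
    'suspicious' result escalates to an analyst, otherwise the email is safe.
    """
    worst = max((LEVEL_RANK.get(level, 0) for _, _, level in analyzer_results), default=0)
    if worst == LEVEL_RANK["malicious"]:
        return "malicious"
    if worst == LEVEL_RANK["suspicious"]:
        return "suspicious"
    return "safe"


# Constructed analyzer output for the observables above (analyzer names are illustrative).
SAMPLE_RESULTS = [
    ("203.0.113.7", "AbuseIPDB", "safe"),
    ("corp-example-login.com", "MISP", "malicious"),
    ("https://203.0.113.99/login", "VirusTotal", "suspicious"),
]

if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_EML).items():
        print(f"{kind:9s} {values}")
    print("verdict:", verdict(SAMPLE_RESULTS))
```

Note that the whitelist removes `helpdesk@corp.example` and its domain from the body observables while keeping the look-alike sender domain `corp-example-login.com`; in a real deployment that filter, together with MISP lookups, is where most of the false-positive reduction happens, and the remaining observables are what get submitted to Cortex analyzers.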