Skip to content

dead-plant/ThePhish2

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

66 Commits
.github
.github
 
 
app
app
 
 
pictures
pictures
 
 
.gitignore
.gitignore
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

ThePhish2

ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and based on Flask that automates the entire analysis process starting from the extraction of the observables from the header and the body of an email to the elaboration of a verdict which is final in most cases. In addition, it allows the analyst to intervene in the analysis process and obtain further details on the email being analyzed if necessary. In order to interact with TheHive and Cortex, it uses TheHive4py and Cortex4py, which are the Python API clients that allow using the REST APIs made available by TheHive and Cortex respectively.

OS made-with-python Docker Maintenance GitHub Documentation

Table of contents

Overview

ThePhish2 is a fork of ThePhish by @emalderson. Take a look at the upstream documentation to find more detailed information on how ThePhish works, what it is, and how to use it.

Some useful resources from the original documentation:

The upstream repository also provides installation and configuration guides, which I partially reference in my Setup guide.

How to use

Quick note: this is only a short overview. For a detailed walkthrough, see the upstream usage example.

  1. Forward the suspicious message as a .eml attachment (not inline) to the mailbox monitored by ThePhish2.

2. In your browser, open ThePhish2 and click `List emails` to fetch messages from the mail server via IMAP.

3. Select an email and click `Analyze` to create a TheHive case and run Cortex analyzers.

4. Review the verdict in the UI. If configured correctly, export malicious cases to MISP.

What changed

Code

  • Partially refactored/reorganized for better maintainability
  • Make it work on Python 3.12
  • Updated dependencies to current versions
    • Fixed bugs
    • Addressed multiple security vulnerabilities

Features

  • TheHive 5 support (Upgraded to thehive4py v2)
    • Breaking: thehive4py v2 does not support TheHive 4 or earlier. If you still need TheHive 4 compatibility use the upstream project.
  • IMAP
    • STARTTLS support
    • Automatic switching between TLS and STARTTLS
    • Certificate verification
    • Option to disable certificate verification (not recommended)
  • Other
    • Added the option to disable certificate verification for TheHive API and Cortex API
    • Update versions of code supported analyzers (and remove deprecated ones)

Bug fixes

  • Very slow analysis under certain conditions (exact conditions unknown)

Setup Guide

Installation

Coming soon...

Configuration

Coming soon...

About

Updated version of ThePhish with new features and TheHive5 support

Resources

Readme

License

AGPL-3.0 license

Code of conduct

Code of conduct

Contributing

Contributing
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Python 77.3%
  • JavaScript 14.3%
  • HTML 8.4%