Hello learners, in this guide we will analyze a phishing email using ThePhish. ThePhish is an open source phishing email analysis tool. Analysts use it to open a suspected phishing email, collect evidence from the message and its attachments, and reach a final verdict automatically. It also allows an analyst to intervene in the analysis when necessary.
ThePhish builds on MISP, Cortex and TheHive to analyze phishing emails.
- A Linux host (this guide uses Kali).
- Python 3.8 installed.
- Docker and Docker Compose installed.
- An internet connection while the analysis runs, since the analyzers query external services.
Some important terminologies
MISP stands for Malware Information Sharing Platform. It is an open source threat intelligence sharing platform, free for anyone to use, that gives analysts access to indicators of compromise (IoCs) shared by organisations around the world. The IoCs that matter when analyzing a phishing email come from both commercial and open source feeds.
Cortex is the analysis engine in which the observables are analyzed. It has a web user interface, and its advantage is that it brings many analyzers together in one place, so the observables extracted from a phishing email can be checked against many services at once.
TheHive is a free incident response platform designed to ease the work of security practitioners. It handles security incidents that require investigation and a quick response: each submission becomes a case with tasks and observables.
Installing Thephish with Docker and Docker Compose
First clone ThePhish from its official GitHub repository into the folder of your choice:
git clone https://github.com/emalderson/ThePhish.git
When the clone is complete, change to the docker directory inside ThePhish, from where the multi-container application is run:
$ cd ThePhish/docker
$ docker-compose up
The containers run as UID/GID 1000 and need write access to the bind-mounted volume directories under vol/, so stop the stack and change their ownership:
$ docker-compose stop
$ sudo chown -R 1000:1000 vol/index vol/data vol/elastic*
After applying the changes we restart the application.
$ docker-compose up
Once the application is back up, configure it according to the configuration guide that ships with ThePhish for running on Docker (the mailbox ThePhish reads and the analyzers it should run, among other settings). When the servers and containers are configured, you are ready to run your first analysis.
Forwarding an email to ThePhish for analysis
The first step is to forward the suspicious email to the mailbox configured on ThePhish; a Gmail account is recommended. Forward the message as an attachment (an .eml file), not as an inline forward: an inline forward carries only your own headers, whereas the attached .eml preserves the original headers, body and attachments that the analysis needs, and avoids parsing errors. The image below shows a suspicious email being forwarded to the ThePhish mailbox.
Analyze phishing email on ThePhish
After the email is forwarded, the analyst finds it in the ThePhish panel ready for analysis, as shown in the image below, and can start the analysis from there.
When the analysis begins, the progress log of the analysis process can be followed as shown in the image below.
In the background ThePhish creates a case on TheHive and extracts the observables relevant to the analysis, such as domains, IP addresses and attachments, and adds them to the case.
In the case created on TheHive, three tasks are created (ThePhish notification, ThePhish analysis and ThePhish result). The observables extracted from the suspicious email are the ones that will later be exported to MISP.
ThePhish notification - This notifies the user that his or her submission has been received and that the analysis of the email has begun. An example is shown in the image below.
ThePhish result - This is filled in once the analysis is over and holds the final verdict on the email.
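The two steps above, forwarding the suspicious email as an .eml attachment and extracting observables from it, are easy to misread without seeing what actually reaches the mailbox. The following is an added example, not ThePhish's own code: it parses a forwarded message, pulls the original email out of its message/rfc822 attachment, and collects sender addresses and domains, public relay IPs from the Received headers, URLs from the body and the SHA-256 of every attachment. The forwarded message and the phish inside it are constructed for this example; every name, address and IP in them is fictitious, and the private-range filter is a simplification.

```python
"""Extract observables from an email forwarded to a ThePhish-style mailbox.

Added example, not ThePhish's own code. Assumptions: the user forwarded the
suspicious message as an attachment (a message/rfc822 part), and the sample
messages built below are constructed for this example.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# Simplified private/loopback filter: internal relay hops are not useful IoCs.
PRIVATE_PREFIXES = ("10.", "127.", "192.168.")

SAMPLE_ATTACHMENT = b"%PDF-1.4 constructed sample, not a real document\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inner_message(forwarded: EmailMessage):
    """Return (message to analyse, attached_as_eml).

    The original headers only survive when the phish is attached as an .eml;
    an inline forward carries just the forwarder's own headers.
    """
    for part in forwarded.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0), True
    return forwarded, False


def extract_observables(raw: bytes) -> dict:
    outer = email.message_from_bytes(raw, policy=policy.default)
    msg, attached = inner_message(outer)
    obs = {k: set() for k in ("mail", "domain", "url", "ip", "hash")}

    # Sender-side headers: From, Reply-To and Return-Path often disagree in phishing.
    for hdr in ("From", "Reply-To", "Return-Path"):
        for m in ADDR_RE.finditer(msg.get(hdr, "") or ""):
            obs["mail"].add(m.group(0))
            obs["domain"].add(m.group(1).lower())

    # Relay IPs from Received headers, keeping only public ones.
    for received in msg.get_all("Received", []):
        for ip in IPV4_RE.findall(received):
            if not ip.startswith(PRIVATE_PREFIXES):
                obs["ip"].add(ip)

    # URLs from text bodies (plus their hosts) and SHA-256 of every attachment.
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                obs["url"].add(url)
                host = re.sub(r"^https?://", "", url).split("/")[0]
                obs["domain"].add(host.lower())
        elif part.get_content_disposition() == "attachment":
            obs["hash"].add(sha256_hex(part.get_payload(decode=True)))

    result = {k: sorted(v) for k, v in obs.items()}
    result["attached_eml"] = attached
    return result


def build_sample(as_attachment: bool = True) -> bytes:
    """Constructed forward of a constructed phish (all names are fictitious)."""
    phish = EmailMessage()
    phish["From"] = "IT Support <helpdesk@corp-it-support.example>"
    phish["Reply-To"] = "recovery@mailbox-reset.example"
    phish["Return-Path"] = "<bounce@evil-mailer.example>"
    phish["Received"] = ("from mx.evil-mailer.example (203.0.113.45) "
                         "by mail.example.org; Mon, 1 Jan 2024 09:00:00 +0000")
    phish["Received"] = ("from [192.168.1.20] by mx.evil-mailer.example; "
                         "Mon, 1 Jan 2024 08:59:00 +0000")
    phish["To"] = "victim@example.org"
    phish["Subject"] = "Password expires today"
    phish.set_content("Reset it here: http://corp-it-support.example/reset?id=1\n")
    phish.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                         subtype="pdf", filename="notice.pdf")

    fwd = EmailMessage()
    fwd["From"] = "victim@example.org"
    fwd["To"] = "thephish@example.org"
    fwd["Subject"] = "Fwd: Password expires today"
    if as_attachment:
        fwd.set_content("Please analyse this.\n")
        fwd.add_attachment(phish)  # message/rfc822 part; original headers intact
    else:  # inline forward: only the body text survives, the headers do not
        fwd.set_content("---------- Forwarded message ---------\n"
                        + phish.get_body().get_content())
    return fwd.as_bytes()


if __name__ == "__main__":
    for key, values in extract_observables(build_sample()).items():
        print(key, values)
```

Run it once with `build_sample()` and once with `build_sample(as_attachment=False)`: the inline forward loses the Return-Path, Reply-To and Received headers, so the relay IP and the mismatched sender domains never reach the analyzers, which is exactly why ThePhish wants the .eml attached.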
The image below shows an example of the observables and how the already configured analyzers have classified them.
Once the analyzers have finished, the verdict is calculated. If the final verdict is malicious, all the observables in the email are marked as IoCs. The image below shows an example of an observable found during the analysis.
Creating an event on MISP
The case, with its extracted observables now flagged as IoCs, is exported to MISP as an event whose attributes are those observables, as shown in the image below.
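To make the verdict, IoC marking and MISP export concrete, here is an added example that is not ThePhish's own code. Each observable carries the taxonomy levels (info, safe, suspicious, malicious) that its analyzers reported; the worst level across all observables becomes the verdict, a malicious verdict marks every observable as an IoC, and only then is a MISP event built with `to_ids` following the IoC flag. The aggregation rule, the TheHive-to-MISP type mapping, the event field values and the sample reports are all assumptions constructed for this example, not ThePhish's real logic.

```python
"""Aggregate analyzer results into a verdict, flag IoCs and build a MISP event.

Added example, not ThePhish's own code. Assumptions: each analyzer report is
reduced to its taxonomy level (info, safe, suspicious, malicious); the rule
"any malicious -> malicious, else any suspicious -> suspicious, else safe"
stands in for ThePhish's real logic; the MISP mapping and the sample reports
are constructed for this example.
"""
from dataclasses import dataclass, field

LEVELS = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}

# TheHive dataType -> (MISP category, MISP attribute type); constructed mapping.
MISP_TYPES = {
    "ip": ("Network activity", "ip-src"),
    "domain": ("Network activity", "domain"),
    "url": ("Network activity", "url"),
    "mail": ("Payload delivery", "email-src"),
    "hash": ("Payload delivery", "sha256"),
}


@dataclass
class Observable:
    data_type: str                              # ip, domain, url, mail, hash
    data: str
    levels: list = field(default_factory=list)  # one taxonomy level per analyzer report
    ioc: bool = False

    def level(self) -> str:
        """Worst level any analyzer assigned; no reports counts as info."""
        return max(self.levels, key=LEVELS.__getitem__, default="info")


def verdict(observables) -> str:
    worst = max((o.level() for o in observables), key=LEVELS.__getitem__, default="info")
    if worst == "malicious":
        return "malicious"
    if worst == "suspicious":
        return "suspicious"  # the point at which an analyst should step in
    return "safe"


def mark_iocs(observables, final: str):
    """On a malicious verdict every observable of the email becomes an IoC."""
    for o in observables:
        o.ioc = final == "malicious"
    return observables


def misp_event(info: str, observables) -> dict:
    """MISP event in the JSON shape MISP accepts; to_ids follows the IoC flag."""
    attributes = []
    for o in observables:
        category, attr_type = MISP_TYPES[o.data_type]
        attributes.append({"category": category, "type": attr_type,
                           "value": o.data, "to_ids": o.ioc,
                           "comment": f"analyzer level: {o.level()}"})
    # distribution 0 = your organisation only, threat_level_id 1 = high,
    # analysis 2 = completed (constructed defaults for the example)
    return {"Event": {"info": info, "distribution": 0, "threat_level_id": 1,
                      "analysis": 2, "Attribute": attributes}}


def analyse(info: str, observables):
    """Verdict first, then IoC flags, then a MISP event only if malicious."""
    final = verdict(observables)
    mark_iocs(observables, final)
    event = misp_event(info, observables) if final == "malicious" else None
    return final, event


# Constructed reports, as if several Cortex analyzers had run on each observable.
SAMPLE = [
    Observable("domain", "corp-it-support.example", ["safe", "malicious", "suspicious"]),
    Observable("ip", "203.0.113.45", ["suspicious", "info"]),
    Observable("url", "http://corp-it-support.example/reset?id=1", ["info"]),
]
SAMPLE_SAFE = [Observable("domain", "example.org", ["safe", "info"])]

if __name__ == "__main__":
    print(analyse("Password expires today", SAMPLE))
```

Note that a single malicious analyzer report on one observable drags every observable of the email into the IoC set, which is what the page describes for ThePhish; a real deployment would want the suspicious branch to route the case to an analyst rather than silently returning.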
ThePhish then emails the verdict to the user through the Mailer responder in Cortex. An example of such a verdict email is shown below.
The whole process takes no more than five minutes, so the user gets a verdict before acting on the message and, for a malicious email, before the attacker can do damage. In this run the email was indeed malicious and the verdict said so, a true positive. ThePhish also shows the final verdict in its own panel; the image below is the verdict we got.
If nothing suspicious is found, ThePhish reports the email as safe. Even after the verdict is given, an analyst can still look deeper into the email in question: the left-hand side of the ThePhish window has links to Cortex, MISP and TheHive.
In this guide we used ThePhish to analyze a phishing email. ThePhish builds on other open source yet powerful tools (MISP, Cortex and TheHive), makes submission easy for the user who forwards a suspicious email, and still allows the analyst to intervene. If the analyst is not satisfied with the final verdict, the case can be reopened on TheHive.
Automated submission of the IoCs to MISP enriches the shared threat intelligence with every analysis done around the world, which makes MISP a very powerful tool when used for email analysis.