Analyze phishing email using Thephish [100% Working]



Reviewer: Deepak Prasad

Hello learners, in this guide we will analyze a phishing email using ThePhish. ThePhish is an open source, automated phishing email analysis tool. Analysts use it to collect evidence from suspected phishing emails and from the attachments those emails carry. ThePhish analyzes the email and gives a final verdict, and it also allows an analyst to intervene in the analysis if necessary.

ThePhish uses MISP, Cortex and TheHive to analyze a phishing email.

 

Requirements

  • Have Kali Linux installed.
  • Have Python 3.8 installed.
  • Have Docker and Docker Compose installed.
  • Be connected to the internet while you run the analysis (the analyzers query external services).

 

Some important terminologies

MISP

MISP stands for Malware Information Sharing Platform. It is a threat intelligence sharing platform that gives analysts access to indicators of compromise (IoCs) shared by organisations and researchers around the world. MISP is open source and free for anyone to use. The IoCs used when analyzing a phishing email come from both commercial and open source feeds.

 

Cortex

Cortex is the analysis engine in which the analyst analyzes observables. It is driven through a web user interface. The advantage of Cortex is that it bundles many analyzers in one place, so all of them can be used to analyze a phishing email; it also provides responders, such as the Mail responder ThePhish uses to send the verdict back to the user.

 

TheHive

TheHive is a free, open source incident response platform designed to ease the work of security practitioners. It tracks security incidents (cases) that need to be investigated and acted upon quickly.

 

Installing Thephish with Docker and Docker Compose

First clone ThePhish from its official GitHub repository into the folder of your choice:

$ git clone https://github.com/emalderson/ThePhish.git

Once the clone is complete, change into the docker directory of the repository, from which the multi-container application is run.

$ cd ThePhish/docker
$ docker-compose up
NOTE:
If you see many errors from the containers, the cause is usually file ownership on the bind-mounted volumes: the containers run as uid/gid 1000 and cannot write to directories owned by your user. Stop the running application and change the ownership of the files:
$ docker-compose stop

$ sudo chown -R 1000:1000 vol/index vol/data vol/elastic*

If instead docker-compose itself aborts with PermissionError: [Errno 13] Permission denied before any container starts, the problem is different: your user cannot access the Docker daemon socket. Run the commands with sudo, or add your user to the docker group and log in again.

After applying the change, restart the application:

$ docker-compose up

After the restart, configure ThePhish by following the configuration guide in the repository for running ThePhish on Docker. Once the servers and containers ThePhish needs are configured, we are ready to run our first analysis.
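The two things that most often break the docker-compose step above are the ones covered by this pre-flight script: access to the Docker socket, and ownership of the bind-mounted volume directories. It is an added example, not tooling from ThePhish or from this page; it assumes the repository lives at ./ThePhish (override with THEPHISH_DIR) and that the containers run as uid/gid 1000, which is what the chown above implies.

```shell
#!/bin/sh
# Pre-flight checks before `docker-compose up` for ThePhish (added example).
# Assumptions: repository cloned to ./ThePhish (override with THEPHISH_DIR);
# containers run as uid/gid 1000, hence the page's `chown -R 1000:1000`.

# Exit 0 if $1 is a directory owned by uid $2 and gid $3,
# 1 if it is owned by someone else, 2 if it does not exist.
vol_owned_by() {
    dir="$1"; uid="$2"; gid="$3"
    [ -d "$dir" ] || return 2
    [ "$(stat -c '%u:%g' "$dir")" = "$uid:$gid" ]
}

# Exit 0 if the Docker socket exists and the current user can read and write it.
# docker-compose fails with "PermissionError: [Errno 13] Permission denied"
# when this is not the case.
docker_socket_usable() {
    sock="${1:-/var/run/docker.sock}"
    [ -S "$sock" ] && [ -r "$sock" ] && [ -w "$sock" ]
}

# Check every bind-mounted volume directory under $1/vol for owner $2:$3
# (default 1000:1000). Prints a hint per bad directory; exit 0 only if all pass.
check_volumes() {
    compose_dir="$1"; want_uid="${2:-1000}"; want_gid="${3:-1000}"; bad=0
    for vol in "$compose_dir"/vol/index "$compose_dir"/vol/data "$compose_dir"/vol/elastic*; do
        vol_owned_by "$vol" "$want_uid" "$want_gid"
        case $? in
            0) ;;
            1) echo "wrong owner: $vol (run: sudo chown -R $want_uid:$want_gid '$vol')"; bad=1 ;;
            2) echo "missing: $vol (volumes are created on the first docker-compose up)"; bad=1 ;;
        esac
    done
    return $bad
}

# Run both checks; exit 0 when it is safe to run docker-compose up.
thephish_preflight() {
    compose_dir="${1:-ThePhish/docker}"; ok=0
    if docker_socket_usable; then
        echo "docker socket: ok"
    else
        echo "docker socket: not accessible; add your user to the docker group and re-login, or use sudo"
        ok=1
    fi
    check_volumes "$compose_dir" || ok=1
    [ "$ok" -eq 0 ] && echo "preflight passed; run: (cd '$compose_dir' && docker-compose up)"
    return $ok
}

# Only run when a compose directory is given, so the functions can be sourced too.
if [ -n "${THEPHISH_DIR:-}" ]; then
    thephish_preflight "$THEPHISH_DIR" || echo "fix the items above, then retry"
fi
```

Run it as THEPHISH_DIR=ThePhish/docker sh preflight.sh before the first docker-compose up; a missing volume directory on a fresh clone is expected, since Docker creates it on the first start and the chown is only needed afterwards.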

 

Forwarding an email to ThePhish for analysis

The first step is to forward the suspicious-looking email to the mailbox configured on ThePhish; using a Gmail mailbox is recommended. In the image below we are forwarding the suspicious email to the ThePhish mailbox. The forwarded email should be attached in ".eml" format (forward it as an attachment, not inline) to avoid errors during the analysis.

[screenshot]

 

Analyze phishing email on ThePhish

After forwarding the phishing email, the analyst will find it listed on ThePhish, ready for analysis, as shown in the image below. From the ThePhish panel the analyst can start the analysis of the email.

[screenshot]

 

When the analysis begins, you can follow its progress in the log shown on the image below.

In the background ThePhish creates a case on TheHive and extracts the observables that matter for the analysis, i.e. domains, attachments and IP addresses. All the observables are added to the case.
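To make the extraction step concrete, here is an added Python example (not ThePhish's own code) that reads a .eml file and pulls out the kinds of observables described above: sender addresses, relay IP addresses from the Received headers, URLs and their domains from the text bodies, and a SHA-256 hash plus file name for each attachment. The message it parses is constructed inline for the example; the internal-network filter and the regular expressions are this example's own choices.

```python
"""Extract observables from a .eml file (added example, not ThePhish's code).

The sample message below is constructed for the example; the address and
domain names are from the reserved example/documentation ranges."""
import email
import hashlib
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# Relay hops in RFC 1918 or loopback space are not useful observables (assumed filter).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def public_ip(text: str):
    """Yield syntactically valid, non-internal IPv4 addresses found in text."""
    for cand in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(cand)
        except ValueError:        # e.g. 999.1.1.1 matched the regex but is not an address
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            yield str(ip)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_observables(raw: bytes) -> dict:
    """Return sorted lists of observables keyed by TheHive-style data type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    obs = {k: set() for k in ("mail", "ip", "url", "domain", "hash", "filename")}
    # Sender identities: a Reply-To that differs from From is a classic phishing tell.
    for hdr in ("From", "Reply-To", "Return-Path"):
        for value in msg.get_all(hdr, []):
            addr = parseaddr(str(value))[1]
            if addr:
                obs["mail"].add(addr.lower())
    # Relay addresses recorded by each MTA on the way in.
    for received in msg.get_all("Received", []):
        obs["ip"].update(public_ip(str(received)))
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            obs["hash"].add(sha256_hex(data))
            if part.get_filename():
                obs["filename"].add(part.get_filename())
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                url = url.rstrip(".,;")          # drop sentence punctuation glued to the URL
                obs["url"].add(url)
                host = urlparse(url).hostname
                if host is None:
                    continue
                if IPV4_RE.fullmatch(host):
                    obs["ip"].update(public_ip(host))
                else:
                    obs["domain"].add(host.lower())
    return {k: sorted(v) for k, v in obs.items()}


SAMPLE_ATTACHMENT = b"%PDF-1.4 constructed sample, not a real document\n"


def build_sample_eml() -> bytes:
    """Constructed phishing-style message used as input for the example."""
    msg = EmailMessage()
    msg["Received"] = ("from mail.example.net (mail.example.net [203.0.113.5]) "
                       "by mx.example.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000")
    msg["From"] = "IT Support <helpdesk@example.com>"
    msg["Reply-To"] = "verify-account@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your mailbox is almost full"
    msg.set_content(
        "Your mailbox quota is exceeded. Confirm your account within 24h at\n"
        "http://login-update.example.net/verify?id=42 or http://203.0.113.77/o365/.\n")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application", subtype="pdf",
                       filename="Quota-Notice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    import json
    print(json.dumps(extract_observables(build_sample_eml()), indent=2))
```

Point the script at a real forwarded message with extract_observables(open("mail.eml", "rb").read()); the same six data types are what end up as observables on the TheHive case.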

[screenshot]

 

In the case created on TheHive, three tasks are created that drive the analysis (ThePhish notification, ThePhish analysis, ThePhish result). The observables extracted from the suspicious email are attached to the case and will later be exported to MISP.

ThePhish notification - This notifies the user that his or her submission has been received and that the analysis of the email has begun. An example is shown in the image below.

[screenshot]

 

ThePhish result - This task is created once the analysis is over; it holds the final verdict for the analyzed phishing email.

The image below shows an example of the observables and how the configured analyzers classified them.

[screenshot]

 

Once the analyzers have finished, the verdict is calculated. If the final verdict is malicious, all the observables in the email are marked as IoCs. The image below shows an example of an observable found during our analysis.

[screenshot]

 

Creating an event on MISP

The case, together with the observables extracted from the email, is exported as an event in MISP: each observable becomes an attribute of the event, as shown in the image below.
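The two steps just described, computing the verdict from the analyzer results and turning the case into a MISP event, are shown end to end in this added Python example. It is not ThePhish's own code: it assumes analyzer reports have been reduced to Cortex taxonomy entries (level, namespace, predicate, value), takes "worst level wins" as the verdict rule, uses an assumed mapping from TheHive data types to MISP attribute types, and the analyzer names in the sample data are made up.

```python
"""Analyzer results -> verdict -> IoC flags -> MISP event (added example).

Not ThePhish's code. Assumptions: Cortex taxonomy levels drive the verdict
(worst level wins); a malicious verdict marks every observable as IoC, as the
page describes; the data-type mapping and analyzer names are made up."""
from dataclasses import dataclass, field

# Cortex taxonomy levels, ordered from least to most severe.
LEVELS = ("info", "safe", "suspicious", "malicious")

# TheHive observable data type -> (MISP attribute type, MISP category). Assumed mapping.
MISP_ATTR = {
    "ip": ("ip-dst", "Network activity"),
    "domain": ("domain", "Network activity"),
    "url": ("url", "Network activity"),
    "mail": ("email-src", "Payload delivery"),
    "hash": ("sha256", "Payload delivery"),
    "filename": ("filename", "Payload delivery"),
}
# MISP threat_level_id: 1 = high, 2 = medium, 3 = low.
THREAT_LEVEL = {"malicious": 1, "suspicious": 2, "safe": 3}


@dataclass
class Observable:
    data_type: str
    data: str
    taxonomies: list = field(default_factory=list)   # Cortex-style {level, namespace, predicate, value}
    ioc: bool = False

    def worst_level(self) -> str:
        """Most severe level any analyzer assigned; unknown levels are ignored."""
        known = [t["level"] for t in self.taxonomies if t.get("level") in LEVELS]
        return max(known, key=LEVELS.index, default="info")


def compute_verdict(observables) -> str:
    """'malicious' if any observable is, else 'suspicious' if any is, else 'safe'.
    A malicious verdict marks every observable of the case as an IoC."""
    worst = max((o.worst_level() for o in observables), key=LEVELS.index, default="safe")
    verdict = worst if worst in ("suspicious", "malicious") else "safe"
    if verdict == "malicious":
        for o in observables:
            o.ioc = True
    return verdict


def build_misp_event(title: str, verdict: str, observables) -> dict:
    """MISP event payload in the shape the REST API accepts; IoCs get to_ids=True
    so that MISP exports them to detection tools, non-IoCs stay context only."""
    attributes = []
    for o in observables:
        misp_type, category = MISP_ATTR[o.data_type]
        attributes.append({
            "type": misp_type,
            "category": category,
            "value": o.data,
            "to_ids": o.ioc,
            "comment": "; ".join(
                f"{t['namespace']}:{t['predicate']}={t['value']}" for t in o.taxonomies),
        })
    return {"Event": {
        "info": title,
        "threat_level_id": THREAT_LEVEL[verdict],
        "analysis": 2,        # 2 = completed
        "distribution": 0,    # 0 = your organisation only; widen deliberately
        "Attribute": attributes,
    }}


def tax(level, namespace, predicate, value):
    return {"level": level, "namespace": namespace, "predicate": predicate, "value": value}


def sample_observables():
    """Constructed analyzer output for one phishing mail; analyzer names are made up."""
    return [
        Observable("domain", "login-update.example.net",
                   [tax("malicious", "DomainRep", "Detections", "7/90"),
                    tax("info", "DomainAge", "Registered", "3 days ago")]),
        Observable("ip", "203.0.113.77", [tax("suspicious", "IPRep", "Score", "65")]),
        Observable("mail", "verify-account@example.net", [tax("safe", "MailRep", "Spam", "0")]),
        Observable("hash", "0" * 64, [tax("info", "HashLookup", "Known", "no")]),  # placeholder hash
    ]


if __name__ == "__main__":
    import json
    obs = sample_observables()
    verdict = compute_verdict(obs)
    print("verdict:", verdict)
    print(json.dumps(build_misp_event("ThePhish - Your mailbox is almost full", verdict, obs), indent=2))
```

The to_ids flag is the part worth getting right: it is what MISP uses to decide which attributes are pushed out as detection indicators, so a benign sender address that was only in the case for context should not carry it unless the case really was malicious.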

[screenshot]

 

ThePhish then sends an email containing the verdict to the user via the Cortex Mail responder. An example of a verdict email sent by ThePhish is shown below.

[screenshot]

 

The whole process takes no more than about five minutes, so a true positive is reported back quickly, before the attacker has had much time to do damage. ThePhish also displays the final verdict of the analysis in its own panel; the image below is an example of the verdict we got.

[screenshot]

If no suspicious details are found during the analysis, ThePhish marks the email as safe. After the verdict is given, an analyst can still look deeper into the email in question: on the left side of the ThePhish window there are links to Cortex, MISP and TheHive.

 

Conclusion

In the guide above we used ThePhish to analyze a phishing email. ThePhish builds on other open source yet powerful tools (MISP, Cortex and TheHive). It keeps things simple for the user, who only has to forward a suspicious email to ThePhish, and it lets the analyst intervene in the analysis. If the analyst is not satisfied with the final verdict, he or she can reopen the case on TheHive.

Automatic submission of IoCs to MISP enriches the platform with every analysis, and because MISP events can be shared with other organisations, this makes MISP a very powerful tool for email analysis.

 

Kennedy Muthii


He is an accomplished professional proficient in Python, ethical hacking, Linux, cybersecurity, and OSINT. With a track record including winning a national cybersecurity contest, launching a startup in Kenya, and holding a degree in information science, he is currently engaged in cutting-edge research in ethical hacking.


3 thoughts on “Analyze phishing email using Thephish [100% Working]”

  1. └─$ docker-compose up
    WARNING: The http_proxy variable is not set. Defaulting to a blank string.
    WARNING: The https_proxy variable is not set. Defaulting to a blank string.
    Traceback (most recent call last):
      File "/home/xor/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
        httplib_response = self._make_request(
      File "/home/xor/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 398, in _make_request
        conn.request(method, url, **httplib_request_kw)
      File "/usr/lib/python3.10/http/client.py", line 1282, in request
        self._send_request(method, url, body, headers, encode_chunked)
      File "/usr/lib/python3.10/http/client.py", line 1328, in _send_request
        self.endheaders(body, encode_chunked=encode_chunked)
      File "/usr/lib/python3.10/http/client.py", line 1277, in endheaders
        self._send_output(message_body, encode_chunked=encode_chunked)
      File "/usr/lib/python3.10/http/client.py", line 1037, in _send_output
        self.send(msg)
      File "/usr/lib/python3.10/http/client.py", line 975, in send
        self.connect()
      File "/usr/lib/python3/dist-packages/docker/transport/unixconn.py", line 30, in connect
        sock.connect(self.unix_socket)
    PermissionError: [Errno 13] Permission denied

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/home/xor/.local/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
        resp = conn.urlopen(
      File "/home/xor/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
        retries = retries.increment(
      File "/home/xor/.local/lib/python3.10/site-packages/urllib3/util/retry.py", line 550, in increment
        raise six.reraise(type(error), error, _stacktrace)
      File "/home/xor/.local/lib/python3.10/site-packages/urllib3/packages/six.py", line 769, in reraise
        raise value.with_traceback(tb)
      File "/home/xor/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
        httplib_response = self._make_request(
      File "/home/xor/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 398, in _make_request
        conn.request(method, url, **httplib_request_kw)
      File "/usr/lib/python3.10/http/client.py", line 1282, in request
        self._send_request(method, url, body, headers, encode_chunked)
      File "/usr/lib/python3.10/http/client.py", line 1328, in _send_request
        self.endheaders(body, encode_chunked=encode_chunked)
      File "/usr/lib/python3.10/http/client.py", line 1277, in endheaders
        self._send_output(message_body, encode_chunked=encode_chunked)
      File "/usr/lib/python3.10/http/client.py", line 1037, in _send_output
        self.send(msg)
      File "/usr/lib/python3.10/http/client.py", line 975, in send
        self.connect()
      File "/usr/lib/python3/dist-packages/docker/transport/unixconn.py", line 30, in connect
        sock.connect(self.unix_socket)
    urllib3.exceptions.ProtocolError: ('Connection aborted.', PermissionError(13, 'Permission denied'))

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/docker/api/client.py", line 214, in _retrieve_server_version
        return self.version(api_version=False)["ApiVersion"]
      File "/usr/lib/python3/dist-packages/docker/api/daemon.py", line 181, in version
        return self._result(self._get(url), json=True)
      File "/usr/lib/python3/dist-packages/docker/utils/decorators.py", line 46, in inner
        return f(self, *args, **kwargs)
      File "/usr/lib/python3/dist-packages/docker/api/client.py", line 237, in _get
        return self.get(url, **self._set_request_timeout(kwargs))
      File "/home/xor/.local/lib/python3.10/site-packages/requests/sessions.py", line 600, in get
        return self.request("GET", url, **kwargs)
      File "/home/xor/.local/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
        resp = self.send(prep, **send_kwargs)
      File "/home/xor/.local/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
        r = adapter.send(request, **kwargs)
      File "/home/xor/.local/lib/python3.10/site-packages/requests/adapters.py", line 547, in send
        raise ConnectionError(err, request=request)
    requests.exceptions.ConnectionError: ('Connection aborted.', PermissionError(13, 'Permission denied'))

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/bin/docker-compose", line 33, in <module>
        sys.exit(load_entry_point('docker-compose==1.29.2', 'console_scripts', 'docker-compose')())
      File "/usr/lib/python3/dist-packages/compose/cli/main.py", line 81, in main
        command_func()
      File "/usr/lib/python3/dist-packages/compose/cli/main.py", line 200, in perform_command
        project = project_from_options('.', options)
      File "/usr/lib/python3/dist-packages/compose/cli/command.py", line 60, in project_from_options
        return get_project(
      File "/usr/lib/python3/dist-packages/compose/cli/command.py", line 152, in get_project
        client = get_client(
      File "/usr/lib/python3/dist-packages/compose/cli/docker_client.py", line 41, in get_client
        client = docker_client(
      File "/usr/lib/python3/dist-packages/compose/cli/docker_client.py", line 170, in docker_client
        client = APIClient(use_ssh_client=not use_paramiko_ssh, **kwargs)
      File "/usr/lib/python3/dist-packages/docker/api/client.py", line 197, in __init__
        self._version = self._retrieve_server_version()
      File "/usr/lib/python3/dist-packages/docker/api/client.py", line 221, in _retrieve_server_version
        raise DockerException(
    docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))
