Open-Awesome
© 2026 Open-Awesome. Curated for the developer elite.

emalderson/thephish

License: AGPL-3.0 · Language: Python

An automated phishing email analysis tool that extracts observables, integrates with TheHive/Cortex/MISP, and calculates verdicts.


What is emalderson/thephish?

ThePhish is an automated phishing email analysis tool that processes suspicious emails forwarded by users. It extracts observables like URLs and domains, analyzes them using integrated security platforms (TheHive, Cortex, MISP), and provides a verdict to help security teams respond quickly. It automates the tedious parts of phishing investigation, reducing manual effort.

Target Audience

Security analysts, SOC teams, and IT security professionals who need to process and analyze phishing emails at scale. It's ideal for organizations using or willing to deploy TheHive, Cortex, and MISP in their security operations.

Value Proposition

Developers choose ThePhish because it provides a complete, open-source automation pipeline for phishing analysis, integrates seamlessly with popular security tools, and offers a user-friendly web interface. It reduces analysis time and ensures consistent processes compared to manual methods.

Overview

ThePhish: an automated phishing email analysis tool

Use Cases

Best For

  • Automating the triage and analysis of phishing emails reported by employees
  • Integrating phishing analysis into an existing TheHive/Cortex/MISP security stack
  • Reducing manual effort for SOC teams handling high volumes of phishing reports
  • Creating a self-hosted, automated phishing analysis workflow without commercial tools
  • Sharing phishing indicators with threat intelligence platforms via MISP
  • Building a customizable phishing analysis pipeline with configurable whitelists and analyzers

Not Ideal For

  • Organizations without an existing TheHive, Cortex, or MISP deployment, due to the significant setup and integration overhead
  • Teams needing quick, one-off analysis of phishing emails without a full automation pipeline or security stack
  • Environments requiring fully automated verdicts with zero manual analyst intervention, as suspicious cases need review
  • Security operations focused on non-email threats like SMS phishing or social media scams, since it's email-specific

Pros & Cons

Pros

End-to-End Automation

Automatically extracts observables from emails, submits them to Cortex analyzers, and calculates a verdict, streamlining the entire phishing analysis workflow as shown in the detailed implementation diagram.

Deep Security Stack Integration

Seamlessly creates cases in TheHive, leverages Cortex for analysis, and exports findings to MISP, fitting directly into existing SOC pipelines without extra steps.

Flexible Whitelist Management

Supports exact matching and regex for various observable types, including domains in subdomains and URLs, allowing precise control over false positive reduction as demonstrated in the whitelist.json example.

Interactive Web Interface

Provides real-time progress updates via WebSocket and allows analysts to intervene for inconclusive cases, balancing automation with oversight through the GUI shown in the demo screenshots.

Cons

Heavy Dependency Stack

Requires operational instances of TheHive, Cortex, MISP, and an IMAP email service, making the system brittle if any component fails or isn't properly configured.

Analyzer Configuration Complexity

Many Cortex analyzers need API keys or paid subscriptions, or have bugs that require manually adjusting their level in ThePhish's configuration files, as the project acknowledges in the 'Configure the analyzers' section.

Manual Code Patching Required

Users must manually add the run_responder function to TheHive4py, as stated in the installation guide; this hand-patching is error-prone and may break when the dependency is updated.

Quick Stats

  • Stars: 1,348
  • Forks: 200
  • Contributors: 0
  • Open issues: 12
  • Last commit: 1 year ago
  • Created: 2021

Tags

flask, security-automation, indicators-of-compromise, python, threat-intelligence, docker, malware, email-security, phishing, detection, cybersecurity, email, incident-response, misp

Built With

  • Docker Compose
  • Python
  • Flask
  • Docker
  • Bootstrap

