ThePhish: an automated phishing email analysis tool

Last update: Jan 3, 2023

Overview

ThePhish

ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and based on Flask that automates the entire analysis process starting from the extraction of the observables from the header and the body of an email to the elaboration of a verdict which is final in most cases. In addition, it allows the analyst to intervene in the analysis process and obtain further details on the email being analyzed if necessary. In order to interact with TheHive and Cortex, it uses TheHive4py and Cortex4py, which are the Python API clients that allow using the REST APIs made available by TheHive and Cortex respectively.

Overview
ThePhish example usage
- A user sends an email to ThePhish
- The analyst analyzes the email
Implementation
Installation
- Install it using Docker and Docker Compose
- Install it from scratch
Configure the analyzers
Enable the Mailer responder
Use the whitelist
Contribution to TheHive4py
License
Credits

Overview

The following diagram shows how ThePhish works at high-level:

An attacker starts a phishing campaign and sends a phishing email to a user.
A user who receives such an email can send that email as an attachment to the mailbox used by ThePhish.
The analyst interacts with ThePhish and selects the email to analyze.
ThePhish extracts all the observables from the email and creates a case on TheHive. The observables are analyzed thanks to Cortex and its analyzers.
ThePhish calculates a verdict based on the verdicts of the analyzers.
If the verdict is final, the case is closed and the user is notified. In addition, if it is a malicious email, the case is exported to MISP.
If the verdict is not final, the analyst's intervention is required. He must review the case on TheHive along with the results given by the various analyzers to formulate a verdict, then it can send the notification to the user, optionally export the case to MISP and close the case.

ThePhish example usage

This example aims to demonstrate how a user can send an email to ThePhish for it to be analyzed and how an analyst can actually analyze that email using ThePhish.

A user sends an email to ThePhish

A user can send an email to the email address used by ThePhish to fetch the emails to analyze. The email has to be forwarded as an attachment in EML format so as to prevent the contamination of the email header. In this case, the used mail client is Mozilla Thunderbird and the used email address is a Gmail address.

The analyst analyzes the email

The analyst navigates to the web page of ThePhish and clicks on the "List emails" button to obtain the list of emails to analyze.

When the analyst clicks on the "Analyze" button related to the selected email, the analysis is started and its progress is shown on the web interface.

In the meantime, ThePhish extracts the observables (URLs, domains, IP addresses, email addresses, attachments and hashes of those attachments) from the email and then interacts with TheHive to create the case.

Three tasks are created inside the case.

Then, ThePhish starts adding the extracted observables to the case.

At this point the user is notified via email that the analysis has started thanks to the Mailer responder.

The description of the first task allows the Mailer responder to send the notification via email.

After the first task is closed, the second task is started and the analyzers are started on the observables. The analysis progress is shown on the web interface while the analyzers are started.

The analysis progress can also be viewed on TheHive, thanks to its live stream.

Once all the analyzers have terminated their execution, the second task is closed and the third one is started, then ThePhish calculates the verdict. Since the verdict is "malicious", all the observables that are found to be malicious are marked as IoC. In this case only one observable is marked as IoC.

The case is then exported to MISP as an event, with a single attribute represented by the observable mentioned above.

Then, ThePhish sends the verdict via email to the user thanks to the Mailer responder.

Finally, both the task and the case are closed. The description of the third task allows the Mailer responder to send the verdict via email. Moreover, the case has been closed after five minutes and resolved as "True Positive" with "No Impact", which means that the attack has been detected before it could do any damage.

Once the case is closed, the verdict is available for the analyst on the web interface together with the entire log of the analysis progress.

At this point the analyst can go back and analyze another email. The above-depicted case was related to a phishing email, but a similar workflow can be observed when the analyzed email is classified as "safe". Indeed, the case is closed and the verdict is sent via email to the user.

Then, the verdict is also displayed to the analyst on the web interface.

On the other hand, when an email is classified as "suspicious", the verdict is only displayed to the analyst on the web interface.

At this point the analyst needs to use the buttons on the left-hand side of the page to use TheHive, Cortex and MISP for further analysis. This is because the analysis has not been completed yet and so the user is only notified that the analysis of the email that he forwarded to ThePhish has been started. Indeed, the last task and the case have not been closed yet since they need to be closed by the analyst himself once he elaborates a final verdict.

The analyst can view the reports of all the analyzers on TheHive and Cortex and, in case this revealed not to be enough, he could also download the EML file of the email and analyze it manually.

When the analyst terminates the analysis, he can populate the body of the email to send to the user in the description of the last task, start the Mailer responder, export the case to MISP if the verdict is "malicious" by clicking on the "Export" button and then close the case.

Implementation

ThePhish is a web application written in Python 3. The web server is implemented using Flask, while the front-end part of the application, which is the dynamic page written in HTML, CSS and JavaScript, is implemented using Bootstrap. Apart from the web server module, the back-end logic of the application is constituted by three Python modules that encapsulate the logic of the application itself and a Python class used to support the logging facility through the WebSocket protocol. If you want to see a graphical representation of the application logic, click here. Moreover, there are several configuration files used by the aforementioned modules that serve various purposes.

When the analyst navigates to the base URL of the application, the web page of ThePhish is loaded and a bi-directional connection is established with the server. This is done by using the Socket.IO JavaScript library in the web page that enables real-time, bi-directional and event-based communication between the browser and the server. This connection is established with a WebSocket connection whenever possible and will use HTTP long polling as a fallback. For this to work, the server application uses the Flask-SocketIO Python library, which provides a Socket.IO integration for Flask applications. This connection is then used by ThePhish to display the progress of the analysis on the web interface.

Every time the analyst performs an action on the web interface, an AJAX request is sent to the server, which is an asynchronous HTTP request that permits to exchange data with the server in the background and update the page without reloading it. This allows the analyst both to visualize the list of emails to analyze and to make the analysis start.

ThePhish interacts with TheHive and Cortex thanks to TheHive4py and Cortex4py. Moreover, it interacts with an IMAP server to retrieve the emails to analyze.

Installation

Install it using Docker and Docker Compose

Since the installation and configuration of TheHive, Cortex and MISP services from scratch for a production environment may not be extremely straightforward, TheHive Project provides Docker images and Docker Compose templates here to facilitate the installation procedure. For the sake of simplicity, the provided templates are made simple, without providing the full configuration options of each docker image.

If you only want to try ThePhish or you want to have it up and running as fast as possible, you can use the provided Docker Template in the docker folder, which is a modified version of one of the Docker Templates provided by TheHive Project that also allows creating a ThePhish container. To install ThePhish using Docker and Docker Compose, please refer to this guide. I strongly recommend that you install it this way at least the first time you use it so that you can learn the basics and how to configure it with a minimal configuration that should work on the first try. Indeed, the previously linked guide also provides a step-by-step procedure to configure the TheHive, Cortex and MISP instances.

Install it from scratch

This guide refers to the sole installation of ThePhish, which requires:

An up-and-running instance of TheHive
An up-and-running instance of Cortex
An up-and-running instance of MISP
An email address that users can use to send emails to ThePhish
A Linux-based OS with Python 3.8+ installed

In order to install, configure and integrate TheHive, Cortex and MISP instances, please refer to their official documentation:

It is advisable that the email address from which ThePhish fetches the emails to analyze be a Gmail address since it is the one with which ThePhish has been tested the most. It is preferable that the account is a newly created one, with the sole purpose of being used by ThePhish. Here is explained the procedure to activate the app password that is required by ThePhish to connect to the mailbox and fetch the emails.

Once TheHive, Cortex and MISP are configured and listening at a certain URL and the email address is ready to use, you can install and configure ThePhish.

Clone the repository

$ git clone https://github.com/emalderson/ThePhish.git

Create a Python virtual environment and activate it (it is good practice but it is not required)

$ cd ThePhish/app
$ sudo apt install python3-venv
$ python3 -m venv venv
$ source venv/bin/activate

Install the requirements
```
$ pip install -r requirements.txt
```

Add the run_responder() function to the file api.py of TheHive4py

In order to send emails to the user, ThePhish uses the Mailer responder. Since ThePhish uses TheHive4py to interact with TheHive, a function that allows running a responder by its ID is needed. Unfortunately, this function is not part of TheHive4py yet, but a pull request has been made to add it to TheHive4py (#219). While waiting for it to be added, it must be manually added using the following command for ThePhish to work properly (replace the version of Python in the command if you use a different version of Python):

$ (cat << _EOF_


    def run_responder(self, responder_id, object_type, object_id):
        req = self.url + "/api/connector/cortex/action"
        try:
            data = json.dumps({ "responderId": responder_id, "objectType": object_type, "objectId": object_id})
            return requests.post(req, headers={"Content-Type": "application/json"}, data=data, proxies=self.proxies, auth=self.auth, verify=self.cert)
        except requests.exceptions.RequestException as e:
            raise TheHiveException("Responder run error: {}".format(e))
_EOF_
) | tee -a venv/lib/python3.8/site-packages/thehive4py/api.py > /dev/null

Configuration

The file configuration.json is the global configuration file that allows setting the parameters for the connection to the mailbox and to the instances of TheHive, Cortex and MISP. It also allows setting parameters related to the cases that will be created on TheHive.
```
{
	"imap" : {
		"host" : "imap.gmail.com",
		"port" : "993",
		"user" : "",
		"password" : "",
		"folder" : "inbox"
	},
	"thehive" : {
		"url" : "http://thehive:9000",
		"apikey" : ""
	},
	"cortex" : {
		"url" : "http://cortex:9001",
		"apikey" : "",
		"id" : "local"
	},
	"misp" : {
		"id" : "MISP THP"
	},
	"case" : {
		"tlp" : "2",
		"pap" : "2",
		"tags" : ["email", "ThePhish"]
	}
}
```
- In the imap part, if you are using a Gmail address, you only need to set the username used to connect to the IMAP server (which is your email address) and the app password.
- In the thehive part you have to set the URL at which the TheHive instance is reachable and set the API key of the user created on TheHive that ThePhish will use to interact with TheHive.
- In the cortex part you have to set the URL at which the Cortex instance is reachable and set the API key of the user created on Cortex that both ThePhish and TheHive will use to interact with Cortex. Moreover, you have to set the ID given to the Cortex instance.
- In the misp part you only have to set the ID given to the MISP instance.
- In the case part you can set the default TLP and PAP levels for the cases created by ThePhish and also the tags that will be applied to them at their creation.
You can learn how to create a user on TheHive and obtain its API key here or here. Similarly, you can learn how to create a user on Cortex and obtain its API key here or here.

The URLs and the IDs that are set in this file must be the same that are set in the configuration file of TheHive named application.conf. Indeed, this file is used to integrate TheHive with Cortex and MISP. You can learn how to do that for Cortex here or here, while for MISP you can go here or here.

The URLs at which TheHive, Cortex and MISP instances are reachable should also be replaced in the file templates/index.html so that the buttons on the web interface will be able to reach them. To do that, replace the last three href of this portion of code:
```
<ul class="navbar-nav text-light" id="accordionSidebar">
    <li class="nav-item"><a class="nav-link active" href="/" style="max-width: 114px;" target="_blank" rel="noopener noreferrer"><img class="img-fluid" data-bss-hover-animate="bounce" src="../static/assets/img/logo_rounded.png" style="margin-top: 0px;margin-left: 0px;"></a></li>
    <li class="nav-item"><a class="nav-link" href="http://thehive:9000" style="max-width: 114px;" target="_blank" rel="noopener noreferrer"><img class="img-fluid" data-bss-hover-animate="bounce" src="../static/assets/img/thehive.png" style="margin-right: 0px;margin-left: 0px;"></a></li>
    <li class="nav-item"><a class="nav-link" href="http://cortex:9001" style="max-width: 114px;" target="_blank" rel="noopener noreferrer"><img class="img-fluid" data-bss-hover-animate="bounce" src="../static/assets/img/cortex.png" style="transform: translate(0px);"></a></li>
    <li class="nav-item"><a class="nav-link" href="https://misp" style="max-width: 114px;" target="_blank" rel="noopener noreferrer"><img class="img-fluid" data-bss-hover-animate="bounce" src="../static/assets/img/misp.png" style="transform: translate(0px);"></a></li>
</ul>
```
Start the app
```
$ python3 thephish_app.py
```
The server that will be used to run the application is the WSGI server provided by eventlet, since it is listed in the requirements. It is needed for the WebSocket protocol to work and avoid falling back to HTTP long polling. Without eventlet, the default Flask WSGI server (Werkzeug) will be used. If you wish to use another WSGI server (e.g. Gunicorn) or use a reverse proxy (e.g. NGINX), the Flask-SocketIO documentation explains how to do that.

Now the application should be reachable at http://localhost:8080.

⚠️ Warning: If you are using Mozilla Firefox to use ThePhish and for some reason an error message appears during the analysis, the solution may be found here.

Configure the analyzers

ThePhish can start an analyzer or a responder only if it is enabled and correctly configured on Cortex. This part of the documentation explains how to enable them, while this part lists the available analyzers and responders with their configuration parameters. It should be noted that while many analyzers are free to use, some require special access and others necessitate a valid service subscription or product license.

Configure the levels of the analyzers

Each analyzer outputs a report in JSON format that contains a maliciousness level for an observable that can be one of "info", "safe", "suspicious" or "malicious". However, even though the report structure usually follows a convention, this convention is not always respected. Moreover, after the analysis of the code of many analyzers and several tests, some analyzers have been found to contain bugs. For this reason, some tweaks and workarounds have been used either to obtain the maliciousness levels provided by these analyzers anyway or to prevent the application from crashing due to those bugs.

Furthermore, these levels do not always represent the real maliciousness level of an observable. Since this depends on how the analyzers themselves have been programmed, ThePhish comes with another configuration file called analyzers_level_conf.json, with which it is possible to create a mapping between the actual maliciousness levels provided by any analyzer and the levels decided by the analyst. Besides that, this file allows the analyst to choose what are the observable types to which these modifications should be applied. The file needs to follow the structure shown in the example here, using the exact name of the analyzers to configure and with the desired level on the right. If an analyzer is not listed in this file, then the maliciousness levels it provides are left untouched. The file needs to follow the structure shown in the following example, using the exact name of the analyzers to configure and with the desired level on the right. If an analyzer is not listed in this file, then the maliciousness levels it provides are left untouched.

{
	"DomainMailSPFDMARC_Analyzer_1_1" : {
		"dataType" : ["url", "ip", "domain", "mail"],
		"levelMapping" : {
			"malicious" : "suspicious",
			"suspicious" : "suspicious",
			"safe" : "safe",
			"info" : "info"
		}
	},
	"MISP_2_1" : {
		"dataType" : ["url", "ip", "domain", "mail"],
		"levelMapping" : {
			"malicious" : "malicious",
			"suspicious" : "malicious",
			"safe" : "safe",
			"info" : "info"
		}
	},
	"VirusTotal_GetReport_3_0" : {
		"dataType" : ["ip", "domain"],
		"levelMapping" : {
			"malicious" : "info",
			"suspicious" : "info",
			"safe" : "safe",
			"info" : "info"
		}
	}
}

In this example, the level "suspicious" for the MISP_2_1 analyzer is raised to "malicious" since it indicates that some observables in the email being currently analyzed have already been sighted in a previously analyzed email for which the verdict was "malicious". Conversely, the level "malicious" of the DomainMailSPFDMARC_Analyzer_1_1 analyzer is lowered to "suspicious", since many legitimate domains do not have DMARC and SPF records configured. Moreover, the levels "suspicious" and "malicious" given by the VirusTotal_GetReport_3_0 analyzer for IP addresses and domains are lowered to "info" since they have been observed to lead to lots of false positives.

You can add or remove analyzers in this file at your will, but I recommend that you leave the ones that are already present in the file untouched since those modifications have been motivated by many tests performed on a lot of different emails.

Tested analyzers

ThePhish has been tested with the following analyzers:

AbuseIPDB_1_0
AnyRun_Sandbox_Analysis_1_0
CyberCrime-Tracker_1_0
Cyberprotect_ThreatScore_3_0
DomainMailSPFDMARC_Analyzer_1_1
DShield_lookup_1_0
EmailRep_1_0
FileInfo_8_0
Fortiguard_URLCategory_2_1
IPinfo_Details_1_0
IPVoid_1_0
Maltiverse_Report_1_0
Malwares_GetReport_1_0
Malwares_Scan_1_0
MaxMind_GeoIP_4_0
MetaDefenderCloud_GetReport_1_0
MISP_2_1
Onyphe_Summary_1_0
OTXQuery_2_0
PassiveTotal_Enrichment_2_0
PassiveTotal_Malware_2_0
PassiveTotal_Osint_2_0
PassiveTotal_Ssl_Certificate_Details_2_0
PassiveTotal_Ssl_Certificate_History_2_0
PassiveTotal_Unique_Resolutions_2_0
PassiveTotal_Whois_Details_2_0
PhishTank_CheckURL_2_1
Pulsedive_GetIndicator_1_0
Robtex_Forward_PDNS_Query_1_0
Robtex_IP_Query_1_0
Robtex_Reverse_PDNS_Query_1_0
Shodan_DNSResolve_1_0
Shodan_Host_1_0
Shodan_Host_History_1_0
Shodan_InfoDomain_1_0
SpamhausDBL_1_0
StopForumSpam_1_0
Threatcrowd_1_0
UnshortenLink_1_2
URLhaus_2_0
Urlscan_io_Scan_0_1_0
Urlscan_io_Search_0_1_1
VirusTotal_GetReport_3_0
VirusTotal_Scan_3_0
Yara_2_0

The analyzers emphasized in italic are the ones for which the levels have been modified (but that can be overridden, even though it is not advisable), while the analyzers emphasized in bold are the ones that are handled directly in the code of ThePhish either because they do not respect the convention for the report structure, or because they have bugs. Moreover, the following analyzers are handled in the code of ThePhish to use them in the best possible manner:

DomainMailSPFDMARC_Analyzer_1_1: It is started only on domains that are supposed to be able to send emails.
MISP_2_1: It is used for the integration with MISP.
UnshortenLink_1_2: It is started before any other analyzer on a URL so as to make it possible to unshorten a link and add the unshortened link as an additional observable.
Yara_2_0: It is the only one that is started on the EML attachment.

Enable the MISP analyzer

In order to integrate Cortex with MISP, you must activate the MISP_2_1 analyzer and configure it with the authorization key of the user created on MISP that Cortex will use to interact with MISP. This means that a user must be created on MISP beforehand (you can learn how to do that here or here).

Enable the Yara analyzer

If you want to use the Yara_2_0 analyzer, you must create a folder on the machine on which Cortex is running that contains:

The Yara rules, where each rule is a file with the .yar extension
A file named index.yar, which contains a line for each Yara rule in that folder that respects this syntax: include "yara_rule_name.yar"

Then, you must configure the path of this folder on Cortex. For example, if you created the folder yara_rules in the path /opt/cortex, then you need to configure the path /opt/cortex/yara_rules on Cortex (on the web interface).

Enable the Mailer responder

In order to send the emails to the users, the Mailer responder must be enabled and correctly configured. The procedure used to enable a responder is identical to the procedure used to enable an analyzer. If you are using a Gmail address, these are the correct parameters to set:

from: <YourGmailEmailAddress>
smtp_host :smtp.gmail.com
smtp_port: 587
smtp_user: <YourGmailEmailAddress>
smtp_pwd: <YourGmailEmailAddressAppPassword>

Use the whitelist

ThePhish allows creating a whitelist in order to avoid analyzing observables that may cause false positives or that the analyst decides that they should not be considered during the analysis. The whitelist is contained in a file named whitelist.json and is constituted by many different lists so as to offer great flexibility both in terms of observable types to match and matching modes. It supports the following matching modes:

Exact string matching for email addresses, IP addresses, URLs, domains, file names, file types and hashes
Regex matching for email addresses, IP addresses, URLs, domains and file names
Regex matching for subdomains, email addresses and URLs that contain the specified domains

Here is shown a toy example of the whitelist.json file.

{	
	"exactMatching": {
		"mail" : [],
		"ip" : [
			"127.0.0.1",
			"8.8.8.8",
			"8.8.4.4"
		],
		"url" : [],
		"domain" : [
			"adf.ly",
			"paypal.com"
		],
		"filename" : [],
		"filetype" : [
			"application/pdf"
		],
		"hash" : []
	},
	"domainsInSubdomains" : [
		"paypal.com"
	],
	"domainsInURLs" : [
		"paypal.com"
	],
	"domainsInEmails" : [
		"paypal.com"
	],
	"regexMatching" : {
		"mail" : [],
		"ip" : [
			"10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}",
			"172\\.16\\.\\d{1,3}\\.\\d{1,3}",
			"192\\.168\\.\\d{1,3}\\.\\d{1,3}"
		],
		"url" : [],
		"domain" : [],
		"filename" : []
	}
}

While both the parts related to exact matching and regex matching are used without any modification, the remaining parts are used to create three more lists of regular expressions. It is not required for you to design complex regular expressions to enable those features, but you only need to add the domains to the right lists and ThePhish will do the rest. For instance, in the example shown above, not only the domain "paypal.com" is filtered, but any subdomain, URL and email address containing the domain "paypal.com" is filtered as well. These regular expressions have been designed to avoid some unwanted behaviors, for instance they prevent domains like "paypal.com.attacker.com" to be mistakenly whitelisted. The whitelist file which is provided in this repository is already populated with some whitelisted observables, but it is just an example, you can (and should) edit it to suit your needs by removing or adding elements.

Contribution to TheHive4py

ThePhish uses a great feature of TheHive which is the possibility of exporting a case to MISP as an event. This makes it possible to use the MISP_2_1 analyzer to search for a match between an observable in a case and an attribute of one of those events on MISP. Unfortunately, during the first development stages of ThePhish, a function that allowed to do this via API in Python was not available in TheHive4py yet. For this reason, a pull request (#187) has been made to TheHive4py to add such functionality. The pull request has been accepted and the function export_to_misp() has been added to the 1.8.0 milestone of TheHive4py.

License

ThePhish is an open-source and free software released under the AGPL (Affero General Public License).

Credits

I would like to thank Xavier Mertens (xme) for having developed IMAP2TheHive and published it on GitHub, since it has been the initial spark that led to the development of this project and from which the code of ThePhish has taken a cue.

I would also like to thank Gianmarco, Alberto and Bernardina, who helped me in the early stages of the development of the application with the ideas, the initial deployment, the first tests and the presentation of the first beta version.

Comments

[BUG]Documentation

you need to have a Case Template created in TheHive named 'ThePhish' or you get an error. When my only Case Template was named reported-email I kept getting errors and it would not kick off Analysis.
bug

opened by mclancy10006 15
[Bug] Attachments (txt) are not parsed
Work environment

| Question | Answer | | -------------------------- | ------------------------------------- | | OS version (server) | Ubuntu 20.04.03 | | OS version (client) | Ubuntu 20.04.03 | | Python version |Python 3.8.10 | | Type of email address used | Gmail | | Mail client type & version | Thunderbird | | Browser type & version | Firefox | | Virtualized Env. | True | | Dedicated RAM | 4 GB | | vCPU | 2 | | ThePhish version | recent | | TheHive version | 4.1.11-1 | | Cortex version | 3.1.1-1 | | MISP version | not used | | Installed using Docker and Docker Compose | False | | Docker Version | If applicable | | Docker Compose version | If applicable |

Question

Hi, first of all thank you for developing this tool.

A) - Attachments are not parsed

My Problem is that Attachments of an E-Mail are not parsed. This is what i do:

Want to analyze this Mail with invoice.txt attached

Forward mail via Thunderbird to ThePish Gmail-Account

Start ThePhish Analysis

invoice.txt is not listed in observable and not analyzed

If i download the mail in TheHive (ziped) invoice.txt is still attached to the mail so it seems that the mail is received correctly by ThePhish but invoice.txt is not recolonized.

.txt is not whitelisted.

Am i missing something here? Can you help me out?

B) - html-tags for hyperlinks gets recolonized as part of the URL

Moreover some html-tags for hyperlinks gets recolonized as part of the URL as u can see here:

C) - mini report from the URL-Haus Analyzer is not shown in observables

Independent from the ThePhish i recognized another little issue, maybe u have a solution for that or you can give me hint how to debug this: The mini report from the URL-Haus Analyzer is not shown in observables But it has hits

Do you have any idea how to fix that?

Thank you!

Claudio
bug
opened by ClaudioWayne 9
[BUG] listing Emails

Hello again, i set up ThePhish from scratch and integrated theHive, MISP and Cortex correctly. When trying to fetch Emails though i get the following traceback. I tested 2 Email-Adresses, using the data i already used sucessfully on a docker build.

[ERROR]_[list_emails]: Error while trying to connect to IMAP server: Traceback (most recent call last): File "/etc/ThePhish/app/list_emails.py", line 243, in main connection = connect_to_IMAP_server() File "/etc/ThePhish/app/list_emails.py", line 21, in connect_to_IMAP_server connection.login(config['imapUser'], config['imapPassword']) File "/usr/lib/python3.8/imaplib.py", line 601, in login typ, dat = self._simple_command('LOGIN', user, self._quote(password)) File "/usr/lib/python3.8/imaplib.py", line 1205, in _simple_command return self._command_complete(name, self._command(name, *args)) File "/usr/lib/python3.8/imaplib.py", line 1030, in _command_complete raise self.error('%s command error: %s %s' % (name, typ, data)) imaplib.IMAP4.error: LOGIN command error: BAD [b'Not enough arguments provided 8mb428246745wrb']

Work environment | -------------------------- | ------------------------------------- | | OS version (server) | Ubuntu 20.04.4 | | OS version (client) | Ubuntu 20.04.4 | | Python version | 3.8.10 | | Type of email address used | Gmail, 365 | | Browser type & version | Firefox, Chromium | | Virtualized Env. | True | | Dedicated RAM | 24 GB | | vCPU | 8 | | ThePhish version | latest | | TheHive version | 4.1.22-1 | | Cortex version | 3.1.6-1 | | MISP version | 2.4.159 | | Installed using Docker and Docker Compose | False |

To Reproduce

start ThePhish with: cd /etc/ThePhish/app/ python3 thephish_app.py

navigate to localhost:8080 and click "List Emails"

Expected behavior

ThePhish connecting to inbox and getting Emails.

Screenshots

Solution I tried to search for that problem but couldn't find something helpfull. Would be great if you have an idea on how to resolve this issue.

Thanks in advance
bug

opened by Davdavidid 6
CortexJobID

Hi!!

First of all, thank you with all my heart for the development you launched, because I was doing something similar, but you already had everything practically done.

Second, I would like to see if you can help me with an error, since I do not know if I am misconfiguring the system.

When I send the email to be analyzed, it creates the case in thehive and sends me a notification email. M error lies when calling parsers ... it throws me the following error:

How could I solve this error?

Regards from Chile.

opened by jcandiat 5
[BUG] List emails not working

Describe the bug

ThePhish mentioned no e-mails to read, but mentioned that there are unread messages to process

Work environment

| Question | Answer | | -------------------------- | ------------------------------------- | | OS version (server) | Kali Linux | | OS version (client) | Kali Linux | | Python version | | | Type of email address used | Gmail | | Mail client type & version | Gmail | | Browser type & version | Edge | | Virtualized Env. | True | | Dedicated RAM | 6.5 GB | | vCPU | 4 / 8 / 16 / 32 | | ThePhish version | | | TheHive version | | | Cortex version | | | MISP version | | | Installed using Docker and Docker Compose | True | | Docker Version | If applicable | | Docker Compose version | If applicable |

To Reproduce

Expected behavior

ThePhish should list the email

Screenshots

Additional context

I think I have enabled everything correct through the Docker method, but ThePhish is still unable to list emails. I also ensured to forward as attachment to "[email protected]", but still unable to list emails

Possible solutions

Keep this section if you have suggestions on how to solve the problem, otherwise delete it.
bug

opened by KaiJun-GP 4
[Question] How to troubleshoot "Error while trying to notify the start of analysis"

Work environment

| Question | Answer | | -------------------------- | ------------------------------------- | | OS version (server) | Debian 11.. | | Python version |3.9 | | Type of email address used | Gmail | | Mail client type & version | gmail| | Browser type & version | Edge | | Virtualized Env. | True | | Dedicated RAM | 16 GB | | vCPU | 4 / 8 | | ThePhish version | | | TheHive version | 4.1.11-1 | | Cortex version | 3.1.1-1 | | MISP version | 2.4 | | Installed using Docker and Docker Compose | False | | Docker Version | If applicable | | Docker Compose version | If applicable |

Question

Describe the question/requirement as clearly as possible. Can't figure out how to get past this error when emailing a notification status. The analysis part runs, but then get stuck here.

[INFO][case_from_email]: Added observable file Payment Confirmation Invoice no#333339.eml to case 18 [ERROR][run_analysis]: Error while trying to notify the start of analysis: Traceback (most recent call last): File "/home/xxxxx/ThePhish/app/run_analysis.py", line 573, in main KeyError: 'Notification'

[ERROR]_[run_analysis]: Error while trying to notify the start of analysis: Traceback (most recent call last): File "/home/xxxxx/ThePhish/app/run_analysis.py", line 573, in main KeyError: 'Notification'
question

opened by mclancy10006 4
[Question] External API Call

Work environment

Question | Answer -- | -- OS version (server) | RHEL7, Docker OS version (client) | NA Python version | NA Type of email address used | NA Mail client type & version | NA Browser type & version | Firefox Virtualized Env. | True Dedicated RAM | NA vCPU | NA ThePhish version | Latest TheHive version | NA Cortex version | NA MISP version | NA Installed using Docker and Docker Compose | True Docker Version | 20.10.3 Docker Compose version | 1.29.0

Question

I started to POC ThePhish. Without configuring anything, I noticed in DevTools that ThePhish does external call to "fonts.googleapis.com" and "cdnjs.cloudflare.com".

ThePhish is installed in an environnement without internet access by default.

My question is : is it mandatory to open some external web address in proxies ?

Thanks in advance.
question

opened by gaglimax 2
[Question]

Work environment

| Question | Answer | | -------------------------- | ------------------------------------- | | OS version (server) | Debian, Ubuntu | | OS version (client) | any | | Python version | 3.9.2| | Type of email address used | any | | Mail client type & version | any | | Browser type & version | any | | Virtualized Env. | False | | Dedicated RAM | 16 GB | | vCPU | 4 | | ThePhish version | 603eca6 | | TheHive version | 4.1.11-1 | | Cortex version | 3.1.1-1 | | MISP version | 2.4.150 | | Installed using Docker and Docker Compose | False | | Docker Version | n/a | | Docker Compose version | n/a |

Question

This may not be specifically an issue for ThePhish but hopefully you can shed some light on how to go about solving it appropriately.

In Cortex, we want to use HaveIBeenPwned (HIBP). When we submit a message from ThePhish to be analyzed, the EmlParser grabs all the email addresses in a message, including the To. Then Cortex dutifully sends each of these addresses to HIBP. If any of them comes back positive, ThePhish flags the message as malicious. The problem, of course, is if the recipient's email is in this database, the message gets flagged as malicious!

What is the correct way to get some finer grain control over what gets sent to HIBP to make it work say on other addresses in the mail than the envelope recipient or to header?

Currently ThePhish closes the message as malicious if any one of the results comes back malicious. It seems like we need some finer control like if-this-and-that sort of control. I don't know if that belongs in ThePhish or what.
question

opened by mgrant0 2
[Question]

Work environment

| Question | Answer | | -------------------------- | ------------------------------------- | | Python version | 3.8| | ThePhish version | Latest | | TheHive version | 4.1.9-1 | | Cortex version | 3.1.1-1 |

Question

Hello, I had other issue after phase notification mail sent, appear a error about [run_analysis] with something Cortex Job Id

[INFO][run_analysis]: Notification mail sent [ERROR][run_analysis]: Error during the analysis task: Traceback (most recent call last): File "/opt/ThePhish/app/run_analysis.py", line 576, in main observables_info, reports_observables = analyze_observables(case, task_ids['Analysis'], wsl) File "/opt/ThePhish/app/run_analysis.py", line 240, in analyze_observables job['job_id'] = analyzer_job.json()['cortexJobId'] KeyError: 'cortexJobId'

Have some idea about this?
question

opened by janjaom 2
I receive attachment .eml but happen error after click list emails

Question

After click on button "list emails" appear ERROR, this message attachment is type .eml

python3 thephish_app.py [INFO][list_emails]: Connected to [email protected]@imap.gmail.com:993/inbox [INFO][list_emails]: 1 unread messages to process [INFO][list_emails]: Message from: b'aleatory_spam@local' with subject: Phishing 3 **[ERROR][list_emails]: Error while trying to retrieve the emails: Traceback (most recent call last): File "/opt/ThePhish/app/list_emails.py", line 250, in main emails_info = retrieve_emails(connection) File "/opt/ThePhish/app/list_emails.py", line 112, in retrieve_emails decode = email.header.decode_header(internal_msg['Subject']) File "/usr/lib/python3.7/email/header.py", line 80, in decode_header if not ecre.search(header): TypeError: expected string or bytes-like object**

Any help with this?
question

opened by janjaom 2
[Question]

Work environment

| Question | Answer | | -------------------------- | ------------------------------------- | | Type of email address used | Exchange 2019 (Mail Corporate)| | Mail client type & version | Outlook |

Question

Have some other options besides imap? I'd like using my company but we have exchange 2019 (account corporate).

"imap" : { "host" : "imap.gmail.com", "port" : "993", "user" : "", "password" : "", "folder" : "inbox" },
question

opened by janjaom 2
[ERROR]: Error while trying to notify the start of analysis

Work environment

| Question | Answer | | -------------------------- | ------------------------------------- | | OS version (server) | centos-release-7-9.2009.1.el7.centos.x86_64 | | OS version (client) | - | | Python version | Python 2.7.5 | | Type of email address used | Gmail | | Mail client type & version | Gmail | | Browser type & version | Firefox, Chrome | | Virtualized Env. | True / | | Dedicated RAM | 6 GB | | vCPU | 8 | | ThePhish version | ThePhish 1 | | TheHive version | 5 | | Cortex version | 3.1.7-1 | | MISP version | MISP - 2.4.162 | | Installed using Docker and Docker Compose | False | | Docker Version | - | | Docker Compose version | -|

I ask you to help with solving the problem, during the launch of the analysis of the message, after creating the case in thehive, the error indicated in the screenshot appears. When manually running the responder mailer from thehive, the email is sent to the addressee successfully
question

opened by art3113 1
[Question] Handling URL rewrite

My environment passes all email through Cisco Secure Email Security, which will rewrite URLs with a neutral or unknown reputation to redirect them to the Cisco Web Security Proxy for click-time evaluation of their safety.

For those emails which slip through and are reported as suspicious/malicious, I would like to use ThePhish as my analysis and logging platform.

Does ThePhish have a capability to decode these URL rewrites so that the true URL is analyzed ?
question

opened by dreadfulangry 1

Startup script and systemd service [Ubuntu]

Hello, thank you for this project!

I would like to add startup script and Systemd service:

ThePhish_service.sh

#!/bin/bash
#
#

case "$1" in
  start)
    cd /opt/ThePhish/app/ && /opt/ThePhish/app/venv/bin/python3 thephish_app.py
    ps aux | grep thephish_app.py | grep -v grep | awk -F' ' '{print $2}'
    echo "[  OK  ] ThePhish was successfuly started as PID $PID."
    ;;
  stop)
    PID=$(ps aux | grep thephish_app.py | grep -v grep | awk -F' ' '{print $2}')
    kill -9 $PID
    echo "[  OK  ] ThePhish was successfully stopped."
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac

Create file /lib/systemd/system/thephish.service

[Unit]
Description=ThePhish
Documentation= https://github.com/emalderson/ThePhish#install-it-using-docker-and-docker-compose
Wants=network-online.target davmail.service
After=network.target network-online.target davmail.service

[Service]
Type=simple
RemainAfterExit=yes
User=root
Group=root
TimeoutStartSec=0
Restart=on-failure
RestartSec=30s
#ExecStartPre=
ExecStart=/opt/ThePhish/ThePhish_service.sh start
ExecStop=/opt/ThePhish/ThePhish_service.sh stop


[Install]
WantedBy=multi-user.target

opened by majo053 1

ThePhish for Docker on Windows + Docker-Compose Updates
Changes proposed in this pull request

Added support to Windows Environment

Added a environment that contains the latest versions of Cortex, TheHive and MISP.

Changed the configuration around to make it work with TheHive5.

Changed the configuration in the Docker-Compose to make Cortex work

Changed configuration around to update Cassandra to version 4, elasticsearch to the latest version 7, MySQL to latest version 8 and redis to latest version 6.

The whole procedure has been tested by executing the instructions carefully that are described in the Docker folder.

I recommend a manual review as well.

~LvdW
opened by asterictnl-lvdw 2
[Question]

Work environment

| Question | Answer | | -------------------------- | ------------------------------------- | | OS version (server) | Debian | | OS version (client) | Debian | | Python version | | | Type of email address used | outlook| | Mail client type & version | outlook| | Browser type & version | Firefox | | Virtualized Env. | True | | Dedicated RAM | 16 GB | | vCPU | 8 | | ThePhish version | | | TheHive version | | | Cortex version | | | MISP version | | | Installed using Docker and Docker Compose | True / False | | Docker Version | If applicable | | Docker Compose version | If applicable |

Question Error in cases [ERROR]_[run_analysis]: Error while trying to notify the start of analysis: Traceback (most recent call last): thephish | File "/usr/local/lib/python3.8/dist-packages/cortex4py/api.py", line 106, in do_post thephish | response.raise_for_status() thephish | File "/usr/local/lib/python3.8/dist-packages/requests/models.py", line 953, in raise_for_status thephish | raise HTTPError(http_error_msg, response=self) thephish | requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: http://cortex:9001/api/responder/_search?range=0-1 thephish | thephish | The above exception was the direct cause of the following exception: thephish | thephish | Traceback (most recent call last): thephish | File "/root/thephish/run_analysis.py", line 568, in main thephish | notify_start_of_analysis(case, task_ids['Notification'], mail_to, wsl) thephish | File "/root/thephish/run_analysis.py", line 55, in notify_start_of_analysis thephish | mailer_responder = api_cortex.responders.get_by_name('Mailer_1_0') thephish | File "/usr/local/lib/python3.8/dist-packages/cortex4py/controllers/responders.py", line 22, in get_by_name thephish | return self._wrap(self._find_one_by(Eq('name', name)), Responder) thephish | File "/usr/local/lib/python3.8/dist-packages/cortex4py/controllers/abstract.py", line 29, in _find_one_by thephish | collection = self._api.do_post(url, {'query': query or {}}, params).json() thephish | File "/usr/local/lib/python3.8/dist-packages/cortex4py/api.py", line 109, in do_post thephish | self.__recover(ex) thephish | File "/usr/local/lib/python3.8/dist-packages/cortex4py/api.py", line 46, in __recover thephish | raise AuthenticationError("Authentication error") from exception thephish | cortex4py.exceptions.AuthenticationError: Authentication error thephish | cassandra | INFO [Service Thread] 2022-08-02 15:15:47,309 GCInspector.java:285 - ConcurrentMarkSweep GC in 430ms. CMS Old Gen: 49304 -> 65512; Par Eden Space: 858980352 -> 51411816; Par Survivor Space: 43551056 -> 0 thehive | [info] o.t.t.s.IntegrityCheckActor [|] End of CaseTemplate global check: Map(orphans -> 0, duration -> 24)
question

opened by zax400 1