Phishing automation: automating url analysis with and


A partner blog between and

[End of life notice: please note, is no longer available.]

According to the latest Verizon Data Breach report, phishing is involved in 93% of breaches and email continues to be the most common vector (96%) in successful cyber attacks [0]. These figures indicate that malicious email detection software and employee security awareness training are no longer sufficient on their own to deal with the volume of attacks, even at a small scale. In addition, the process to review suspicious emails and examine suspicious URLs is both time-consuming and error-prone. Furthermore is one of the most frequent causes of alert overload and analyst fatigue. Phishing Automation using SOAR platforms like Tines and Phishing analysis tools like helps companies tackle these problems.

In a world where detecting and responding to incidents quickly is a key metric for any security program, automating the collection and analysis of suspicious URLs can reduce mistakes and improve response times. Above all, it will make your analysts more efficient, effective and happier.

What steps should I take to automate the analysis of suspicious URLs?

The first step in building out automation is to identify sources for collecting suspicious URLs for your environment. Common sources of malicious URLs include:

  • Customer Abuse boxes (You can read more about using Tines to manage your Abuse Inbox here)
  • URLs blocked by your email security solution like Proofpoint, FireEye ETP, Barracuda, Mimecast or Microsoft ATP.
  • DMARC failures or rejects
  • Suspicious uncategorized or punycode URLs from your firewall logs or DNS logs
  • New SSL Certificates registered with domains similar to your brand (e.g. from
  • Threat Intel sources like the threat intel feed which generates feeds based on the brands attacked
  • Free feeds of malicious URLs like Phishtank, Openphish, or Urlhaus. Note, these feeds are often high-reputation, so their entries don’t necessarily need to be further analyzed.

Using Tines’ Phishing Story it’s easy to collect suspicious URLs from over a dozen different sources automatically. Once these feeds are in Tines it’s easy to deduplicate and classify URLs to prevent alert overload and to generate more accurate metrics.
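The deduplicate-and-classify step described above, sketched in Python as an added example (not Tines' own Story or code). The source labels, the normalization rules and the sample observations are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Feeds the article lists as high-reputation; a hit is treated as already confirmed.
HIGH_REPUTATION = {"phishtank", "openphish", "urlhaus"}

def normalize(url):
    """Dedup key: lowercase scheme and host, IDNA host, no default port or fragment."""
    url = url.strip()
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "http://" + url  # assumption: bare hostnames from DNS logs become http URLs
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")  # Unicode labels -> xn-- form
        port = parts.port
    except ValueError:  # UnicodeError is a ValueError; so is a malformed port
        port = None
    default = {"http": 80, "https": 443}.get(parts.scheme)
    netloc = host if port in (None, default) else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))

def triage(observations):
    """observations: iterable of (source, url). Returns {normalized_url: record}."""
    seen = {}
    for source, url in observations:
        key = normalize(url)
        rec = seen.setdefault(key, {"sources": set()})
        rec["sources"].add(source)
        host = urlsplit(key).hostname or ""
        rec["punycode"] = any(label.startswith("xn--") for label in host.split("."))
    for rec in seen.values():
        # Already listed by a high-reputation feed: no need to spend a scan on it.
        known = rec["sources"] & HIGH_REPUTATION
        rec["action"] = "known_bad" if known else "analyze"
    return seen

# Constructed sample input: five observations that collapse to three unique URLs.
SAMPLE_OBSERVATIONS = [
    ("abuse_inbox", "HTTP://Login.Example.COM:80/verify#top"),
    ("email_gateway", "http://login.example.com/verify"),
    ("dns_logs", "xn--pple-43d.example"),
    ("phishtank", "https://bad.example/a?x=1"),
    ("abuse_inbox", "https://bad.example:443/a?x=1"),
]

if __name__ == "__main__":
    for url, rec in triage(SAMPLE_OBSERVATIONS).items():
        print(rec["action"], rec["punycode"], sorted(rec["sources"]), url)
```

Keeping the set of sources per URL, rather than dropping duplicates outright, preserves the count of independent reports for metrics and prioritization.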

Once Tines has deduplicated the URL feed, it’s time to perform a real-time URL analysis using a tool like is a premium service which proactively indexes websites of top brands around the world to create an up-to-date computer vision database.’s real-time web crawler will index all URLs submitted and compare the site image against the known bad database. (Note, to submit privately you’ll need to sign up for a basic plan. Basic plans allow scanning of up to 10,000 URLs each month).

Integrating with Tines in your phishing automation process

With Tines it’s simple to make a single API call to submit these URLs for analysis using’s API. The configuration to make these calls in Tines is below, using an “HTTP Post Request action”. In this example, {{.explode_urls-array.url}} represents the URL to be sent for analysis. Moreover, this can be done in a totally secure manner. The parameter {% credential phish_ai %} is the API key which is encrypted and sent along with the request.

A HTTP Request Agent configuration to submit urls to

This request returns a unique “scan_id” parameter:

The event response information from a scan

In the next step, Tines sends this parameter to to retrieve the results of the analysis. Similar to the request above, a HTTP Request action is used.

Another HTTP Request Agent configuration to retrieve the results of scan

This call returns the results of the analysis by

The results returned by

In the background, has compared the image of the crawled page against its collection of known bad images. Subsequently, has correctly detected that this particular site submitted through Tines is a phishing website. In the event emitted above, not only has successfully identified the site as malicious, it has also identified the target as “National Bank”. Importantly, this information can also be used to help analysts decide on the priority of an incident. For example, this information can help analysts identify more targeted attacks or phishing using brands used by employees.
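The submit, retrieve and prioritize flow described above, sketched in Python as an added example (not the Tines action configuration and not the scanning service's real API). The `post` transport, the `/submit` and `/report` paths, the `status` and `verdict` fields and the fake scanner are hypothetical; only `scan_id` and the target value come from the article.

```python
import time

def analyze_url(url, post, used_brands, attempts=5, delay=0.0):
    """Submit `url`, poll for the result by scan_id, and return a triage record.

    `post(path, payload) -> dict` is a caller-supplied transport (hypothetical).
    `used_brands` is a set of lowercase brand names your employees rely on.
    """
    scan_id = post("/submit", {"url": url}).get("scan_id")
    if not scan_id:
        raise ValueError("submission returned no scan_id")
    for _ in range(attempts):
        report = post("/report", {"scan_id": scan_id})
        if report.get("status") == "completed":
            break
        time.sleep(delay)
    else:
        # No verdict in time: never report "clean" by default, hand to an analyst.
        return {"url": url, "scan_id": scan_id, "priority": "manual_review"}
    target = report.get("target")
    if report.get("verdict") != "malicious":
        priority = "low"
    elif target and target.lower() in used_brands:
        priority = "high"  # phishing that imitates a brand employees actually use
    else:
        priority = "medium"
    return {"url": url, "scan_id": scan_id, "target": target, "priority": priority}

class FakeScanner:
    """Constructed in-memory stand-in for the service so the example runs offline."""
    def __init__(self, verdict, target, polls_until_done=2):
        self.verdict, self.target = verdict, target
        self.polls_until_done, self.polls = polls_until_done, 0

    def post(self, path, payload):
        if path == "/submit":
            return {"scan_id": "constructed-scan-1"}
        self.polls += 1
        if self.polls < self.polls_until_done:
            return {"status": "in_progress"}
        return {"status": "completed", "verdict": self.verdict, "target": self.target}

if __name__ == "__main__":
    scanner = FakeScanner("malicious", "National Bank")
    print(analyze_url("http://login.example.com/verify", scanner.post, {"national bank"}))
```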

Analysts can also use the dashboard to view more information about the detection or a screenshot of the phishing page.

The Dashboard UI

What’s Next?

Once your phishing automation process has completed analysis of the phishing URL it’s possible to automate dozens of other interactions in For instance, traditional next steps include scanning for any traffic to the identified malicious in firewall logs and endpoint logs etc.; blocking the domain; removing the particular email from inboxes; performing a header analysis etc. Other companies also use Tines to respond to reporters confirming a site is malicious. Another popular use case is to use’s threat feeds in combination with other public and private feeds to detect brand abuse and send takedown notices to hosts requesting they remove the infringing content.

An excerpt from the Tines Phishing Automation Story

In conclusion, Phishing Automation using a security automation platform like Tines in combination with a real-time phishing analysis platform like, can help your security team scale and keep your analysts focused on more impactful efforts, leaving them happier.

You can read more about this step in the process in part three of our “automating your abuse inbox” blog series.

*Please note we recently updated our terminology. Our "agents" are now known as "actions," but some visuals might not reflect this.*

To date has scanned over 21 million URLs and identified over 85,000 zero day phishing attacks. You can read more about the api here. is a Security Orchestration, Automation and Response (SOAR) platform used by Fortune 10 companies, global banks and large public and private SaaS companies.

[0] Verizon Data Breach Investigations Report 2018
