Phishing automation: Automating URL analysis with Phish.AI and Tines

Written by Thomas Kinsella, Co-founder & CCO, Tines

Published on June 14, 2021

This article was posted more than 18 months ago.

A partner blog between Phish.ai and Tines.com 

[End of life notice: please note, Phish.ai is no longer available.]

According to the latest Verizon Data Breach report, phishing is involved in 93% of breaches, and email continues to be the most common vector (96%) in successful cyberattacks [0]. These figures indicate that malicious email detection software and employee security awareness training are no longer sufficient on their own to deal with the volume of attacks, even on a small scale. In addition, the process of reviewing suspicious emails and examining suspicious URLs is both time-consuming and error-prone, and it is one of the most frequent causes of alert overload and analyst fatigue. Phishing automation using SOAR platforms like Tines and phishing analysis tools like Phish.ai helps companies tackle these problems.

In a world where detecting and responding to incidents quickly is a key metric for any security program, automating the collection and analysis of suspicious URLs can reduce mistakes and improve response times. Above all, it will make your analysts more efficient, effective, and happier.

What steps should I take to automate the analysis of suspicious URLs? 

The first step in building out automation is to identify sources for collecting suspicious URLs for your environment. Common sources of malicious URLs include:

  • Customer Abuse boxes (You can read more about using Tines to manage your Abuse Inbox here)

  • URLs blocked by your email security solution, such as Proofpoint, FireEye ETP, Barracuda, Mimecast, or Microsoft ATP.

  • DMARC failures or rejects

  • Suspicious uncategorized or punycode URLs from your firewall logs or DNS logs

  • New SSL Certificates registered with domains similar to your brand (e.g. from crt.sh)

  • Threat Intel sources like the Phish.ai threat intel feed which generates feeds based on the brands attacked

  • Free feeds of malicious URLs like Phishtank, Openphish, phishstats.info or Urlhaus. Note, these feeds are often high-reputation, so they don’t necessarily need to be further analyzed.

Using Tines’ Phishing Story, it’s easy to collect suspicious URLs from over a dozen different sources automatically. Once these feeds are in Tines, it’s easy to deduplicate and classify URLs to prevent alert overload and to generate more accurate metrics.
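The deduplicate-and-classify step can be pictured with the following added Python sketch, which is not Tines or Phish.ai code: it normalizes URLs from several sources into one dedup key, flags punycode hosts, and routes hits from high-reputation feeds away from further analysis. The source labels, the `known_bad`/`analyze` policy and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: hypothetical source labels; the article notes free feeds are
# often high-reputation, so hits from them are not re-queued for analysis.
HIGH_REPUTATION = {"phishtank", "openphish", "urlhaus"}

def normalize(url):
    """Canonical dedup key: lowercase scheme/host, IDNA host, no default port or fragment."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")  # Unicode host -> xn-- form
    except UnicodeError:
        pass  # unencodable host: keep as-is, it still dedups against itself
    scheme = parts.scheme.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))

def triage(events):
    """events: iterable of (source, url) pairs -> {dedup key: record}."""
    seen = {}
    for source, url in events:
        rec = seen.setdefault(normalize(url), {"sources": set(), "count": 0})
        rec["sources"].add(source)
        rec["count"] += 1
    for key, rec in seen.items():
        labels = (urlsplit(key).hostname or "").split(".")
        rec["punycode"] = any(label.startswith("xn--") for label in labels)
        rec["action"] = "known_bad" if rec["sources"] & HIGH_REPUTATION else "analyze"
    return seen

# Constructed sample events (reserved .example domains), not real indicators.
SAMPLE = [
    ("abuse_inbox", "HTTP://Login.Example.com:80/reset#top"),
    ("email_gateway", "http://login.example.com/reset"),
    ("dns_logs", "https://münchen.example/"),
    ("dns_logs", "https://xn--mnchen-3ya.example"),
    ("phishtank", "https://bad.example/pay?id=1"),
    ("abuse_inbox", "https://bad.example/pay?id=1"),
]

if __name__ == "__main__":
    for key, rec in triage(SAMPLE).items():
        print(rec["action"], rec["count"], sorted(rec["sources"]), rec["punycode"], key)
```

Six reports collapse to three URLs here, and the per-URL report count and source set give the more accurate metrics the paragraph mentions.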

Once Tines has deduplicated the URL feed, it’s time to perform a real-time URL analysis using a tool like phish.ai.

Phish.ai is a premium service that proactively indexes websites of top brands around the world to create an up-to-date computer vision database. Phish.ai’s real-time web crawler will index all URLs submitted and compare the site image against the known bad database. (Note, to submit privately you’ll need to sign up for a basic plan. Basic plans allow scanning of up to 10,000 URLs each month).

Integrating Phish.ai with Tines in your phishing automation process