Summary
TheHive eases phishing incident response with automatic email ingestion, extracting key observables like sender details and links.
A predefined phishing case template guides the investigation, ensuring all critical steps are followed. Analyzers assess the email’s maliciousness, providing instant insights. Responders take swift action, such as blocking the sender or removing emails from inboxes. All actions are logged, and the case is classified for future analysis.
The result is a shorter response time and a reduced risk from phishing attempts.
Scenario
An employee at a large financial firm reports a suspicious email that appears to be a phishing attempt. The email is forwarded to the security team, triggering the incident response process.
- Mail Intake: The phishing alert is automatically ingested into TheHive through direct email integration. The platform immediately identifies key observables—such as sender address, subject line and any links or attachments—allowing the security team to quickly assess the potential threat.
- Case Template: A predefined phishing case template is activated, guiding the analysts through a systematic investigation. The template ensures that every critical step is covered, from initial analysis to final resolution. Each task is tracked in real time, ensuring that the incident is handled efficiently and with full traceability.
- Knowledge Base: As the team works on the case, they reference the knowledge base directly from the case's interface. This repository contains essential information, such as previous phishing incidents, known IOCs and best practices, helping analysts make informed decisions quickly.
- Analyzers: The email is processed using the emlParser analyzer, which extracts all relevant observables, such as URLs, attachments and sender details. The platform then runs these through various analyzers to determine their maliciousness, providing the team with immediate insights into the threat level.
- Responders: Once the threat is confirmed, the security team activates responders to take immediate action. This could include blocking the sender's email address, removing the email from all inboxes across the organization and updating firewall rules to prevent similar phishing attempts. Additionally, they monitor for any signs of malware that might have slipped through. These actions are executed directly from TheHive, minimizing the response time.
- Case Classification: After all steps are completed, the case is classified based on the findings—true positive if it was indeed a phishing attempt, false positive if it was harmless, or another custom status relevant to the organization's incident response protocol. This classification is logged, contributing to future incident analysis and reporting.
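The mail-intake and analyzer steps above both reduce to the same job: pulling the pivotable observables (sender, URLs, domains, attachment names and hashes) out of the raw message. As an added illustration, not code from TheHive, Cortex or the emlParser analyzer, the Python below parses a constructed phishing .eml and returns them in a dict shaped like an alert with observables; the sample message, the lookalike domain and the `dataType` labels on the output are assumptions of this example.

```python
import email
import email.utils
import hashlib
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample phishing message (not a real e-mail); used as offline input.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example-corp.invalid>
To: employee@example-corp.invalid
Subject: Action required: password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Renew it at http://login.example-corp.invalid.evil.test/reset
--b1
Content-Type: application/octet-stream; name="form.html.exe"
Content-Disposition: attachment; filename="form.html.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_observables(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message into an alert-like dict of observables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    # dataType names mirror TheHive's observable types but are an assumption here
    obs, urls = [{"dataType": "mail", "data": sender}], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""  # base64 is decoded here
            obs.append({"dataType": "filename", "data": part.get_filename()})
            obs.append({"dataType": "hash", "data": hashlib.sha256(payload).hexdigest()})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    for url in dict.fromkeys(urls):  # de-duplicate, keep first-seen order
        obs.append({"dataType": "url", "data": url})
        host = urlsplit(url).hostname
        if host:
            obs.append({"dataType": "domain", "data": host})
    return {"title": str(msg["Subject"]), "observables": obs}
```

Calling `extract_observables(SAMPLE_EML)` yields the sender, the attachment name and its SHA-256, the lookalike URL and its host, which is the set an analyst would run through reputation analyzers before deciding on responders.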
Outcome
The phishing attempt is swiftly neutralized, with all actions logged for future review.
TheHive’s integration and automation ensure a quick, efficient response, reducing the potential impact of the phishing attack on the organization.