{"id":"threat-detection-bigphish-phishing","slug":"threat-detection-bigphish-phishing","title":"Threat Detection: BigPhish Phishing Intelligence","description":"A financial services firm's threat team noticed a spike in password-reset requests traced back to a domain registered forty-eight hours earlier: `secure-login-natwest-uk[.]com`. The domain had already been distributed to","category":"intelligence","tags":["intelligence","real-time","geospatial"],"lastModified":"2026-03-18","source_ref":"content/modules/threat-detection-bigphish-phishing.md","url":"/developers/threat-detection-bigphish-phishing","htmlPath":"/developers/threat-detection-bigphish-phishing","jsonPath":"/api/docs/modules/threat-detection-bigphish-phishing","markdownPath":"/api/docs/modules/threat-detection-bigphish-phishing?format=markdown","checksum":"015447dbb490452becb733dd32fd1b89180afa343cbaeb702dd58adabcc0a498","headings":[{"id":"overview","text":"Overview","level":2},{"id":"key-features","text":"Key Features","level":2},{"id":"campaign-based-phishing-management","text":"Campaign-Based Phishing Management","level":3},{"id":"domain-analysis","text":"Domain Analysis","level":3},{"id":"campaign-and-domain-inventory","text":"Campaign and Domain Inventory","level":3},{"id":"clearance-filtered-phishing-records","text":"Clearance-Filtered Phishing Records","level":3},{"id":"use-cases","text":"Use Cases","level":2},{"id":"integration","text":"Integration","level":2}],"markdown":"# Threat Detection: BigPhish Phishing Intelligence\n\n## Overview\n\nA financial services firm's threat team noticed a spike in password-reset requests traced back to a domain registered forty-eight hours earlier: `secure-login-natwest-uk[.]com`. The domain had already been distributed to 6,000 employees via a spoofed HR email. By the time the first ticket arrived, BigPhish had already flagged the domain as part of a known banking-sector phishing campaign and fed the indicator directly into the email gateway blocklist. The attack was contained before a single credential was harvested.\n\nBigPhish applies Domain Generation Algorithm analysis and behavioural models to classify domains as phishing infrastructure. Unlike generic DGA analysis, it focuses specifically on phishing campaign detection: identifying algorithmically generated lookalike domains, typosquatting patterns, and mass-registered phishing domain families that target brands, government services, and financial institutions. Argus integrates BigPhish to automate the classification of suspect domains encountered in emails, network traffic, or threat intelligence feeds, removing the manual triaging bottleneck that delays response in high-volume phishing environments.\n\n```mermaid\nflowchart LR\n    A[Email Gateways] --> E[BigPhish Engine]\n    B[DNS Query Logs] --> E\n    C[Threat Intel Feeds] --> E\n    D[Newly Registered Domains] --> E\n    E --> F[Campaign Clustering]\n    E --> G[Brand Targeting Analysis]\n    E --> H[Confidence Scoring]\n    F --> I[Campaign Workflow Actions]\n    G --> J[Brand Protection Alerts]\n    H --> K[MISP / STIX Export]\n```\n\n## Key Features\n\n### Campaign-Based Phishing Management\n\nBigPhish organises detected phishing domains into campaigns: clusters of related domains that share a generation pattern or target the same brand. Each campaign carries a status (`active`, `inactive`, `investigating`) and an associated domain list. The Argus integration persists campaigns and their domains separately, supporting campaign-level workflow actions such as blocking all domains in a campaign or reporting it to the brand owner. This campaign model is essential for security operations centres handling high-volume phishing waves where individual-domain triaging is not scalable.\n\n### Domain Analysis\n\nSubmit any domain to `analyzeBigphishDomain` and receive a phishing classification with a confidence score, detected campaign association, and identified targeting pattern (brand impersonation, government service lookalike, banking sector phishing, and others). The classification is available synchronously, enabling inline enrichment at mail delivery time.\n\n### Campaign and Domain Inventory\n\nQuery active campaigns via `bigphishCampaigns` and the domain list for any campaign via `bigphishDomains`. Filter campaigns by status to focus on active threats requiring immediate action. The stats query returns counts by campaign status and targeting category, giving team leads a real-time view of the active phishing landscape.\n\n### Clearance-Filtered Phishing Records\n\nPhishing campaign records carry `secrecy_level` tags to support classified targeting scenarios, for example, classified-network-targeted spear phishing investigations where campaign metadata is restricted to cleared personnel only.\n\n## Use Cases\n\n- **Email Gateway Enrichment**: Before delivering a message containing a URL, query BigPhish to classify the domain. Confirmed phishing domains trigger quarantine without requiring analyst triage, reducing mean time to block significantly for high-volume campaigns.\n- **Brand Protection Monitoring**: Continuously submit newly registered domains matching an organisation's name patterns to BigPhish to detect phishing campaigns targeting employees or customers before abuse begins. Early detection gives the brand team time to issue takedown notices while the campaign is still warming up.\n- **Threat Intelligence Publishing**: Export confirmed BigPhish campaign domains as MISP events or STIX indicators to share phishing infrastructure intelligence with partner organisations and sector ISACs, contributing to collective defence against shared adversaries.\n- **Incident Response Context**: When an employee reports a phishing attempt, cross-reference the reported URL against BigPhish campaign records to determine campaign scope and identify other potential targets in the organisation, supporting rapid scoping of the incident.\n\n## Integration\n\nAvailable via GraphQL: `bigphishCampaigns`, `bigphishDomains`, `bigphishStats` (queries); `analyzeBigphishDomain` (mutation). All operations require authentication and organisation scoping.\n\nWorks alongside DGA Detective (complementary domain classification), MISP (phishing IOC sharing), SpiderFoot (phishing domain infrastructure mapping), and the Email Intelligence domain (inline URL analysis).\n\n**Last Reviewed:** 2026-03-18\n**Last Updated:** 2026-04-14\n"}