Rendered documentation
This page renders the module's Markdown and Mermaid directly from the public documentation source.
Overview
BigPhish is a phishing detection system that applies DGA (Domain Generation Algorithm) analysis and behavioural models to classify domains as phishing infrastructure. Unlike generic DGA analysis, BigPhish focuses specifically on phishing campaign detection -- identifying algorithmically generated lookalike domains, typosquatting patterns, and mass-registered phishing domain families targeting brands, government services, and financial institutions. Argus integrates BigPhish to automate the classification of suspect domains encountered in emails, network traffic, or threat intelligence feeds.
Key Features
Campaign-Based Phishing Management
BigPhish organises detected phishing domains into campaigns -- clusters of related domains that share a generation pattern or target the same brand. Each campaign has a status (active, inactive, investigating) and an associated domain list. The Argus integration persists campaigns and their domains separately, supporting campaign-level workflow actions like "block all domains in this campaign" or "report this campaign to the brand owner."
Domain Analysis
Submit any domain to analyzePhishingDomain and receive a BigPhish phishing classification with a confidence score, the associated campaign if one is detected, and the identified targeting pattern (brand impersonation, government service lookalike, banking sector phishing, etc.).
Campaign and Domain Inventory
Query active campaigns via bigPhishCampaigns and the domain list for any campaign via bigPhishDomains. Filter campaigns by status to focus on active threats requiring immediate action. The bigPhishStats query returns counts by campaign status and targeting category.
Clearance-Filtered Phishing Records
Phishing campaign records carry secrecy_level tags to support classified targeting scenarios -- for example, investigations of spear phishing aimed at classified networks, where the campaign metadata itself is restricted.
Use Cases
- Email Gateway Enrichment: Before delivering a message containing a URL, query BigPhish to classify the domain. Confirmed phishing domains trigger quarantine without requiring analyst triage.
- Brand Protection Monitoring: Continuously submit newly registered domains matching an organisation's name patterns to BigPhish to detect phishing campaigns targeting employees or customers before abuse begins.
- Threat Intelligence Publishing: Export confirmed BigPhish campaign domains as MISP events or STIX indicators to share phishing infrastructure intelligence with partner organisations and sector ISACs.
- Incident Response Context: When an employee reports a phishing attempt, cross-reference the reported URL against BigPhish campaign records to determine campaign scope and identify other potential targets in the organisation.
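The campaign and domain handling described under Key Features, together with the "block all domains in this campaign" and incident-response cross-reference use cases above, as an added example that is not part of Argus or BigPhish. The campaign status values and the secrecy_level tag are taken from this page; the record shape, the target category values, the clearance ladder and the sample inventory are constructed assumptions.

```python
"""Working with BigPhish campaign and domain records as a downstream consumer.

Added example, not Argus code. Field names other than status and
secrecy_level, the clearance ladder and all sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed clearance ladder, lowest to highest; a caller sees a record only
# when the record's secrecy_level is at or below the caller's clearance.
CLEARANCE_ORDER = ("public", "internal", "confidential", "secret")


@dataclass(frozen=True)
class Campaign:
    id: str
    name: str
    status: str           # active | inactive | investigating (from the page)
    target_category: str  # assumed values: banking, government, brand
    secrecy_level: str    # one of CLEARANCE_ORDER (assumed ladder)
    domains: tuple        # Argus persists these separately; joined here for brevity


# Constructed sample inventory; .test domains, not real phishing infrastructure.
CAMPAIGNS = (
    Campaign("c-1", "example-bank lookalikes", "active", "banking", "internal",
             ("examp1e-bank.test", "example-bank-login.test", "examplebank-secure.test")),
    Campaign("c-2", "gov portal typosquats", "investigating", "government", "secret",
             ("gov-portal-servlce.test", "govportal-renew.test")),
    Campaign("c-3", "retired brand family", "inactive", "brand", "public",
             ("oldbrand-promo.test",)),
)


def campaigns_by_status(campaigns, status):
    """Status filter, as the bigPhishCampaigns query offers it."""
    return [c for c in campaigns if c.status == status]


def stats(campaigns):
    """Counts by status and by targeting category, the shape bigPhishStats reports."""
    return {
        "by_status": dict(Counter(c.status for c in campaigns)),
        "by_target": dict(Counter(c.target_category for c in campaigns)),
    }


def visible_to(campaigns, clearance):
    """Apply the secrecy_level tag: drop records above the caller's clearance."""
    rank = CLEARANCE_ORDER.index(clearance)
    return [c for c in campaigns if CLEARANCE_ORDER.index(c.secrecy_level) <= rank]


def block_list(campaigns, campaign_id):
    """'Block all domains in this campaign': the denylist a gateway would load."""
    for c in campaigns:
        if c.id == campaign_id:
            return sorted(c.domains)
    raise KeyError(f"unknown campaign {campaign_id!r}")


def host_of(reported_url):
    """Lower-cased host of a reported URL; tolerates a missing scheme, a port and
    embedded credentials, which are common in user-reported links."""
    if "//" not in reported_url:
        reported_url = "http://" + reported_url
    host = urlsplit(reported_url).hostname
    if not host:
        raise ValueError(f"no host in {reported_url!r}")
    return host.rstrip(".")


def cross_reference(campaigns, reported_url):
    """Incident-response lookup: the campaign a reported URL belongs to and the
    sibling domains that may have reached other people in the organisation."""
    host = host_of(reported_url)
    for c in campaigns:
        if host in c.domains:
            return {
                "campaign": c.id,
                "status": c.status,
                "other_domains": sorted(d for d in c.domains if d != host),
            }
    return None


if __name__ == "__main__":
    print(stats(CAMPAIGNS))
    print(cross_reference(CAMPAIGNS, "https://user:pw@EXAMP1E-bank.test:8443/login"))
```

The clearance filter is applied before any other function sees the records, so a status filter or stats call run on `visible_to(...)` output cannot leak counts for campaigns the caller is not cleared for.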
Integration
Available via GraphQL: bigPhishCampaigns, bigPhishDomains, bigPhishStats (queries); analyzePhishingDomain, syncBigPhish (mutations). All operations require authentication and organisation scoping.
Works alongside DGA Detective (complementary domain classification), MISP (phishing IOC sharing), SpiderFoot (phishing domain infrastructure mapping), and the Email Intelligence domain (inline URL analysis).
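A client-side call to the GraphQL operations listed above, wired to the Email Gateway Enrichment use case, as an added example that is not Argus's own client. The operation names are from this page; the endpoint URL, the argument names, the response field names, the organisation-scoping header and the confidence threshold are assumptions.

```python
"""Calling the BigPhish operations over GraphQL and turning the verdict into a
gateway decision. Added example; everything but the operation names is assumed."""
import json
import urllib.request

ENDPOINT = "https://argus.example/graphql"  # placeholder endpoint

# Assumed argument and field names; the operation names are the documented ones.
OPERATIONS = {
    "analyzePhishingDomain": (
        "mutation ($domain: String!) { analyzePhishingDomain(domain: $domain) "
        "{ classification confidence campaignId targetingPattern } }"
    ),
    "bigPhishCampaigns": (
        "query ($status: String) { bigPhishCampaigns(status: $status) { id name status } }"
    ),
    "bigPhishDomains": (
        "query ($campaignId: ID!) { bigPhishDomains(campaignId: $campaignId) { domain } }"
    ),
    "bigPhishStats": "query { bigPhishStats { byStatus { status count } } }",
    "syncBigPhish": "mutation { syncBigPhish { ok } }",
}


def build_request(operation, variables, token, org_id):
    """Headers and JSON body for one operation. Every call carries the bearer
    token and an organisation id (header name assumed), matching the page's
    'authentication and organisation scoping' requirement."""
    if operation not in OPERATIONS:
        raise KeyError(f"unknown BigPhish operation {operation!r}")
    if not token or not org_id:
        raise ValueError("token and organisation id are both required")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {token}",
        "X-Organisation-Id": org_id,
    }
    body = json.dumps({"query": OPERATIONS[operation], "variables": variables or {}})
    return headers, body.encode()


def decide(raw_response, confirm_threshold=0.9):
    """Gateway decision from an analyzePhishingDomain response.

    GraphQL servers answer HTTP 200 even when the operation failed, so the
    'errors' key is checked first and the message is held for triage (fail
    closed) instead of being delivered on a missing verdict."""
    doc = json.loads(raw_response)
    if doc.get("errors"):
        return {"action": "hold", "reason": doc["errors"][0].get("message", "graphql error")}
    verdict = (doc.get("data") or {}).get("analyzePhishingDomain")
    if not verdict:
        return {"action": "hold", "reason": "no verdict in response"}
    if verdict["classification"] == "phishing":
        if verdict["confidence"] >= confirm_threshold:
            return {"action": "quarantine", "campaign": verdict.get("campaignId")}
        return {"action": "hold", "reason": "low-confidence phishing verdict"}
    return {"action": "deliver"}


def call(operation, variables, token, org_id, transport=None):
    """POST the operation; `transport(headers, body) -> bytes` lets tests and
    offline runs replace the network call."""
    headers, body = build_request(operation, variables, token, org_id)
    if transport is not None:
        return transport(headers, body)
    req = urllib.request.Request(ENDPOINT, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def classify_for_gateway(domain, token, org_id, transport=None):
    """Email gateway enrichment: one call per URL domain, one decision back."""
    raw = call("analyzePhishingDomain", {"domain": domain}, token, org_id, transport)
    return decide(raw)
```

Only a confirmed high-confidence verdict quarantines without analyst triage; a low-confidence phishing verdict and any transport or GraphQL error both land in the hold queue, so an outage of the classifier degrades to slower delivery rather than to silent pass-through.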
Last Reviewed: 2026-03-18