Direct answer
What should a MISP phishing event include? Indicator, source, confidence, confirmation state, timestamp, evidence, liveness and relationship context.
Research framing
A phishing feed is only useful in MISP when downstream teams can judge confidence and act without guessing how a row was produced.
Attack mechanism
PhishNet events should map domains, URLs, IPs, phones, IBANs, kits, campaigns, brands and evidence as related objects rather than a flat list.
Evidence and source model
Evidence includes source provenance, capture time, screenshot or archive status, liveness state, Belgian relevance and graph links.
Belgian and European relevance
Belgian sharing communities benefit from preserving local brands, language cues, FSMA/Safeonweb overlap, BIPT context and cross-border Benelux reuse.
How PhishNet operationalizes this
PhishNet exports daily deltas, verified-live URLs, fake platforms, smishing routes, mule routes and campaign clusters with explicit state fields.
Analyst implications
The operational question is not whether an isolated row looks interesting. The question is whether the signal is fresh, provenance-rich, corroborated, evidence-ready and connected to brands, sectors, infrastructure, kits, mule routes or public-warning context. PhishNet therefore presents confirmed, corroborated suspicious, review-candidate and context-only states separately.
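The related-object model and separate confirmation states described above can be sketched as a MISP-format event. This is an added example, not PhishNet's export code: the `example:` tag namespace, the state names as spelled here, the observation keys and the rule that only confirmed, live indicators get `to_ids` are assumptions, and the sample observation is constructed.

```python
import uuid

# Hypothetical state names and tag namespace for this example (not PhishNet's export schema).
STATES = ("confirmed", "corroborated-suspicious", "review-candidate", "context-only")

def misp_object(name, meta_category, attrs, to_ids):
    """Build one MISP object; attrs is a list of (object_relation, type, value)."""
    return {
        "name": name, "meta-category": meta_category, "uuid": str(uuid.uuid4()),
        "Attribute": [{"object_relation": rel, "type": typ, "value": val,
                       # timestamps are context, never detection signatures
                       "to_ids": to_ids and typ != "datetime"}
                      for rel, typ, val in attrs],
        "ObjectReference": [],
    }

def link(src, dst, relationship="related-to"):
    """Record a graph edge from src to dst instead of leaving rows unconnected."""
    src["ObjectReference"].append(
        {"referenced_uuid": dst["uuid"], "relationship_type": relationship})

def build_event(obs):
    if obs["state"] not in STATES:
        raise ValueError("unknown confirmation state: %r" % obs["state"])
    # Assumed policy: only confirmed, currently live indicators are flagged for blocking.
    actionable = obs["state"] == "confirmed" and obs["live"]
    url = misp_object("url", "network", [("url", "url", obs["url"]),
                      ("first-seen", "datetime", obs["captured_at"])], actionable)
    host = misp_object("domain-ip", "network", [("domain", "domain", obs["domain"]),
                       ("ip", "ip-dst", obs["ip"])], actionable)
    mule = misp_object("bank-account", "financial", [("iban", "iban", obs["iban"])], False)
    link(url, host)   # URL -> hosting infrastructure
    link(mule, url)   # mule route -> lure that advertised it
    tags = ['example:state="%s"' % obs["state"],
            'example:liveness="%s"' % ("live" if obs["live"] else "not-live"),
            'example:source="%s"' % obs["source"]]
    return {"Event": {
        "info": "Phishing: %s impersonation (%s)" % (obs["brand"], obs["state"]),
        "date": obs["captured_at"][:10],
        "analysis": "2" if obs["state"] == "confirmed" else "0",
        "Tag": [{"name": t} for t in tags],
        "Object": [url, host, mule],
    }}

# Constructed sample observation; all values are placeholders.
SAMPLE = {"url": "https://login.bank.example/verify", "domain": "login.bank.example",
          "ip": "192.0.2.10", "iban": "BE00PLACEHOLDER0000", "brand": "ExampleBank",
          "source": "user-report", "state": "review-candidate", "live": True,
          "captured_at": "2024-01-15T09:30:00Z"}
```

A review candidate still exports with its state tag and graph links, but no attribute carries `to_ids`, so a consumer that pushes IDS-flagged attributes to blocklists will not act on it.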
Limits and uncertainty
Public examples remain redacted; authenticated feeds carry operational IOCs according to role and policy.
Research takeaway
Phishing intelligence becomes valuable when repeated structure appears: the same brand on new infrastructure, the same kit across domains, the same phone or IBAN route after takedowns, the same ad/search pathway, or the same evidence pattern in multiple independent source families.
How PhishNet uses this
Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.
Selected sources and research
These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.
Common questions
What should a MISP phishing event include?
Indicator, source, confidence, confirmation state, timestamp, evidence, liveness and relationship context.
Are review candidates exportable?
Yes, but they remain labeled as review candidates rather than confirmed threats.