Inspiration

Customer-facing companies are often targeted by phishing campaigns that use look-alike domains and pages. Using a very simple approach, we can detect phishing campaigns while they are still being prepared, at the moment the certificate for the look-alike domain is issued.

What it does

  • Monitor certificate issuers and download any public and newly issued certificates
  • Initial matching of domains (using the certificate's common_name) with custom regular expressions to find similar company names
  • Create a screenshot of the potential phishing domain using a custom Google Cloud function with Puppeteer (also present in Git repo)
  • Detect any logos on the screenshot using the CloudVision API (and provide the related company)
  • Increase the severity if the logo detection matches with your own company name
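The matching and severity logic described above, as an added example rather than code from the project itself: it runs the regex step over a constructed batch of newly issued certificates, skips domains the company legitimately owns, and raises the severity when a (simulated) logo-detection result names the company. The brand "Example Bank", the patterns, the sample certificates and the incident field names are all assumptions for illustration, not taken from the pack.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of newly issued certificates, shaped like what a CT-log
# watcher surfaces (common_name plus subject alternative names). Not real data.
SAMPLE_CERTS = [
    {"common_name": "login-examplebank.com", "san": ["login-examplebank.com"]},
    {"common_name": "examp1ebank-secure.net",
     "san": ["examp1ebank-secure.net", "www.examp1ebank-secure.net"]},
    {"common_name": "examplebank.com", "san": ["examplebank.com", "www.examplebank.com"]},
    {"common_name": "weather-widgets.org", "san": []},
]

# Domains the company owns; exact matches are legitimate renewals, not abuse.
OWN_DOMAINS = {"examplebank.com", "www.examplebank.com"}

# Custom regular expressions for the brand name. The first one also catches the
# common "1 for l" substitution used in look-alike domains (hypothetical brand).
BRAND_PATTERNS = [
    re.compile(r"examp[l1]ebank", re.IGNORECASE),
    re.compile(r"example-?bank", re.IGNORECASE),
]


@dataclass
class Candidate:
    domain: str
    matched_pattern: str
    severity: int  # 1 = low, 2 = medium, 3 = high (assumed XSOAR-style scale)
    reasons: list = field(default_factory=list)


def match_domains(certs, patterns=BRAND_PATTERNS, own=OWN_DOMAINS):
    """Initial matching step: every common_name/SAN that hits a brand pattern
    and is not company-owned becomes a low-severity candidate. Domains are
    deduplicated across certificates so one host yields one candidate."""
    seen = set()
    hits = []
    for cert in certs:
        names = {cert["common_name"], *cert.get("san", [])}
        for name in sorted(names):
            lowered = name.lower()
            if lowered in own or lowered in seen:
                continue
            for pat in patterns:
                if pat.search(lowered):
                    seen.add(lowered)
                    hits.append(Candidate(
                        domain=lowered,
                        matched_pattern=pat.pattern,
                        severity=1,
                        reasons=[f"regex match on {pat.pattern}"],
                    ))
                    break
    return hits


def enrich_with_logos(candidate, detected_logos, company="Example Bank"):
    """Enrichment step: `detected_logos` stands in for the logo descriptions a
    vision API returns for the screenshot. If one of them is our own company,
    the page is impersonating us and the candidate is raised to high severity."""
    wanted = company.strip().lower()
    for logo in detected_logos:
        if logo.strip().lower() == wanted:
            candidate.severity = 3
            candidate.reasons.append(f"logo detection matched own brand: {logo}")
            break
    return candidate


def build_incident(candidate):
    """Shape the candidate as an incident dict for a custom BrandAbuse type.
    Field names (name/type/severity/details) are assumed for illustration."""
    return {
        "name": f"Possible brand abuse: {candidate.domain}",
        "type": "BrandAbuse",
        "severity": candidate.severity,
        "details": "; ".join(candidate.reasons),
    }


if __name__ == "__main__":
    for cand in match_domains(SAMPLE_CERTS):
        # Pretend the screenshot of the first look-alike showed our logo.
        logos = ["Example Bank"] if cand.domain.startswith("login-") else []
        print(build_incident(enrich_with_logos(cand, logos)))
```

In a real deployment the periodic playbook would feed the live certificate stream into `match_domains`, and the enrichment playbook would call the screenshot function and the logo detector before `enrich_with_logos`; only the shape of those two steps is shown here.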

What it contains

  • A custom integration to interact with Transparency log providers
  • Script to decode Base64 and save output as a file
  • Custom IncidentTypes definition
  • Set of playbooks to:
    • Monitor transparency logs and create a new incident as custom type BrandAbuse (this playbook should be run as a periodic job in XSOAR)
    • Automatically enrich custom type BrandAbuse to create a screenshot using a custom GCloud function and detect the logos using GCloud Vision API
  • Several unit tests
  • Custom code for a Google Cloud function to create screenshots with Puppeteer (https://github.com/d3vzer0/xsoar-hackathon-pack)
  • Custom demisto docker image containing the Python libraries to decode the certificates (https://github.com/d3vzer0/xsoar-certificate-transparency)

How I built it

Using demisto-sdk and a lot of Python code, custom containers and Google Cloud Functions.

Challenges I ran into

First time developing custom integrations and using the SDK, so it took a lot of effort to get everything set up. The public cloud instance wasn't performing that well, so I used a local development deployment instead.

What I learned

Getting to know XSOAR inside out :)

What's next for Detecting brand abuse using CT logs and logo detection

Fine-tuning and deduplication, adding more enrichment.
