Validate detection of active phishing campaigns using the OpenPhish real-time threat feed
The known_phish() function tests your network’s ability to detect and block access to active phishing websites. It uses the OpenPhish community feed, which contains URLs of verified phishing sites and is updated in real time.
This module uses the OpenPhish community threat feed:
OpenPhish Feed - https://openphish.com/feed.txt
OpenPhish provides a continuously updated list of verified phishing URLs. The feed contains hundreds to thousands of active phishing sites targeting various brands and services.
Downloads the latest phishing URL list from OpenPhish.
```python
import requests

urls = 'https://openphish.com/feed.txt'
response = requests.get(urls)
if response.status_code == 200:
    # Save the feed under its own file name (feed.txt)
    file_name = urls.split("/")[-1]
    with open(file_name, "w") as f:
        f.write(response.text)
```
2. Random URL Selection
Randomly selects 15 URLs from the feed and validates them using URL pattern matching.
```python
for file in saved_files:
    with open(file, 'r') as f:
        lines = f.readlines()
    for _ in range(15):
        randomURL = random.choice(lines)
        if check_url(randomURL):
            sampleURL.append(randomURL)
```
3. HTTP Connection Testing
Attempts HTTP GET requests to each phishing URL with a 5-second timeout.
```python
for url in sampleURL:
    try:
        response = requests.get(url, timeout=5)
        if response.status_code == 200:
            pass  # Log successful connection
    except Exception:
        pass  # Blocked, timed out or unreachable: log as FAILED
```
4. Results Logging
Logs all connection attempts with timestamps to URL_Results.txt, indicating success or failure.
5. Cleanup
Removes the temporary downloaded feed file after testing completes.
Results are saved to URL_Results.txt with the following format:
```
Timestamp:14:25:12 URL:http://phishing-example.com/fake-login test SUCCESSFUL
Timestamp:14:25:18 URL:http://malicious-site.xyz/credential-harvest test FAILED
Timestamp:14:25:23 URL:https://spoofed-brand.com/verify test SUCCESSFUL
```
```python
import os
import random
import time

import requests
from tqdm import tqdm

# check_url() is the URL pattern check from step 2; it is not shown on this page.


def known_phish():
    urls = 'https://openphish.com/feed.txt'
    saved_files = []
    print("Downloading Samples")
    response = requests.get(urls)
    if response.status_code == 200:
        file_name = urls.split("/")[-1]
        with open(file_name, "w") as f:
            f.write(response.text)
        saved_files.append(file_name)

    sampleURL = []
    for file in saved_files:
        with open(file, 'r') as f:
            lines = f.readlines()
        for _ in range(15):
            randomURL = random.choice(lines)
            if check_url(randomURL):
                sampleURL.append(randomURL)
    sampleURL = [x.strip() for x in sampleURL]

    # Append mode keeps results from earlier runs; the file is closed on exit
    with open("URL_Results.txt", mode="a+") as myFile:
        for url in tqdm(sampleURL, desc="Testing 15 samples from OpenPhish results saved to URL_Results.txt"):
            try:
                response = requests.get(url, timeout=5)
                if response.status_code == 200:
                    current_time = time.strftime("%X")
                    resultUP = f"Timestamp:{current_time} URL:{url} test SUCCESSFUL\n"
                    myFile.write(resultUP)
                else:
                    current_time = time.strftime("%X")
                    resultDOWN = f"Timestamp:{current_time} URL:{url} test FAILED\n"
                    myFile.write(resultDOWN)
            except Exception:
                # Blocked, timed out or unreachable: still logged, as FAILED
                current_time = time.strftime("%X")
                myFile.write(f"Timestamp:{current_time} URL:{url} test FAILED\n")

    # Remove the temporary feed file
    for file_name in saved_files:
        os.remove(file_name)
```
Your web proxy or content filter should block access to these phishing URLs before connections complete.
DNS Security
DNS security services should prevent resolution of known phishing domains.
URL Reputation
Security gateways should flag these URLs based on reputation scores and threat intelligence.
User Alerts
Endpoint security solutions should warn users if they attempt to access these sites.
SUCCESSFUL connections to phishing URLs indicate a security gap. These are verified active phishing sites - your web security controls should block them.
```bash
# Run Somnium and select option 2
python main.py
# Choose: #2 Test connection with known Phishing URLs

# Review results
cat URL_Results.txt

# Check your security logs
# - Web proxy logs
# - DNS query logs
# - Firewall application control logs
```
The test attempts to connect to 15 random phishing URLs from the live feed. Some URLs may be offline or taken down, which is expected behavior and will show as FAILED.
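To turn URL_Results.txt into something you can pivot on in proxy and DNS logs, the following added example (not part of Somnium) parses the result format shown above and lists the hosts that were reachable. The `summarize` function and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Line layout written by known_phish(). The timestamp comes from
# time.strftime("%X"), which is locale-dependent and may contain spaces.
LINE_RE = re.compile(
    r"^Timestamp:(?P<ts>.+?) URL:(?P<url>\S+) test (?P<result>SUCCESSFUL|FAILED)$"
)

# Constructed sample in the URL_Results.txt format (not real feed data).
SAMPLE = """\
Timestamp:14:25:12 URL:http://phishing-example.com/fake-login test SUCCESSFUL
Timestamp:14:25:18 URL:http://malicious-site.xyz/credential-harvest test FAILED
Timestamp:02:25:23 PM URL:https://spoofed-brand.com/verify test SUCCESSFUL
Timestamp:14:25:30 URL:http://phishing-example.com/other test SUCCESSFUL
not a result line
"""


def summarize(text):
    """Return (counts per result, reachable hosts in first-seen order, unparsed lines)."""
    counts = Counter()
    reachable_hosts = []
    skipped = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            if line:
                skipped.append(line)  # keep malformed lines visible, do not drop silently
            continue
        counts[m["result"]] += 1
        if m["result"] == "SUCCESSFUL":
            host = (urlsplit(m["url"]).hostname or "").lower()
            if host and host not in reachable_hosts:
                reachable_hosts.append(host)
    return counts, reachable_hosts, skipped


if __name__ == "__main__":
    counts, hosts, skipped = summarize(SAMPLE)
    total = sum(counts.values())
    print(f"{counts['SUCCESSFUL']}/{total} phishing URLs were reachable")
    for h in hosts:
        print("search proxy/DNS logs for:", h)
    print(f"{len(skipped)} unparsed line(s)")
```

Because the results file is opened in append mode and the timestamp carries no date, lines from earlier runs accumulate; rotate or clear the file between runs if you want per-run figures.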