Integration guide

MISP and STIX phishing sharing

PhishNet exports are designed to carry context, not just indicators: provenance, confirmation state, liveness, evidence URL, country relevance and graph links.

Request demoRead researchOpen dashboard

Direct answer

Does PhishNet support MISP? Yes. MISP-compatible export paths and feed documentation are part of the platform plan and public integration guidance.

Research framing

MISP/STIX consumers need stable schemas, confidence and source provenance.

Attack mechanism

PhishNet separates confirmed, suspicious, review and context-only states so sharing communities do not receive flattened noisy labels.

Evidence and source model

Public documentation shows field names, redaction model and sample ingestion concepts; operational feed access requires authorization.

Belgian and European relevance

Belgian and country-pack exports can be filtered by brand, sector, liveness, source tier, campaign and evidence readiness.

How PhishNet operationalizes this

Use this guide to request feed access or align an existing MISP/OpenCTI workflow with PhishNet exports.

Analyst implications

The operational question is not whether an isolated row looks interesting. The question is whether the signal is fresh, provenance-rich, corroborated, evidence-ready and connected to brands, sectors, infrastructure, kits, mule routes or public-warning context. PhishNet therefore presents confirmed, corroborated suspicious, review-candidate and context-only states separately.

Limits and uncertainty

Public examples are sanitized and do not expose live harmful IOCs.

Research takeaway

Phishing intelligence becomes valuable when repeated structure appears: the same brand on new infrastructure, the same kit across domains, the same phone or IBAN route after takedowns, the same ad/search pathway, or the same evidence pattern in multiple independent source families.

How PhishNet uses this

Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.

Selected sources and research

These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.

APWG Phishing Activity Trends Reports ENISA Threat Landscape 2025 Why Phishing Works, Dhamija, Tygar and Hearst, CHI 2006 CCB Belgium: phishing messages surge urlscan.io API documentation Microsoft Ad Library API Common Crawl CDX Index

Common questions

Does PhishNet support MISP?

Yes. MISP-compatible export paths and feed documentation are part of the platform plan and public integration guidance.

Are public examples operational?

No. Public integration examples are sanitized.

Related reading

Solutions

Phishing OSINT for CERT and CSIRT teams

Country-level phishing, smishing, active OSINT, kit intelligence, evidence and export workflows for national and sector response teams.
Data

Source quality and evidence readiness

A public-safe view of how source contribution, corroboration and evidence completeness affect phishing response.