Platform capability

PhishNet knowledge graph

The graph is the centre: indicators, sources, evidence, brands, kits, campaigns and fraud routes connected for action.

Direct answer

Why use a graph? It exposes reuse and relationships that flat IOC tables hide.

Research framing

A graph model is necessary because phishing is relational. Flat rows hide the fact that several domains can share a certificate, favicon, kit, payment route, sender, source family or campaign timing.

Attack mechanism

Relationships include redirects, resolves-to, shared certificate, same favicon, same DOM or JS hash, same kit, same sender, same mule route, same operator handle, same campaign, targets brand, seen in source and has evidence.

Evidence and source model

Evidence quality travels with the graph: every entity should state its source, freshness, liveness, confirmation state, evidence readiness and export availability.

Belgian and European relevance

Belgian intelligence benefits because the graph connects local brands and official baselines with global infrastructure, non-local TLDs, cross-border campaigns and active OSINT.

How PhishNet operationalizes this

PhishNet uses the graph to power Belgian Live Feed, Campaign DNA, Kit Weakness Intelligence, Operator Discovery, CERT handoff and exports.

Analyst implications

The operational question is not whether an isolated row looks interesting. The question is whether the signal is fresh, provenance-rich, corroborated, evidence-ready and connected to brands, sectors, infrastructure, kits, mule routes or public-warning context. PhishNet therefore presents confirmed, corroborated suspicious, review-candidate and context-only states separately.

Limits and uncertainty

Graph edges can be inferred rather than confirmed. The UI must label inferred operational clusters clearly and avoid legal attribution without analyst confirmation.
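The relational model and the inferred-edge labelling described above can be sketched as follows. This is an added example, not PhishNet's own code; the field names, the `confirmed` parameter and the sample rows are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample rows (not real indicators); field names are assumptions.
ROWS = [
    {"domain": "login-bank.example", "cert": "cert-A", "favicon": "fav-1", "kit": "kit-x"},
    {"domain": "secure-bank.example", "cert": "cert-A", "favicon": "fav-2", "kit": None},
    {"domain": "parcel-fee.example", "cert": "cert-B", "favicon": "fav-2", "kit": "kit-y"},
    {"domain": "tax-refund.example", "cert": "cert-C", "favicon": "fav-3", "kit": "kit-z"},
]
RELATIONS = {"cert": "shared certificate", "favicon": "same favicon", "kit": "same kit"}

def build_edges(rows, confirmed=frozenset()):
    """Link domains sharing an attribute value; edges stay inferred unless analyst-confirmed."""
    by_value = defaultdict(list)
    for row in rows:
        for field in RELATIONS:
            if row.get(field):  # skip missing attributes instead of linking on None
                by_value[(field, row[field])].append(row["domain"])
    edges = []
    for (field, value), domains in sorted(by_value.items()):
        for a, b in combinations(sorted(domains), 2):
            state = "confirmed" if (a, b, field) in confirmed else "inferred"
            edges.append({"a": a, "b": b, "relation": RELATIONS[field], "via": value, "state": state})
    return edges

def clusters(rows, edges):
    """Connected components via union-find; unlinked domains remain singletons."""
    parent = {r["domain"]: r["domain"] for r in rows}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for e in edges:
        parent[find(e["a"])] = find(e["b"])
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    edges = build_edges(ROWS)
    for e in edges:
        print(f'{e["a"]} --[{e["relation"]}, {e["state"]}]--> {e["b"]}')
    print(clusters(ROWS, edges))
```

No single row connects `login-bank.example` to `parcel-fee.example`; the link only appears through the intermediate domain that shares a certificate with one and a favicon with the other, and both edges remain labelled inferred.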

Research takeaway

Phishing intelligence becomes valuable when repeated structure appears: the same brand on new infrastructure, the same kit across domains, the same phone or IBAN route after takedowns, the same ad/search pathway, or the same evidence pattern in multiple independent source families.

How PhishNet uses this

Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.

Selected sources and research

These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.

Common questions

Is operator discovery attribution?

No. It is inferred operational clustering unless analyst-confirmed.
