Implementing Phish scoring

Curious how I can determine the confidence of the intel gathered around an event. Like how to implement Phish scoring, how much criteria is needed when deciding if it is an actual incident and what the severity of that incident may be…

1 Like

I would recommend encapsulating all the fields into a Python script (rather than trying to rig up a small suite of calculated fields). You could create a script that performs several dozen regex operations on email data to determine whether or not a given message scores high enough to warrant further investigation.


This was passed on to me. Figured I’d return the favor


Thanks @Java and @john.grigg!!!

Hi @Oscar,

in we don’t tackle directly the problem of Phish scoring. We are more focused on how trustable is an IP, domain or Email address (or all of them altogether) because we are targeting companies that need to know what kind of user would be somebody using email X from provider Y connecting from network Z.

Our algorithms (implemented in Python, but this is just for the sake of curiosity) fill a ‘scoring card’. This scoring card has all the individual scores for each test made. Then we sum all individual scores to obtain a global score. Right now our customers cannot modify this scoring card to assign ‘weights’ to each individual score, but we will do it in the next releases.

You can read the details of each test in this blog post about Email Verification and Validation we wrote recently.

Hence, a naive approach would be the higher the score, the more critical the event. But we have learned that each customer has different levels of “criticity”. IMHO the level of “criticity” is something the customer should customize based on her needs and experience.

1 Like

Thanks!!! This is very helpful!

1 Like