

This script is part of the Phishing URL Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Predict phishing URLs using a pre-trained model.

Security Recommendations

This script uses the Rasterize integration. If this script is used to rasterize untrusted URLs, we strongly recommend following the security recommendations included in the Rasterize documentation.

Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Cortex XSOAR Version | 6.0.0 |

Used In

This script is used in the following playbooks and scripts.

Phishing - Machine Learning Analysis


| Argument Name | Description |
| --- | --- |
| urls | Space-separated list of URLs. |
| emailBody | Body of the email for URL extraction. |
| emailHTML | HTML of the email for URL extraction. |
| maxNumberOfURL | Maximum number of extracted URLs on which to run the model. |
| forceModel | Whether to force the model to run if the URL belongs to the whitelist. If True, the model will run in every case. If False, the model will run only if the URL does not belong to the whitelist. |
| resetModel | Whether to reset the model to the model existing in Docker. |
| debug | Whether to enter debug mode. |
| reliability | Reliability of the source providing the intelligence data. |


| Path | Description | Type |
| --- | --- | --- |
| DBotPredictURLPhishing.URL | URL on which the model ran. | String |
| DBotPredictURLPhishing.FinalVerdict | Final verdict of the URL. | String |
| DBotPredictURLPhishing.UseOfSuspiciousLogo | Whether a logo (from our list of the companies most commonly used in phishing) has been fraudulently used. Our predefined list of logos is: Paypal, Instagram, Gmail, Outlook, Linkedin, Facebook, Ebay, amazon, Google, Microsoft. | String |
| DBotPredictURLPhishing.HasLoginForm | Whether there is a login form in the HTML. Phishing attacks usually aim to steal credentials from the victim, and attackers use login forms to retrieve this information. | String |
| DBotPredictURLPhishing.URLStaticScore | Probability that the URL is malicious, based only on the URL syntax. | Number |
| DBotPredictURLPhishing.BadSEOQuality | Whether the domain has good search engine optimization (SEO). Malicious domains tend to have poor SEO. | String |
| DBotPredictURLPhishing.NewDomain | Whether the domain is younger than 6 months. New domains tend to be malicious. | String |
| DBotPredictURLPhishing.TopMajesticDomain | Whether the domain belongs to the top Majestic domain list. If it does, we will always consider this domain as benign. | String |
| DBotScore.Score | Severity score. | Number |

Script Examples

Example command


Context Example


Human Readable Output

Phishing prediction summary for URLs

| URL | Final Verdict |
| --- | --- |
| http://google.com | Benign - whitelisted |