Why Sharing Phishing Intelligence Matters: Collaboration, Standards, and Trust

Shared phishing intelligence helps defenders turn isolated detections into early warnings, coordinated mitigation, and stronger protection for SMEs.

Phishing is not just a detection problem. It is a visibility problem.

Most organisations focus on identifying the malicious email that reaches an employee's inbox. But that email is one data point in a much larger infrastructure, one that no single organisation can see in full. Attackers reuse domains, hosting providers, and credential-harvesting kits across hundreds of targets simultaneously. By the time one team detects a new phishing site, the campaign may have already moved on.

Bridging this visibility gap requires a shift from isolated detection to collective intelligence. In this article, we explore why sharing phishing intelligence matters, how standards like MISP, STIX, and TAXII make that sharing actionable, and how trust frameworks like TLP make it responsible.

This visibility gap is illustrated in Figure 1, which shows how separate organisations each observe only a limited part of a broader phishing campaign infrastructure.

[Image: Illustration of a phishing infrastructure showing how a credential harvesting page is connected to a hosting server, domain registrar, target organisations, and multiple servers across a network.]
Figure 1 - Different organisations only see a fraction of a global phishing campaign's infrastructure, highlighting the blind spots created by isolated defence.

Phishing Intelligence as a Collective Defence Signal

Phishing intelligence gains its value through speed and volume.

The technical signals involved, including malicious URLs, compromised domains, IP addresses linked to attacker infrastructure, and file hashes of malicious attachments, are what defenders call Indicators of Compromise, or IoCs. On their own, they help one team respond to one incident. Shared quickly, they can become a proactive block for thousands of organisations before a campaign even reaches them.

Most indicators have a short shelf life. Attackers rotate URLs and IP addresses frequently to stay ahead of blocklists. This is precisely why timely sharing matters. A detection in one network, contributed to a shared platform within minutes, can protect organisations that have not yet seen the campaign at all. Beyond individual IoCs, shared intelligence also captures infrastructure patterns: how an attacker spoofs sender addresses, which hosting environments they favour, or which phishing kits they reuse across operations.

Collaboration Across the Ecosystem

No single actor has the full picture of the phishing landscape.

Small and medium-sized enterprises are often among the first to receive signals from a new campaign targeting their sector. CERTs act as central hubs, aggregating reports from across national and sectoral boundaries. ISPs and domain registrars have visibility into the underlying infrastructure. Security researchers track threat actor behaviour and campaign patterns. Law enforcement follows the money.

Each of these actors sees a different slice of the same threat. Collaboration connects those slices. When a financial institution shares details of a newly identified phishing kit, other organisations can apply those findings immediately, without repeating the analysis from scratch. This is not just an efficiency gain; it is a structural advantage. Attackers benefit from the fragmentation of defenders. Intelligence sharing directly undermines that advantage.

Figure 2 shows how collaboration connects these different perspectives, turning isolated signals from SMEs, CERTs, ISPs, and researchers into a stronger collective defence model.

[Image: Diagram showing information exchange between a central cybersecurity platform and key stakeholders, including SMEs, domain registrars, CERT/response teams, ISPs, and security researchers.]
Figure 2 - A collaboration model showing the flow of threat intelligence between SMEs, CERTs, ISPs, and researchers, illustrating how shared signals prevent redundant investigation.

Standards Make Intelligence Actionable

Raw lists of URLs are not enough.

For threat intelligence to be useful at scale, it must be structured and machine-readable. Without common formats, security teams spend time cleaning and converting data instead of acting on it. Three standards form the foundation of modern phishing intelligence sharing: MISP, STIX, and TAXII.

MISP, the Malware Information Sharing Platform, is an open-source platform used worldwide to store, correlate, and distribute threat intelligence. It organises data into events, which serve as containers for contextually linked information, and attributes, which are individual data points such as IP addresses or domain names. Crucially, MISP's correlation engine automatically surfaces relationships between seemingly unrelated incidents, identifying when the same attacker infrastructure appears across different targets, even when those targets were reported by different organisations.

STIX and TAXII complete the picture. STIX, short for Structured Threat Information eXpression, provides a standardised language for describing threats in a way both humans and machines can parse. It captures not just the indicator itself but its context: attacker motivation, capabilities, and relationships to other threats. TAXII, or Trusted Automated eXchange of Intelligence Information, defines how that STIX-formatted data is transmitted between parties via an API. Together, they ensure that intelligence produced by one platform can be ingested and acted upon by another without manual intervention.

Figure 3 illustrates this process in practice, showing how a malicious URL can be structured in STIX, exchanged through TAXII, and ingested into MISP for correlation and action.

[Image: Diagram showing the transformation of a raw malicious URL into structured STIX threat intelligence format, which is then shared with a MISP platform through an API and TAXII.]
Figure 3 - An example of structured threat data, showing how a malicious URL is represented in STIX format and transmitted via TAXII to a MISP instance.

TLP and the Trust Layer

Standards solve the technical problem of sharing. Trust solves the human one.

Organisations often hesitate to share information about phishing incidents. Fears of exposing internal vulnerabilities, reputational risk, or legal complications are all legitimate barriers. The Traffic Light Protocol, or TLP, addresses this directly. It is a simple, colour-coded framework that gives the source of intelligence explicit control over how widely it can be circulated.

  • TLP:RED is for named recipients only. Information at this level must not leave the specific exchange in which it was shared.
  • TLP:AMBER permits sharing within the recipient's organisation and with clients who need it to act on the threat.
  • TLP:GREEN can be shared within a wider community or sector, but not through public channels.
  • TLP:CLEAR carries no sharing restrictions and may be made fully public.

By applying these markings, organisations can contribute sensitive data with confidence that it will be handled according to their rules. This trust layer is what makes high-speed collaboration operationally viable. Without it, the incentive to share disappears.
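As an added example (not ThreatChase project code) tying together the STIX/MISP structure described under Standards and the four TLP levels listed above: it builds a STIX 2.1 Indicator for a phishing URL sighting, derives the MISP url attribute an event would hold, and applies the TLP audience rule and the indicator's short shelf life before release. Tag names follow MISP's tlp taxonomy; the sample URL, timestamps, audience names and seven-day lifetime are constructed assumptions.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Audiences each TLP level permits, following the four levels listed above.
TLP_AUDIENCE = {"tlp:red": {"named"}, "tlp:amber": {"named", "internal", "client"},
                "tlp:green": {"named", "internal", "client", "community"},
                "tlp:clear": {"named", "internal", "client", "community", "public"}}

def _ts(dt):  # STIX 2.1 timestamps are RFC 3339 in UTC with a trailing Z
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def stix_url_indicator(url, tlp, observed_at, ttl_days=7):
    """STIX 2.1 Indicator (plain dict) for a phishing URL. The pattern quotes the
    value, so backslashes and single quotes inside it must be escaped."""
    escaped = re.sub(r"([\\'])", r"\\\1", url)
    ts = _ts(observed_at)
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "valid_from": ts,
            "valid_until": _ts(observed_at + timedelta(days=ttl_days)),  # short shelf life
            "name": "Phishing credential-harvesting URL",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix", "pattern": f"[url:value = '{escaped}']",
            "labels": [tlp]}

def to_misp_attribute(indicator):
    """The MISP attribute an event would store for this indicator."""
    m = re.fullmatch(r"\[url:value = '(.*)'\]", indicator["pattern"])
    if not m:
        raise ValueError("only simple url patterns are handled here")
    value = re.sub(r"\\(.)", r"\1", m.group(1))  # undo pattern escaping
    return {"type": "url", "category": "Network activity", "value": value,
            "to_ids": True, "Tag": [{"name": t} for t in indicator["labels"]]}

def may_share(indicator, audience, now):
    """Push only if the TLP tag permits the audience and the indicator is still live."""
    tlp = next((t for t in indicator["labels"] if t in TLP_AUDIENCE), None)
    if tlp is None:
        return False  # unmarked intelligence is never released (assumed default)
    return audience in TLP_AUDIENCE[tlp] and _ts(now) < indicator["valid_until"]

def run_demo():
    """Constructed sighting: a URL containing a quote, tagged TLP:GREEN, seen 2024-05-01."""
    seen = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    ind = stix_url_indicator("https://login.example.invalid/a?q=it's", "tlp:green", seen)
    day1, day8 = seen + timedelta(days=1), seen + timedelta(days=8)
    return ind, to_misp_attribute(ind), {"community_day1": may_share(ind, "community", day1),
                                         "public_day1": may_share(ind, "public", day1),
                                         "community_day8": may_share(ind, "community", day8)}
```

The same sighting is refused to a public audience under TLP:GREEN, and refused to everyone once its validity window has passed, which is the behaviour a TAXII push step should enforce.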

Credential Leaks as the Second Front

The battle against phishing does not end when a malicious page is taken down.

Removing the infrastructure prevents further victims, but it does nothing for those who have already submitted their credentials. If an attacker has successfully harvested login details, the threat remains active long after the site goes offline. According to the Verizon Data Breach Investigations Report, stolen credentials are among the most common entry points for breaches, often exploited weeks or months after initial harvest. Those credentials may sit dormant before being used in account takeovers, fraud, or business email compromise.

This is why credential leak intelligence represents a second, equally important front. When a phishing kit is analysed and found to be exfiltrating data to a specific collector, identifying that collector allows affected parties to be notified before the stolen credentials are weaponised. Early notification, such as a forced password reset or a prompt to enable multi-factor authentication, can neutralise the threat entirely. In many cases, this proactive response is more impactful than the original takedown.

How ThreatChase Brings This Together

At ThreatChase, we have built a platform that integrates these concepts into a unified defence pipeline. Our approach is grounded in the belief that effective phishing protection must be both automated and collaborative.

The Data Collector serves as our primary ingestion point, gathering signals from open-source feeds, community contributions, and our own crawlers. By centralising this data, we work to close the visibility gap, ensuring that indicators observed in one part of the ecosystem are available across the platform.

The Analysis and Detection Module provides the intelligence layer. It normalises incoming data using STIX and correlates it within our MISP environment. This module does not simply flag bad URLs. It enriches them with context, linking indicators to known phishing kits, infrastructure clusters, and campaign patterns. Raw signals become actionable intelligence.

The Mitigation and Notification Service ensures that intelligence leads to action. Validated IoCs are pushed to partner security systems via TAXII for automated blocking. Simultaneously, the service manages credential leak notifications, ensuring affected parties are informed at machine speed. TLP handling rules govern every exchange, keeping the sharing secure and trusted.

The figure below brings these components together, showing how ThreatChase links collection, analysis, mitigation, notification, and trust controls into a single intelligence-sharing pipeline.

[Image: Workflow diagram showing how threat intelligence is collected from open feeds, community contributions, and crawlers, analysed and detected, then used for mitigation, automated blocking, and credential alerts.]
Figure 4 - The ThreatChase pipeline showing the flow from Data Collector through Analysis and Detection to the Mitigation and Notification Service, with MISP, STIX, TAXII, and TLP indicated at relevant stages.

Conclusion

Phishing succeeds when defenders work in isolation.

By adopting structured standards like MISP and STIX, respecting trust frameworks like TLP, and addressing the full attack lifecycle, including credential leaks, organisations can shift from reactive blocking to genuine collective defence. The visibility problem that makes phishing so persistent is solvable. But it requires a commitment to sharing: one organisation's detection becoming another's early warning.

Explore more insights in the ThreatChase project blog, including our guide to phishing protection for SMEs and our analysis of how phishing campaigns are built.

Funding

European Cybersecurity Competence Centre and Network
Co-funded by the European Union

The project funded by the European Union under Grant Agreement No. 101128042 is supported by the European Cybersecurity Competence Centre. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.

Project details

  • Project number: 101128042
  • Call: DIGITAL-ECCC-2022-CYBER-03
  • Topic: DIGITAL-ECCC-2022-CYBER-03-UPTAKE-CYBERSOLUTIONS
  • Type of action: DIGITAL JU SME Support Actions
  • Project starting date: 1 October 2023
  • Project end date: 30 September 2026
