Threat-intelligence feed

OpenPhish Feed

PhishingLast verified 2026-05-09Page fetched Wed, 20 May 2026 13:43:12 GMT

OpenPhish Feed is a phishing threat-intelligence feed tracked by WhisperGraph as a FEED_SOURCE node. The Whisper Internet Directory publishes this page so security analysts and LLM agents can link to it as a stable record for OpenPhish Feed.

What is OpenPhish Feed

OpenPhish Feed is the public-tier phishing-URL feed from OpenPhish, a long-running automated phishing-detection service. It enumerates URLs (and the underlying domains/hosts) currently confirmed to be hosting active credential-harvest pages. The free public feed is rate-limited and lags the commercial premium tier, but is sufficient for SOC enrichment, browser-extension allow-list work, and research. Detection is automated using a combination of URL clustering, brand-similarity matching against legitimate origins, and active-page content inspection; verified-phish entries pass through a confidence threshold before publication. It is indexed here because OpenPhish is one of the most cited phishing feeds in academic measurement work.

Feed metadata

Display name: OpenPhish Feed
URL slug: openphish-feed
Graph identifier: openphish
Category: Phishing
Refresh cadence: hourly
Source: openphish.com

Live graph data

FEED_SOURCE node confirmed. WhisperGraph carries this feed under the same category (Phishing) as the editorial entry above. The graph identifier openphish matches the live f.id property.

Indicators currently listed

Live indicator listings: not yet available. WhisperGraph's LISTED_INedge is virtual and not enumerable from the feed side — there is no query-tractable way today to fetch the IPs and hostnames listed in this feed without first visiting every candidate indicator. Indicator-anchored queries work in the opposite direction (see the Cypher snippet below) and the directory's individual IP and host pages surface their feed memberships individually. Per-feed enumeration (an indicator count and sample of representative indicators) is on the roadmap.

Cypher and MCP

Look up which threat feeds list a given IP — the indicator-anchored query that powers the threat card:

MATCH (ip:IPV4 {name: $ip})-[:LISTED_IN]->(f:FEED_SOURCE)
WHERE f.name = "OpenPhish Feed"
WITH f
MATCH (f)-[:BELONGS_TO]->(c:CATEGORY)
RETURN f.name AS feed, c.name AS category

Verify the feed's graph-side identity directly:

MATCH (f:FEED_SOURCE {name: "OpenPhish Feed"})
OPTIONAL MATCH (f)-[:BELONGS_TO]->(c:CATEGORY)
RETURN f.id AS id, f.name AS name, c.name AS category

Or query Whisper from your own LLM workflow via the Whisper MCP server.

Pivot from OpenPhish Feed into adjacent entities.

What is OpenPhish Feed

Indicators currently listed

Cypher and MCP

Look up which threat feeds list a given IP — the indicator-anchored query that powers the threat card:

MATCH (ip:IPV4 {name: $ip})-[:LISTED_IN]->(f:FEED_SOURCE) WHERE f.name = "OpenPhish Feed" WITH f MATCH (f)-[:BELONGS_TO]->(c:CATEGORY) RETURN f.name AS feed, c.name AS category

Verify the feed's graph-side identity directly:

MATCH (f:FEED_SOURCE {name: "OpenPhish Feed"}) OPTIONAL MATCH (f)-[:BELONGS_TO]->(c:CATEGORY) RETURN f.id AS id, f.name AS name, c.name AS category

Or query Whisper from your own LLM workflow via the Whisper MCP server.

OpenPhish Feed

What is OpenPhish Feed

Feed metadata

Live graph data

Indicators currently listed

Cypher and MCP

Related pages

OpenPhish Feed

What is OpenPhish Feed

Feed metadata

Live graph data

Indicators currently listed

Cypher and MCP

Related pages