POST /api/v1/phishing/enrich

IOC Enrichment

Enrich indicators of compromise against multiple threat intelligence providers including VirusTotal, AbuseIPDB, Shodan, OTX, URLscan, and more. Returns aggregated verdicts and per-provider details.

This endpoint is part of the Phishing Analysis workflow (2 credits flat). For standalone IOC enrichment with per-indicator pricing, see the IOC Enrichment API (3 credits per indicator).

Credits: 2 per request

Max Indicators: 10 per request

Plans: All (Free, Starter, Professional, Enterprise)

Timeout: 60s per request

Supported Indicator Types

| Type | Example | Notes |
| --- | --- | --- |
| ip | 185.220.101.42 | IPv4 addresses |
| domain | evil-domain.com | Domain names without protocol |
| url | https://malware.example.com/payload | Full URLs (SSRF-protected) |
| hash | 44d88612fea8a8f36de82e1278abb02f | MD5, SHA-1, or SHA-256 |
| email | attacker@phishing.com | Email addresses |

Flat 2 credits per request. This endpoint charges a flat 2 credits per request, regardless of indicator count. Credits are deducted before enrichment begins.

Individual provider failures are graceful. If a single provider times out or errors, the indicator still returns results from the remaining providers. Only that provider is marked as unknown in the response.

URL-type indicators have SSRF protection. URLs pointing to private/internal IP ranges are rejected to prevent server-side request forgery.

Score thresholds: >=70 malicious, >=30 suspicious, <30 clean. An indicator with no provider data returns unknown.

Request Body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| indicators | object[] | Yes | Array of 1–10 indicator objects |
| indicators[].type | string | Yes | One of ip, domain, url, hash, email |
| indicators[].value | string | Yes | Non-empty string, max 2048 characters |

Code Examples

cURL

curl -X POST https://api.dfir-lab.ch/v1/phishing/enrich \
  -H "Authorization: Bearer sk-dfir-your-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "indicators": [
      { "type": "ip", "value": "185.220.101.42" },
      { "type": "domain", "value": "evil-domain.com" },
      { "type": "hash", "value": "44d88612fea8a8f36de82e1278abb02f" }
    ]
  }'

Python

import requests

response = requests.post(
    "https://api.dfir-lab.ch/v1/phishing/enrich",
    headers={
        "Authorization": "Bearer sk-dfir-your-key-here",
        "Content-Type": "application/json",
    },
    json={
        "indicators": [
            {"type": "ip", "value": "185.220.101.42"},
            {"type": "domain", "value": "evil-domain.com"},
            {"type": "hash", "value": "44d88612fea8a8f36de82e1278abb02f"},
        ]
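    },
    timeout=65,  # the API allows up to 60s per request
)
response.raise_for_status()  # stop on HTTP 4xx/5xx before reading the body

data = response.json()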
for result in data["data"]["results"]:
    ioc = result["indicator"]
    verdict = result["verdict"]
    score = result["score"]
    print(f"{ioc['type']}:{ioc['value']} -> {verdict} (score: {score})")

summary = data["data"]["summary"]
print(f"\nSummary: {summary['malicious']} malicious, "
      f"{summary['suspicious']} suspicious, {summary['clean']} clean")

TypeScript

const response = await fetch("https://api.dfir-lab.ch/v1/phishing/enrich", {
  method: "POST",
  headers: {
    Authorization: "Bearer sk-dfir-your-key-here",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    indicators: [
      { type: "ip", value: "185.220.101.42" },
      { type: "domain", value: "evil-domain.com" },
      { type: "hash", value: "44d88612fea8a8f36de82e1278abb02f" },
    ],
  }),
});

if (!response.ok) {
  throw new Error(`Enrichment request failed: HTTP ${response.status}`);
}

const { data, meta } = await response.json();

for (const result of data.results) {
  console.log(
    `${result.indicator.type}:${result.indicator.value} -> ` +
    `${result.verdict} (score: ${result.score})`
  );
}

console.log(`Credits used: ${meta.credits_used}, remaining: ${meta.credits_remaining}`);

Example Response

{
  "data": {
    "results": [
      {
        "indicator": { "type": "ip", "value": "185.220.101.42" },
        "verdict": "malicious",
        "score": 85,
        "providers": {
          "virustotal": {
            "verdict": "malicious",
            "score": 90,
            "details": {
              "positives": 12,
              "total": 94,
              "as_owner": "Tor Exit Node"
            }
          },
          "abuseipdb": {
            "verdict": "suspicious",
            "score": 75,
            "details": {
              "total_reports": 342,
              "confidence_score": 75,
              "categories": ["SSH Brute-Force", "Port Scan"]
            }
          },
          "shodan": {
            "verdict": "suspicious",
            "score": 60,
            "details": {
              "ports": [22, 80, 443],
              "org": "Tor Network",
              "os": "Linux"
            }
          }
        },
        "enriched_at": "2026-03-24T12:34:56.789Z"
      },
      {
        "indicator": { "type": "domain", "value": "evil-domain.com" },
        "verdict": "suspicious",
        "score": 45,
        "providers": {
          "virustotal": {
            "verdict": "suspicious",
            "score": 45,
            "details": {
              "positives": 3,
              "total": 94
            }
          },
          "urlscan": {
            "verdict": "clean",
            "score": 10,
            "details": {
              "malicious": false,
              "categories": []
            }
          }
        },
        "enriched_at": "2026-03-24T12:34:57.123Z"
      },
      {
        "indicator": { "type": "hash", "value": "44d88612fea8a8f36de82e1278abb02f" },
        "verdict": "unknown",
        "score": 0,
        "providers": {},
        "enriched_at": "2026-03-24T12:34:57.456Z"
      }
    ],
    "summary": {
      "total": 3,
      "malicious": 1,
      "suspicious": 1,
      "clean": 0,
      "unknown": 1
    }
  },
  "meta": {
    "request_id": "req_abc123def456",
    "credits_used": 2,
    "credits_remaining": 97,
    "processing_time_ms": 3450
  }
}
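
An added example (not from the API's documentation): a triage pass over a response that applies the documented score thresholds and flags verdicts that rest on few providers, which matters because a failed provider is reported as unknown rather than as an error. It assumes a failed provider appears with `"verdict": "unknown"`; `verdict_for`, `triage`, `min_providers` and the sample response are constructed for illustration.

```python
SAMPLE = {"data": {"results": [  # constructed response, same shape as the example above
    {"indicator": {"type": "domain", "value": "login-portal.example"},
     "verdict": "clean", "score": 10,
     "providers": {"virustotal": {"verdict": "clean", "score": 10, "details": {}},
                   "urlscan": {"verdict": "unknown", "score": 0, "details": {}}}},
    {"indicator": {"type": "ip", "value": "203.0.113.7"},
     "verdict": "malicious", "score": 85,
     "providers": {"virustotal": {"verdict": "malicious", "score": 90, "details": {}},
                   "abuseipdb": {"verdict": "suspicious", "score": 75, "details": {}}}},
]}}


def verdict_for(score, has_data):
    """Documented thresholds: >=70 malicious, >=30 suspicious, <30 clean."""
    if not has_data:
        return "unknown"
    return "malicious" if score >= 70 else "suspicious" if score >= 30 else "clean"


def triage(response, min_providers=2):
    """Attach coverage caveats so a thinly supported verdict is not taken at face value."""
    rows = []
    for result in response["data"]["results"]:
        providers = result.get("providers", {})
        # Assumption: a provider that timed out or errored carries verdict "unknown".
        failed = sorted(n for n, p in providers.items() if p.get("verdict") == "unknown")
        answered = len(providers) - len(failed)
        notes = []
        if failed:
            notes.append("no data from: " + ", ".join(failed))
        if result["verdict"] != "malicious" and answered < min_providers:
            notes.append(f"only {answered} provider(s) answered")
        if result["verdict"] != verdict_for(result["score"], answered > 0):
            notes.append("verdict and score disagree with documented thresholds")
        ind = result["indicator"]
        rows.append({"ioc": f"{ind['type']}:{ind['value']}",
                     "verdict": result["verdict"], "notes": notes})
    return rows
```

`triage(SAMPLE)` marks the clean domain as resting on a single provider while leaving the malicious IP without notes.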