Files
Anthropic-Cybersecurity-Skills/skills/hunting-for-spearphishing-indicators/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

1.8 KiB

API Reference: Hunting for Spearphishing Indicators

Email Header Analysis

import email
from email import policy

msg = email.message_from_file(open("suspect.eml"), policy=policy.default)
print(msg["From"], msg["Return-Path"], msg["Received"])
print(msg["Authentication-Results"])  # SPF/DKIM/DMARC

Suspicious Attachment Types

Extension Risk Technique
.exe, .scr, .dll CRITICAL T1566.001
.xlsm, .docm HIGH T1566.001 (macros)
.iso, .img, .lnk HIGH T1566.001 (MOTW bypass)
.html, .htm HIGH HTML Smuggling
.zip, .rar MEDIUM Archive with payload

Splunk SPL - Phishing Detection

index=email sourcetype=exchange
| where match(attachment_name, "(?i)\.(exe|scr|iso|lnk|docm|xlsm|hta)$")
| stats count by sender, recipient, attachment_name, subject
| where count > 3

KQL - Microsoft Defender for Office 365

EmailAttachmentInfo
| where FileType in ("exe", "scr", "iso", "lnk", "docm", "xlsm")
| join kind=inner EmailEvents on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName

Phishing URL Patterns

patterns = [
    r"https?://bit\.ly/",           # URL shorteners
    r"https?://\d+\.\d+\.\d+\.\d+", # IP-based URLs
    r"https?://[^/]*login[^/]*\.",   # Credential harvesting
    r"https?://[^/]*\.(top|xyz)/",   # Suspicious TLDs
]

SPF/DKIM/DMARC Validation

import spf
result, _, _ = spf.check2(ip="1.2.3.4", sender="user@example.com", helo="mail.example.com")
# result: 'pass', 'fail', 'softfail', 'neutral', 'none'

References