mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
1.9 KiB
1.9 KiB
API Reference: Detecting Business Email Compromise
Python email Library
import email
from email import policy
# Parse .eml file
with open("message.eml") as f:
msg = email.message_from_file(f, policy=policy.default)
msg.get("From") # sender header
msg.get("Reply-To") # reply-to header
msg.get("Authentication-Results") # SPF/DKIM/DMARC results
body = msg.get_body(preferencelist=("plain", "html"))
body.get_content() # decoded body text
Authentication Header Patterns
| Result | Meaning |
|---|---|
spf=pass |
Sender IP authorized by domain SPF record |
spf=fail |
Sender IP NOT in SPF record |
dkim=pass |
DKIM signature valid |
dkim=fail |
DKIM signature invalid or missing |
dmarc=pass |
SPF or DKIM aligned with From domain |
dmarc=fail |
Neither SPF nor DKIM aligned |
BEC Attack Types (FBI IC3)
| Type | Description |
|---|---|
| CEO Fraud | Impersonates executive requesting wire transfer |
| Invoice Fraud | Fake invoice with changed bank details |
| Account Compromise | Compromised email used for payment requests |
| Attorney Impersonation | Urgent legal matter requiring funds |
| Data Theft | Requests for W-2 / PII from HR |
BEC Indicator Regex Patterns
# Financial urgency
r"\b(wire transfer|bank transfer|routing number)\b"
# Secrecy pressure
r"\b(confidential|do not share|keep this between us)\b"
# Gift card fraud
r"\b(gift card|bitcoin|crypto|western union)\b"
# Account change
r"\b(change.*(bank|account|payment))\b"
Microsoft Graph API - Mail Security
GET https://graph.microsoft.com/v1.0/me/messages?$filter=internetMessageHeaders/any(h: h/name eq 'Authentication-Results')
Authorization: Bearer {token}
CLI Usage
python agent.py --email-file suspicious.eml --vip-names "John Smith" "Jane CEO"
python agent.py --scan-dir /var/mail/quarantine/ --vip-names "CFO Name"