Files
Anthropic-Cybersecurity-Skills/skills/detecting-business-email-compromise/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

1.9 KiB

API Reference: Detecting Business Email Compromise

Python email Library

import email
from email import policy

# Parse .eml file
with open("message.eml") as f:
    msg = email.message_from_file(f, policy=policy.default)

msg.get("From")                # sender header
msg.get("Reply-To")            # reply-to header
msg.get("Authentication-Results")  # SPF/DKIM/DMARC results
body = msg.get_body(preferencelist=("plain", "html"))
body.get_content()             # decoded body text

Authentication Header Patterns

Result Meaning
spf=pass Sender IP authorized by domain SPF record
spf=fail Sender IP NOT in SPF record
dkim=pass DKIM signature valid
dkim=fail DKIM signature invalid or missing
dmarc=pass SPF or DKIM aligned with From domain
dmarc=fail Neither SPF nor DKIM aligned

BEC Attack Types (FBI IC3)

Type Description
CEO Fraud Impersonates executive requesting wire transfer
Invoice Fraud Fake invoice with changed bank details
Account Compromise Compromised email used for payment requests
Attorney Impersonation Urgent legal matter requiring funds
Data Theft Requests for W-2 / PII from HR

BEC Indicator Regex Patterns

# Financial urgency
r"\b(wire transfer|bank transfer|routing number)\b"
# Secrecy pressure
r"\b(confidential|do not share|keep this between us)\b"
# Gift card fraud
r"\b(gift card|bitcoin|crypto|western union)\b"
# Account change
r"\b(change.*(bank|account|payment))\b"

Microsoft Graph API - Mail Security

GET https://graph.microsoft.com/v1.0/me/messages?$filter=internetMessageHeaders/any(h: h/name eq 'Authentication-Results')
Authorization: Bearer {token}

CLI Usage

python agent.py --email-file suspicious.eml --vip-names "John Smith" "Jane CEO"
python agent.py --scan-dir /var/mail/quarantine/ --vip-names "CFO Name"