mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
103 lines
2.2 KiB
Markdown
103 lines
2.2 KiB
Markdown
# API Reference: Spearphishing Detection via Email Gateway
|
|
|
|
## Python email Module
|
|
|
|
### Parse EML file
|
|
```python
|
|
import email
|
|
from email import policy
|
|
|
|
with open("message.eml", "rb") as f:
|
|
msg = email.message_from_binary_file(f, policy=policy.default)
|
|
```
|
|
|
|
### Security Headers
|
|
| Header | Purpose |
|
|
|--------|---------|
|
|
| `Received-SPF` | SPF check result |
|
|
| `Authentication-Results` | SPF, DKIM, DMARC combined |
|
|
| `DKIM-Signature` | DKIM signing info |
|
|
| `ARC-Authentication-Results` | ARC chain results |
|
|
| `X-Mailer` | Client used to send |
|
|
| `Return-Path` | Envelope sender |
|
|
|
|
### Authentication-Results Values
|
|
```
|
|
Authentication-Results: mx.google.com;
|
|
dkim=pass header.d=example.com;
|
|
spf=pass smtp.mailfrom=example.com;
|
|
dmarc=pass
|
|
```
|
|
|
|
## SPF Record Lookup
|
|
```bash
|
|
dig TXT example.com | grep "v=spf1"
|
|
# v=spf1 include:_spf.google.com ~all
|
|
```
|
|
|
|
### SPF Results
|
|
| Result | Meaning |
|
|
|--------|---------|
|
|
| `pass` | Authorized sender |
|
|
| `fail` | Unauthorized (reject) |
|
|
| `softfail` | Unauthorized (accept with mark) |
|
|
| `neutral` | No assertion |
|
|
| `none` | No SPF record |
|
|
|
|
## DKIM Verification
|
|
```bash
|
|
opendkim-testkey -d example.com -s selector -vvv
|
|
```
|
|
|
|
## DMARC Record
|
|
```bash
|
|
dig TXT _dmarc.example.com
|
|
# v=DMARC1; p=reject; rua=mailto:dmarc@example.com
|
|
```
|
|
|
|
## Microsoft Defender for Office 365 API
|
|
|
|
### Get email threat assessment
|
|
```http
|
|
POST https://graph.microsoft.com/v1.0/informationProtection/threatAssessmentRequests
|
|
Authorization: Bearer {token}
|
|
|
|
{
|
|
"contentType": "mail",
|
|
"expectedAssessment": "block",
|
|
"category": "phishing",
|
|
"mailInfo": {
|
|
"internetMessageId": "<message-id>"
|
|
}
|
|
}
|
|
```
|
|
|
|
## Proofpoint TAP API
|
|
|
|
### Get blocked messages
|
|
```http
|
|
GET https://tap-api-v2.proofpoint.com/v2/siem/messages/blocked
|
|
?sinceSeconds=3600
|
|
Authorization: Basic {base64_credentials}
|
|
```
|
|
|
|
### Response Fields
|
|
| Field | Description |
|
|
|-------|-------------|
|
|
| `spamScore` | Spam confidence (0-100) |
|
|
| `phishScore` | Phishing confidence (0-100) |
|
|
| `threatsInfoMap` | Threat details array |
|
|
| `fromAddress` | Envelope sender |
|
|
|
|
## Mimecast API — URL Protection
|
|
|
|
### Decode Mimecast URL
|
|
```http
|
|
POST https://api.mimecast.com/api/ttp/url/decode-url
|
|
Authorization: MC {access-key}:{secret-key}
|
|
|
|
{
|
|
"data": [{"url": "https://protect.mimecast.com/..."}]
|
|
}
|
|
```
|