Files
Anthropic-Cybersecurity-Skills/skills/detecting-spearphishing-with-email-gateway/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.2 KiB

API Reference: Spearphishing Detection via Email Gateway

Python email Module

Parse EML file

import email
from email import policy

with open("message.eml", "rb") as f:
    msg = email.message_from_binary_file(f, policy=policy.default)

Security Headers

Header Purpose
Received-SPF SPF check result
Authentication-Results SPF, DKIM, DMARC combined
DKIM-Signature DKIM signing info
ARC-Authentication-Results ARC chain results
X-Mailer Client used to send
Return-Path Envelope sender

Authentication-Results Values

Authentication-Results: mx.google.com;
    dkim=pass header.d=example.com;
    spf=pass smtp.mailfrom=example.com;
    dmarc=pass

SPF Record Lookup

dig TXT example.com | grep "v=spf1"
# v=spf1 include:_spf.google.com ~all

SPF Results

Result Meaning
pass Authorized sender
fail Unauthorized (reject)
softfail Unauthorized (accept with mark)
neutral No assertion
none No SPF record

DKIM Verification

opendkim-testkey -d example.com -s selector -vvv

DMARC Record

dig TXT _dmarc.example.com
# v=DMARC1; p=reject; rua=mailto:dmarc@example.com

Microsoft Defender for Office 365 API

Get email threat assessment

POST https://graph.microsoft.com/v1.0/informationProtection/threatAssessmentRequests
Authorization: Bearer {token}

{
  "contentType": "mail",
  "expectedAssessment": "block",
  "category": "phishing",
  "mailInfo": {
    "internetMessageId": "<message-id>"
  }
}

Proofpoint TAP API

Get blocked messages

GET https://tap-api-v2.proofpoint.com/v2/siem/messages/blocked
    ?sinceSeconds=3600
Authorization: Basic {base64_credentials}

Response Fields

Field Description
spamScore Spam confidence (0-100)
phishScore Phishing confidence (0-100)
threatsInfoMap Threat details array
fromAddress Envelope sender

Mimecast API — URL Protection

Decode Mimecast URL

POST https://api.mimecast.com/api/ttp/url/decode-url
Authorization: MC {access-key}:{secret-key}

{
  "data": [{"url": "https://protect.mimecast.com/..."}]
}