creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/building-phishing-reporting-button-workflow/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

65 lines
1.8 KiB
Markdown
Raw Blame History

# API Reference: Phishing Reporting Button Workflow
## Email Parsing (Python email module)
```python
from email import policy
from email.parser import BytesParser
with open("report.eml", "rb") as f:
msg = BytesParser(policy=policy.default).parse(f)
headers = {
"from": msg["From"], "subject": msg["Subject"],
"reply_to": msg["Reply-To"], "received": msg.get_all("Received")
}
```
## Phishing Indicators
| Indicator | Weight | Description |
|-----------|--------|-------------|
| Reply-To mismatch | 20 | From and Reply-To differ |
| SPF/DKIM fail | 25 | Authentication failure |
| Suspicious language | 10 | Urgency/credential patterns |
| Suspicious URL | 15 | Known bad TLDs or redirectors |
| Dangerous attachment | 30 | Executable file extensions |
## VirusTotal URL Scan
```
GET https://www.virustotal.com/api/v3/urls/{url_id}
x-apikey: YOUR_KEY
```
URL ID = base64url(url) or sha256(url)
## Dangerous File Extensions
| Category | Extensions |
|----------|-----------|
| Executables | `.exe`, `.scr`, `.bat`, `.cmd` |
| Scripts | `.js`, `.vbs`, `.ps1`, `.hta` |
| Disk images | `.iso`, `.img`, `.vhd` |
| Archives | `.zip` (password-protected), `.rar` |
| Documents | `.docm`, `.xlsm` (macro-enabled) |
## Verdict Classification
| Score | Verdict | Action |
|-------|---------|--------|
| >= 50 | Phishing | Block sender, quarantine, create ticket |
| 25-49 | Suspicious | Analyst review required |
| < 25 | Benign | Close report, notify user |
## Ticketing Integration
```
POST /api/v2/tickets
Authorization: Bearer TOKEN
{
"title": "Phishing Report: ...",
"severity": "high",
"description": "...",
"indicators": ["Reply-To mismatch", ...]
}
```
## Microsoft Report Message Add-in
```
POST https://graph.microsoft.com/v1.0/users/{id}/messages/{msgId}/move
{"destinationId": "phishing-mailbox-id"}
```
Reference in New Issue View Git Blame Copy Permalink