phishing defense

Building Phishing Reporting Button Workflow

Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported suspicious emails and provides feedback to reporters.

email-securityincident-responsemicrosoft-365outlookphishing-reportingsecurity-awarenesssoar
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

A phishing reporting button empowers users to flag suspicious emails directly from their email client, creating a critical feedback loop between end users and the security operations center. Microsoft's built-in Report button is now the recommended approach, replacing the deprecated Report Message and Report Phishing add-ins. When combined with automated triage using SOAR platforms, reported emails can be classified, IOCs extracted, and remediation actions taken within minutes. Organizations with effective phishing reporting programs see 70%+ report rates in phishing simulations.

When to Use

  • When deploying or configuring building phishing reporting button workflow capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Microsoft 365 or Google Workspace with administrative access
  • SOAR platform or automation capability (Microsoft Sentinel, Splunk SOAR, Cortex XSOAR)
  • Dedicated reporting mailbox for phishing submissions
  • Email security gateway with message retraction capability
  • Security awareness training platform for feedback loop

Workflow

Step 1: Deploy Phishing Report Button

  • Enable Microsoft built-in Report button via Security & Compliance Center
  • Configure user reported settings: route to reporting mailbox and Microsoft
  • For third-party: deploy KnowBe4 Phish Alert Button or Cofense Reporter
  • Verify button appears in Outlook desktop, web, and mobile clients
  • Configure report options: Report Phishing, Report Junk, Report Not Junk

Step 2: Build Automated Triage Pipeline

  • Configure reporting mailbox monitored by SOAR platform
  • Auto-extract IOCs from reported emails: URLs, attachments, sender info, headers
  • Submit URLs to VirusTotal, URLScan.io for reputation check
  • Submit attachments to sandbox for dynamic analysis
  • Check sender against known threat intelligence feeds
  • Auto-classify: confirmed phishing, spam, simulation, legitimate

Step 3: Implement Response Actions

  • Confirmed phishing: auto-retract from all inboxes, block sender domain
  • Confirmed spam: move to junk for all recipients
  • Simulation email: mark as correctly reported, credit user
  • Legitimate email: return to inbox, notify reporter
  • Generate IOC report for threat intelligence team

Step 4: Create Feedback Loop

  • Send automated thank-you response to reporter within 5 minutes
  • Include classification result when analysis completes
  • Track reporter accuracy and engagement metrics
  • Recognize top reporters in monthly security newsletter
  • Feed reporting metrics into security awareness training program

Step 5: Measure and Optimize

  • Track mean time to triage (target: under 10 minutes automated)
  • Monitor report volume trends and false positive rates
  • Measure user reporting rate in phishing simulations
  • Report on confirmed threats caught by user reports vs. gateway
  • Optimize automation rules based on classification accuracy

Tools & Resources

  • Microsoft Report Button: Built-in Outlook phishing reporting
  • Cofense Reporter + Triage: Enterprise phishing reporting and automated analysis
  • KnowBe4 Phish Alert Button: Integrated reporting with simulation platform
  • Microsoft Sentinel: SOAR automation for triage workflow
  • Proofpoint CLEAR: Closed-loop email analysis and response

Validation

  • Report button visible and functional across all Outlook platforms
  • Reported email arrives in dedicated mailbox within 60 seconds
  • Automated triage classifies test phishing email correctly
  • Auto-retraction removes confirmed phishing from all inboxes
  • Reporter receives feedback notification with classification
  • Metrics dashboard shows report volume and accuracy trends
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.8 KB

API Reference: Phishing Reporting Button Workflow

Email Parsing (Python email module)

from email import policy
from email.parser import BytesParser
 
with open("report.eml", "rb") as f:
    msg = BytesParser(policy=policy.default).parse(f)
headers = {
    "from": msg["From"], "subject": msg["Subject"],
    "reply_to": msg["Reply-To"], "received": msg.get_all("Received")
}

Phishing Indicators

Indicator Weight Description
Reply-To mismatch 20 From and Reply-To differ
SPF/DKIM fail 25 Authentication failure
Suspicious language 10 Urgency/credential patterns
Suspicious URL 15 Known bad TLDs or redirectors
Dangerous attachment 30 Executable file extensions

VirusTotal URL Scan

GET https://www.virustotal.com/api/v3/urls/{url_id}
x-apikey: YOUR_KEY

URL ID = base64url(url) or sha256(url)

Dangerous File Extensions

Category Extensions
Executables .exe, .scr, .bat, .cmd
Scripts .js, .vbs, .ps1, .hta
Disk images .iso, .img, .vhd
Archives .zip (password-protected), .rar
Documents .docm, .xlsm (macro-enabled)

Verdict Classification

Score Verdict Action
>= 50 Phishing Block sender, quarantine, create ticket
25-49 Suspicious Analyst review required
< 25 Benign Close report, notify user

Ticketing Integration

POST /api/v2/tickets
Authorization: Bearer TOKEN
{
  "title": "Phishing Report: ...",
  "severity": "high",
  "description": "...",
  "indicators": ["Reply-To mismatch", ...]
}

Microsoft Report Message Add-in

POST https://graph.microsoft.com/v1.0/users/{id}/messages/{msgId}/move
{"destinationId": "phishing-mailbox-id"}
standards.md1.3 KB

Standards & References: Building Phishing Reporting Button Workflow

MITRE ATT&CK References

  • T1566.001: Phishing: Spearphishing Attachment
  • T1566.002: Phishing: Spearphishing Link
  • T1204: User Execution
  • D3-RERE: User Reporting (MITRE D3FEND)

Industry Standards

  • NIST SP 800-61 Rev.2: Computer Security Incident Handling Guide
  • CIS Controls v8 Control 14: Security Awareness and Skills Training
  • ISO 27001 A.6.3: Information Security Awareness, Education and Training

Reporting Platform Comparison

Platform Type Integration Auto-Triage
Microsoft Report Button Built-in M365 native Via Sentinel/API
Cofense Reporter + Triage Third-party M365, Google Yes (Cofense Triage)
KnowBe4 PAB Third-party M365, Google Yes (KMSAT)
Proofpoint CLEAR Third-party M365, Google Yes (built-in)
Hoxhunt Third-party M365, Google Yes (AI-powered)

Key Metrics

  • Report Rate: Percentage of phishing simulations reported (target: >70%)
  • Mean Time to Triage: Time from report to classification (target: <10 min)
  • False Positive Rate: Legitimate emails reported as phishing
  • Threat Catch Rate: Real threats first detected by user reports
  • Reporter Accuracy: Percentage of reports that are actual threats
workflows.md1.8 KB

Workflows: Building Phishing Reporting Button Workflow

Workflow 1: Automated Phishing Report Triage

User clicks "Report Phishing" button
  |
  v
[Email forwarded to reporting mailbox]
  +-- Original email preserved with full headers
  +-- Reporter identity recorded
  |
  v
[SOAR platform ingests report]
  |
  v
[Automated IOC extraction]
  +-- Extract sender address and domain
  +-- Extract all URLs from body
  +-- Extract attachment hashes (MD5, SHA256)
  +-- Parse email headers for authentication results
  |
  v
[Automated analysis (parallel)]
  +-- URLs -> VirusTotal, URLScan.io, PhishTank
  +-- Attachments -> Sandbox detonation
  +-- Sender -> Threat intelligence lookup
  +-- Headers -> SPF/DKIM/DMARC validation
  |
  v
[Classification]
  +-- CONFIRMED PHISHING: High-confidence malicious
  +-- SUSPICIOUS: Moderate indicators, needs analyst review
  +-- SPAM: Unwanted but not malicious
  +-- SIMULATION: Matches internal phishing test
  +-- CLEAN: Legitimate email, false report
  |
  v
[Automated response by classification]
  +-- PHISHING: Retract from all inboxes + block sender
  +-- SUSPICIOUS: Escalate to SOC analyst
  +-- SPAM: Move to junk for all recipients
  +-- SIMULATION: Credit reporter in training platform
  +-- CLEAN: Return to inbox
  |
  v
[Feedback to reporter]
  +-- "Thank you for reporting" (immediate)
  +-- Classification result (when complete)
  +-- Training tip (if false positive)

Workflow 2: SOC Analyst Escalation

SOAR classifies report as SUSPICIOUS
  |
  v
[SOC analyst reviews]
  +-- Examine full email content and headers
  +-- Verify automated analysis results
  +-- Check for similar reports from other users
  |
  v
[Analyst decision]
  +-- Confirm malicious --> Trigger remediation playbook
  +-- Confirm clean --> Close and notify reporter
  +-- Need more info --> Contact reporter for context

Scripts 2

agent.py7.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Phishing Reporting Button Workflow Agent - Processes user-reported phishing emails via button integration."""

import json
import logging
import argparse
import re
import hashlib
from datetime import datetime
from email import policy
from email.parser import BytesParser

import requests

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)

SUSPICIOUS_PATTERNS = [
    re.compile(r"urgent|immediate action|verify your account|click here now", re.IGNORECASE),
    re.compile(r"password.*expir|account.*suspend|unusual.*activity", re.IGNORECASE),
    re.compile(r"wire transfer|bitcoin|gift card|western union", re.IGNORECASE),
    re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", re.IGNORECASE),
]

URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+")


def parse_reported_email(eml_path):
    """Parse a reported phishing email from .eml file."""
    with open(eml_path, "rb") as f:
        msg = BytesParser(policy=policy.default).parse(f)
    headers = {
        "from": msg.get("From", ""),
        "to": msg.get("To", ""),
        "subject": msg.get("Subject", ""),
        "date": msg.get("Date", ""),
        "return_path": msg.get("Return-Path", ""),
        "reply_to": msg.get("Reply-To", ""),
        "message_id": msg.get("Message-ID", ""),
        "received": [str(h) for h in msg.get_all("Received", [])],
    }
    body = ""
    if msg.is_multipart():
        for part in msg.walk():
            ct = part.get_content_type()
            if ct == "text/plain":
                body = part.get_content()
                break
            elif ct == "text/html" and not body:
                body = part.get_content()
    else:
        body = msg.get_content()
    attachments = []
    for part in msg.walk():
        fn = part.get_filename()
        if fn:
            content = part.get_payload(decode=True)
            attachments.append({"filename": fn, "size": len(content) if content else 0,
                                "sha256": hashlib.sha256(content).hexdigest() if content else ""})
    logger.info("Parsed email: subject='%s', %d attachments", headers["subject"], len(attachments))
    return {"headers": headers, "body": body[:5000], "attachments": attachments}


def analyze_email(parsed):
    """Analyze reported email for phishing indicators."""
    findings = []
    score = 0
    headers = parsed["headers"]
    body = parsed.get("body", "")
    from_addr = headers.get("from", "")
    reply_to = headers.get("reply_to", "")
    if reply_to and reply_to != from_addr:
        findings.append({"indicator": "Reply-To mismatch", "detail": f"From: {from_addr}, Reply-To: {reply_to}", "weight": 20})
        score += 20
    auth_results = headers.get("authentication_results", "")
    if "spf=fail" in auth_results.lower() or "dkim=fail" in auth_results.lower():
        findings.append({"indicator": "Email authentication failure", "detail": auth_results[:200], "weight": 25})
        score += 25
    for pat in SUSPICIOUS_PATTERNS:
        matches = pat.findall(body)
        if matches:
            findings.append({"indicator": "Suspicious language", "detail": matches[0][:100], "weight": 10})
            score += 10
    urls = URL_PATTERN.findall(body)
    suspicious_urls = [u for u in urls if any(kw in u.lower() for kw in [".tk", ".ml", ".ga", "bit.ly",
                       "tinyurl", "redirect", "login", "verify", "secure-"])]
    if suspicious_urls:
        findings.append({"indicator": "Suspicious URLs", "detail": suspicious_urls[:5], "weight": 15})
        score += 15 * len(suspicious_urls[:3])
    for att in parsed.get("attachments", []):
        fn = att["filename"].lower()
        if any(fn.endswith(ext) for ext in [".exe", ".scr", ".js", ".vbs", ".bat", ".ps1", ".hta", ".iso", ".img"]):
            findings.append({"indicator": "Dangerous attachment", "detail": att["filename"], "weight": 30})
            score += 30
    verdict = "phishing" if score >= 50 else "suspicious" if score >= 25 else "benign"
    return {"score": min(score, 100), "verdict": verdict, "findings": findings, "url_count": len(urls),
            "attachment_count": len(parsed.get("attachments", []))}


def check_urls_virustotal(urls, api_key):
    """Check extracted URLs against VirusTotal."""
    results = []
    for url in urls[:5]:
        try:
            url_id = hashlib.sha256(url.encode()).hexdigest()
            resp = requests.get(f"https://www.virustotal.com/api/v3/urls/{url_id}",
                                headers={"x-apikey": api_key}, timeout=10)
            if resp.status_code == 200:
                stats = resp.json().get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
                results.append({"url": url, "malicious": stats.get("malicious", 0), "suspicious": stats.get("suspicious", 0)})
        except requests.RequestException:
            results.append({"url": url, "error": "lookup_failed"})
    return results


def create_ticket(analysis, parsed, ticketing_url=None, api_key=None):
    """Create incident ticket from analysis results."""
    ticket = {
        "title": f"Phishing Report: {parsed['headers'].get('subject', 'No Subject')[:80]}",
        "severity": "high" if analysis["verdict"] == "phishing" else "medium" if analysis["verdict"] == "suspicious" else "low",
        "description": f"User-reported phishing email. Verdict: {analysis['verdict']} (score: {analysis['score']})",
        "indicators": [f["indicator"] for f in analysis["findings"]],
        "reported_from": parsed["headers"].get("to", ""),
        "suspicious_sender": parsed["headers"].get("from", ""),
    }
    if ticketing_url and api_key:
        try:
            resp = requests.post(f"{ticketing_url}/api/v2/tickets",
                                 headers={"Authorization": f"Bearer {api_key}"}, json=ticket, timeout=10)
            ticket["ticket_id"] = resp.json().get("id")
        except requests.RequestException:
            ticket["ticket_id"] = "creation_failed"
    return ticket


def generate_report(parsed, analysis, ticket):
    """Generate phishing report workflow report."""
    report = {
        "timestamp": datetime.utcnow().isoformat(),
        "email_subject": parsed["headers"].get("subject", ""),
        "sender": parsed["headers"].get("from", ""),
        "analysis": analysis,
        "ticket": ticket,
    }
    print(f"PHISHING REPORT: {analysis['verdict'].upper()} (score={analysis['score']}), "
          f"{len(analysis['findings'])} indicators")
    return report


def main():
    parser = argparse.ArgumentParser(description="Phishing Reporting Button Workflow Agent")
    parser.add_argument("--eml-file", required=True, help="Path to reported .eml file")
    parser.add_argument("--vt-key", help="VirusTotal API key for URL checks")
    parser.add_argument("--output", default="phishing_report.json")
    args = parser.parse_args()

    parsed = parse_reported_email(args.eml_file)
    analysis = analyze_email(parsed)
    ticket = create_ticket(analysis, parsed)
    report = generate_report(parsed, analysis, ticket)
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2)
    logger.info("Report saved to %s", args.output)


if __name__ == "__main__":
    main()
process.py10.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Phishing Report Triage Engine

Processes user-reported phishing emails, extracts IOCs,
performs automated analysis, and classifies the report.

Usage:
    python process.py triage --eml-file reported_email.eml
    python process.py metrics --reports-file reports.json
    python process.py extract-iocs --eml-file reported_email.eml
"""

import argparse
import json
import re
import hashlib
import sys
from dataclasses import dataclass, field, asdict
from collections import Counter
from datetime import datetime


@dataclass
class ExtractedIOCs:
    """IOCs extracted from reported email."""
    sender_address: str = ""
    sender_domain: str = ""
    reply_to: str = ""
    urls: list = field(default_factory=list)
    domains: list = field(default_factory=list)
    attachment_names: list = field(default_factory=list)
    attachment_hashes: list = field(default_factory=list)
    ip_addresses: list = field(default_factory=list)
    subject: str = ""


@dataclass
class TriageResult:
    """Triage classification result."""
    report_id: str = ""
    reporter: str = ""
    classification: str = ""
    confidence: float = 0.0
    iocs: dict = field(default_factory=dict)
    indicators: list = field(default_factory=list)
    recommended_action: str = ""
    auto_actionable: bool = False


@dataclass
class ReportingMetrics:
    """Phishing reporting program metrics."""
    total_reports: int = 0
    confirmed_phishing: int = 0
    confirmed_spam: int = 0
    simulation_reports: int = 0
    false_positives: int = 0
    mean_triage_time_min: float = 0.0
    top_reporters: list = field(default_factory=list)
    report_rate: float = 0.0


PHISHING_INDICATORS = [
    (r'\burgent\b.*\b(action|response|attention)\b', "Urgency language", 15),
    (r'\b(verify|confirm|validate)\s+your\s+(account|identity|password)\b', "Credential request", 20),
    (r'\b(click|follow)\s+(here|this|the)\s+(link|button)\b', "Click-bait language", 10),
    (r'\b(suspended|locked|disabled|compromised)\s+(account|access)\b', "Fear language", 15),
    (r'\b(wire\s+transfer|payment|invoice|bank)\b', "Financial language", 10),
    (r'\bgift\s+card\b', "Gift card request", 20),
    (r'\bdo\s+not\s+(share|tell|discuss)\b', "Secrecy language", 15),
]


def extract_iocs(eml_content: str) -> ExtractedIOCs:
    """Extract IOCs from email content."""
    iocs = ExtractedIOCs()

    # Extract From
    from_match = re.search(r'^From:\s*(?:.*<)?([^>\s]+@[^>\s]+)', eml_content,
                           re.MULTILINE | re.IGNORECASE)
    if from_match:
        iocs.sender_address = from_match.group(1).strip()
        domain_match = re.search(r'@([\w.-]+)', iocs.sender_address)
        if domain_match:
            iocs.sender_domain = domain_match.group(1)

    # Extract Reply-To
    reply_match = re.search(r'^Reply-To:\s*(?:.*<)?([^>\s]+@[^>\s]+)', eml_content,
                            re.MULTILINE | re.IGNORECASE)
    if reply_match:
        iocs.reply_to = reply_match.group(1).strip()

    # Extract Subject
    subj_match = re.search(r'^Subject:\s*(.+)$', eml_content, re.MULTILINE | re.IGNORECASE)
    if subj_match:
        iocs.subject = subj_match.group(1).strip()

    # Extract URLs
    urls = re.findall(r'https?://[^\s<>"\']+', eml_content)
    iocs.urls = list(set(urls))

    # Extract domains from URLs
    for url in iocs.urls:
        domain_match = re.search(r'https?://([^/:\s]+)', url)
        if domain_match:
            domain = domain_match.group(1).lower()
            if domain not in iocs.domains:
                iocs.domains.append(domain)

    # Extract IP addresses from headers
    ips = re.findall(r'\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b', eml_content)
    iocs.ip_addresses = list(set(ips))

    # Extract attachment filenames
    attachments = re.findall(
        r'filename[*]?=(?:"([^"]+)"|([^\s;]+))',
        eml_content, re.IGNORECASE
    )
    for groups in attachments:
        name = groups[0] or groups[1]
        if name and name not in iocs.attachment_names:
            iocs.attachment_names.append(name)

    return iocs


def triage_report(eml_content: str, simulation_subjects: list = None) -> TriageResult:
    """Classify a reported email."""
    result = TriageResult()
    iocs = extract_iocs(eml_content)
    result.iocs = asdict(iocs)

    score = 0
    body_lower = eml_content.lower()

    # Check if it's a known simulation
    if simulation_subjects:
        for sim_subj in simulation_subjects:
            if sim_subj.lower() in iocs.subject.lower():
                result.classification = "simulation"
                result.confidence = 0.95
                result.recommended_action = "Credit reporter in training platform"
                result.auto_actionable = True
                return result

    # Check phishing indicators
    for pattern, desc, weight in PHISHING_INDICATORS:
        if re.search(pattern, body_lower):
            result.indicators.append(desc)
            score += weight

    # Check for authentication failures
    auth_results = re.search(r'Authentication-Results:.*?(spf=fail|dkim=fail|dmarc=fail)',
                             eml_content, re.IGNORECASE | re.DOTALL)
    if auth_results:
        result.indicators.append(f"Authentication failure: {auth_results.group(1)}")
        score += 20

    # Check Reply-To mismatch
    if iocs.reply_to and iocs.sender_address:
        reply_domain = re.search(r'@([\w.-]+)', iocs.reply_to)
        sender_domain = re.search(r'@([\w.-]+)', iocs.sender_address)
        if reply_domain and sender_domain:
            if reply_domain.group(1) != sender_domain.group(1):
                result.indicators.append("Reply-To domain mismatch")
                score += 15

    # Check for suspicious attachment types
    risky_extensions = ['.exe', '.scr', '.bat', '.cmd', '.ps1', '.vbs',
                        '.js', '.wsf', '.hta', '.iso', '.img']
    for att in iocs.attachment_names:
        if any(att.lower().endswith(ext) for ext in risky_extensions):
            result.indicators.append(f"Risky attachment: {att}")
            score += 25

    # Classify
    if score >= 50:
        result.classification = "confirmed_phishing"
        result.confidence = min(score / 100, 0.95)
        result.recommended_action = "Retract from all inboxes, block sender domain"
        result.auto_actionable = True
    elif score >= 25:
        result.classification = "suspicious"
        result.confidence = score / 100
        result.recommended_action = "Escalate to SOC analyst for manual review"
        result.auto_actionable = False
    elif score >= 10:
        result.classification = "spam"
        result.confidence = 0.6
        result.recommended_action = "Move to junk for all recipients"
        result.auto_actionable = True
    else:
        result.classification = "clean"
        result.confidence = 0.7
        result.recommended_action = "Return to inbox, notify reporter"
        result.auto_actionable = True

    return result


def calculate_metrics(reports: list) -> ReportingMetrics:
    """Calculate phishing reporting program metrics."""
    metrics = ReportingMetrics()
    metrics.total_reports = len(reports)

    reporter_counts = Counter()
    triage_times = []

    for report in reports:
        classification = report.get("classification", "")
        if classification == "confirmed_phishing":
            metrics.confirmed_phishing += 1
        elif classification == "spam":
            metrics.confirmed_spam += 1
        elif classification == "simulation":
            metrics.simulation_reports += 1
        elif classification == "clean":
            metrics.false_positives += 1

        reporter = report.get("reporter", "")
        if reporter:
            reporter_counts[reporter] += 1

        triage_time = report.get("triage_time_minutes", 0)
        if triage_time > 0:
            triage_times.append(triage_time)

    if triage_times:
        metrics.mean_triage_time_min = sum(triage_times) / len(triage_times)

    metrics.top_reporters = [
        {"reporter": r, "count": c}
        for r, c in reporter_counts.most_common(10)
    ]

    if metrics.total_reports > 0:
        metrics.report_rate = (
            (metrics.confirmed_phishing + metrics.simulation_reports) /
            metrics.total_reports * 100
        )

    return metrics


def main():
    parser = argparse.ArgumentParser(description="Phishing Report Triage Engine")
    subparsers = parser.add_subparsers(dest="command")

    triage_parser = subparsers.add_parser("triage", help="Triage reported email")
    triage_parser.add_argument("--eml-file", required=True)
    triage_parser.add_argument("--sim-subjects", nargs="*", default=[])

    metrics_parser = subparsers.add_parser("metrics", help="Calculate reporting metrics")
    metrics_parser.add_argument("--reports-file", required=True)

    ioc_parser = subparsers.add_parser("extract-iocs", help="Extract IOCs from email")
    ioc_parser.add_argument("--eml-file", required=True)

    parser.add_argument("--json", action="store_true")
    args = parser.parse_args()

    if args.command == "triage":
        with open(args.eml_file, 'r', errors='replace') as f:
            content = f.read()
        result = triage_report(content, args.sim_subjects)
        if args.json:
            print(json.dumps(asdict(result), indent=2))
        else:
            print(f"Classification: {result.classification}")
            print(f"Confidence: {result.confidence:.0%}")
            print(f"Action: {result.recommended_action}")
            print(f"Auto-actionable: {'Yes' if result.auto_actionable else 'No'}")
            if result.indicators:
                print(f"Indicators:")
                for ind in result.indicators:
                    print(f"  - {ind}")

    elif args.command == "metrics":
        with open(args.reports_file) as f:
            reports = json.load(f)
        result = calculate_metrics(reports)
        if args.json:
            print(json.dumps(asdict(result), indent=2))
        else:
            print(f"Total reports: {result.total_reports}")
            print(f"Confirmed phishing: {result.confirmed_phishing}")
            print(f"Spam: {result.confirmed_spam}")
            print(f"Simulations reported: {result.simulation_reports}")
            print(f"False positives: {result.false_positives}")
            print(f"Mean triage time: {result.mean_triage_time_min:.1f} min")

    elif args.command == "extract-iocs":
        with open(args.eml_file, 'r', errors='replace') as f:
            content = f.read()
        iocs = extract_iocs(content)
        print(json.dumps(asdict(iocs), indent=2))

    else:
        parser.print_help()


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 0.9 KB
Keep exploring