npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- A user reports receiving a suspicious email via the phishing report button or abuse mailbox
- Email gateway detects a malicious email that bypassed initial filtering
- Threat intelligence indicates an active phishing campaign targeting the organization
- A user confirms they clicked a link or opened an attachment from a suspicious email
- Credentials have been entered on a suspected phishing page
Do not use for business email compromise (BEC) involving compromised internal accounts; use BEC response procedures which focus on account takeover investigation.
Prerequisites
- Email security gateway with message trace and quarantine capabilities (Microsoft Defender for Office 365, Proofpoint, Mimecast)
- Microsoft 365 admin access or Google Workspace admin for mailbox search and purge
- Malware sandbox for attachment and URL analysis (ANY.RUN, Joe Sandbox, Hybrid Analysis)
- Email header analysis tools (MXToolbox Header Analyzer, Google Admin Toolbox)
- Identity provider access for account remediation (Azure AD, Okta, Duo)
- Phishing report intake process (dedicated mailbox or integrated report button)
Workflow
Step 1: Receive and Triage the Phishing Report
Evaluate the reported email to determine if it is malicious:
- Extract the email as an .EML or .MSG file (preserves headers)
- Analyze email headers to determine the true sender, relay path, and authentication results
Email Header Analysis Checklist:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Return-Path: billing@spoofed-domain[.]com
From: "IT Support" <support@corp-lookalike[.]com>
Reply-To: attacker@gmail[.]com (different from From)
SPF: FAIL (sender IP not authorized for domain)
DKIM: FAIL (signature invalid)
DMARC: FAIL (policy: none - no enforcement)
Received: from mail.attacker-infra[.]net [45.33.x.x]
X-Originating-IP: 45.33.x.x
Message-ID: <random@attacker-infra.net>Classification criteria:
- Confirmed Phishing: Malicious URL/attachment, spoofed sender, credential harvesting page
- Suspicious: Anomalous headers but no confirmed malicious content
- Spam/Marketing: Unwanted but not malicious
- Legitimate: Not a phishing email (false report)
Step 2: Analyze Malicious Content
Examine URLs and attachments in a safe environment:
URL Analysis:
- Check URL against VirusTotal, URLscan.io, and Google Safe Browsing
- Open URL in a sandbox browser to capture the landing page
- Check if the URL redirects to a credential harvesting page
- Identify the phishing kit type (Microsoft 365 login clone, Okta clone, generic)
- Determine if the phishing page is still active
Attachment Analysis:
- Calculate file hash (SHA-256) and check against VirusTotal
- Detonate in sandbox (ANY.RUN, Joe Sandbox)
- Analyze document for macros (olevba for Office files)
- Check for embedded exploits (CVE exploitation in document parsers)
Step 3: Determine Scope of Impact
Identify all recipients and assess who interacted with the phishing email:
Scope Assessment:
━━━━━━━━━━━━━━━━
Total Recipients: 47 users
Delivered to Inbox: 38 users (9 caught by email gateway)
Opened Email: 24 users (email tracking pixel data)
Clicked Link: 8 users (proxy/firewall logs)
Entered Credentials: 3 users (phishing page submitted form data)
Opened Attachment: 2 users (EDR process execution telemetry)Search methods:
- Microsoft 365: Use Threat Explorer or Content Search to find all instances of the email
- Google Workspace: Use Admin Console > Investigation tool for message search
- Proxy logs: Search for connections to the phishing URL from internal IPs
- EDR: Search for attachment file hash execution across all endpoints
Step 4: Contain the Threat
Execute containment actions based on impact assessment:
Email Containment:
- Purge the phishing email from all mailboxes using Microsoft 365 Content Search and Purge or Google Workspace Admin delete
- Block the sender domain at the email gateway
- Add the phishing URL to the web proxy blocklist
- Add attachment hash to email gateway and EDR blocklists
Account Containment (for users who entered credentials):
- Force password reset immediately
- Revoke all active sessions and OAuth tokens
- Enable or re-verify MFA enrollment
- Review mailbox rules for attacker-created forwarding rules
- Check for unauthorized OAuth application grants
- Review recent sign-in activity for suspicious locations
# Microsoft 365: Revoke sessions and reset password
Connect-AzureAD
Revoke-AzureADUserAllRefreshToken -ObjectId "user@corp.com"
Set-AzureADUserPassword -ObjectId "user@corp.com" -ForceChangePasswordNextLogin $true
# Check for mailbox forwarding rules
Get-InboxRule -Mailbox "user@corp.com" | Where-Object {$_.ForwardTo -or $_.RedirectTo}
# Remove suspicious forwarding rules
Remove-InboxRule -Mailbox "user@corp.com" -Identity "Rule Name"Step 5: Eradicate and Recover
Remove all traces of the phishing attack:
- Confirm email purge completed successfully across all mailboxes
- Verify compromised accounts have been secured (password changed, sessions revoked, MFA verified)
- Remove any malware installed via phishing attachments from affected endpoints
- Monitor compromised accounts for 72 hours for signs of continued unauthorized access
- Check for data exfiltration from compromised accounts during the exposure window
Step 6: Post-Incident Actions
Strengthen defenses against similar phishing attacks:
- Report the phishing URL to Google Safe Browsing and Microsoft SmartScreen
- Submit the phishing domain for takedown via the domain registrar abuse contact
- Update email gateway filtering rules based on observed evasion techniques
- Send targeted security awareness notification to affected users
- Update phishing simulation program to include the observed technique
Key Concepts
| Term | Definition |
|---|---|
| Spear Phishing | Targeted phishing attack crafted for a specific individual or organization using personalized content |
| Credential Harvesting | Phishing technique that mimics a legitimate login page to capture usernames and passwords |
| SPF (Sender Policy Framework) | Email authentication protocol that specifies which mail servers are authorized to send email for a domain |
| DKIM (DomainKeys Identified Mail) | Email authentication method using cryptographic signatures to verify that an email was not altered in transit |
| DMARC | Policy framework that uses SPF and DKIM to determine email authenticity and instructs receivers on handling failures |
| OAuth Consent Phishing | Attack that tricks users into granting malicious OAuth applications access to their email and data |
| Email Header | Metadata embedded in every email containing routing, authentication, and sender information used for forensic analysis |
Tools & Systems
- Microsoft Defender for Office 365: Email threat protection with Threat Explorer for investigation and automated purge
- Proofpoint TAP (Targeted Attack Protection): Email security platform with URL rewriting and attachment sandboxing
- URLscan.io: Online service that scans URLs and captures screenshots of phishing pages for evidence
- PhishTool: Phishing analysis platform that automates header analysis, URL inspection, and IOC extraction
- GoPhish: Open-source phishing simulation platform for security awareness testing
Common Scenarios
Scenario: Microsoft 365 Credential Phishing via QR Code
Context: Users report an email claiming to be from IT requiring MFA re-enrollment. The email contains a QR code that links to a convincing Microsoft 365 login page clone hosted on a compromised WordPress site.
Approach:
- Scan the QR code in a sandbox to extract the URL
- Analyze the phishing page: captures credentials and MFA tokens (adversary-in-the-middle attack)
- Search email gateway for all recipients using message subject and sender as search criteria
- Cross-reference with proxy logs to identify users who visited the phishing URL
- Force password reset and revoke sessions for all users who visited the URL
- Purge the email from all mailboxes and block the sender domain
- Notify users about the specific campaign with visual examples of the phishing email
Pitfalls:
- Not checking for adversary-in-the-middle (AiTM) capability that captures session tokens even with MFA
- Only resetting passwords without revoking active sessions (attacker retains access via stolen session cookies)
- Not searching for mailbox forwarding rules created by the attacker after compromising an account
- Missing QR code phishing (quishing) because URL scanning tools cannot decode QR code images
Output Format
PHISHING INCIDENT RESPONSE REPORT
===================================
Incident: INC-2025-1602
Date Reported: 2025-11-16T09:15:00Z
Reported By: jdoe@corp.example.com
Classification: Credential Phishing (AiTM)
EMAIL ANALYSIS
Subject: "Action Required: MFA Re-enrollment"
Sender: it-support@corp-security[.]com (spoofed)
SPF: FAIL | DKIM: FAIL | DMARC: FAIL
Phishing URL: hxxps://compromised-site[.]com/ms365/login
Phishing Type: Microsoft 365 AiTM credential harvester
IMPACT ASSESSMENT
Recipients: 47
Clicked Link: 8
Credentials Entered: 3 (confirmed via proxy POST data)
CONTAINMENT ACTIONS
[x] Email purged from all 47 mailboxes
[x] Phishing domain blocked at web proxy
[x] Sender domain blocked at email gateway
[x] 3 compromised accounts: passwords reset, sessions revoked
[x] Mailbox forwarding rules reviewed (1 malicious rule removed)
[x] OAuth app grants reviewed (no unauthorized grants found)
IOCs EXTRACTED
Domain: corp-security[.]com
URL: hxxps://compromised-site[.]com/ms365/login
IP: 104.21.x.x (Cloudflare-hosted)
Sender: it-support@corp-security[.]com
RECOMMENDATIONS
1. Implement DMARC enforcement (p=reject) for corp domain
2. Deploy QR code scanning in email gateway
3. Send targeted awareness notification to all 47 recipients
4. Request domain takedown via registrar abuse contactReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.0 KB
API Reference: Phishing Incident Response Agent
Overview
Analyzes phishing emails: parses EML files, extracts URLs and attachment hashes, checks reputation via VirusTotal and urlscan.io, assesses SPF/DKIM/DMARC authentication, and generates severity-rated IR reports.
Dependencies
| Package | Version | Purpose |
|---|---|---|
| requests | >=2.28 | VirusTotal and urlscan.io API calls |
CLI Usage
python agent.py --eml suspicious_email.eml --vt-key <key> --output report.jsonKey Functions
parse_email_file(eml_path)
Parses EML file extracting Subject, From, To, Received headers, and SPF/DKIM/DMARC authentication results.
extract_urls(msg)
Extracts all URLs from email body (plain text and HTML parts) using regex.
extract_attachments(msg)
Extracts attachment filenames, content types, sizes, and computes SHA-256/MD5 hashes.
check_url_virustotal(url, api_key)
Checks URL reputation on VirusTotal v3 API (malicious, suspicious, harmless counts).
check_url_urlscan(url)
Submits URL to urlscan.io for visual and behavioral analysis.
check_hash_virustotal(file_hash, api_key)
Checks attachment hash reputation on VirusTotal for malware detection.
assess_phishing_severity(parsed_email, url_results, attachment_results)
Rates phishing severity (Low/Medium/Critical) based on auth failures and malicious content.
External APIs Used
| API | Endpoint | Auth | Purpose |
|---|---|---|---|
| VirusTotal v3 | /api/v3/urls/{id} |
API key | URL reputation |
| VirusTotal v3 | /api/v3/files/{hash} |
API key | File hash reputation |
| urlscan.io | /api/v1/scan/ |
None | URL visual analysis |
Email Authentication Checks
| Check | Pass | Fail | Impact |
|---|---|---|---|
| SPF | Sender IP authorized | Possible spoofing | Severity +1 |
| DKIM | Signature valid | Message may be tampered | Severity +1 |
| DMARC | Policy enforced | SPF+DKIM alignment failed | Severity +1 |
Scripts 1
agent.py7.2 KB
#!/usr/bin/env python3
"""Phishing Incident Response Agent - Analyzes phishing emails and automates response actions."""
import json
import re
import email
import hashlib
import logging
import argparse
from email import policy
from datetime import datetime
import requests
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def parse_email_file(eml_path):
"""Parse an EML file and extract header and body information."""
with open(eml_path, "rb") as f:
msg = email.message_from_binary_file(f, policy=policy.default)
parsed = {
"subject": msg["Subject"],
"from": msg["From"],
"to": msg["To"],
"date": msg["Date"],
"message_id": msg["Message-ID"],
"return_path": msg["Return-Path"],
"reply_to": msg["Reply-To"],
"received_headers": msg.get_all("Received", []),
"authentication_results": msg.get("Authentication-Results", ""),
"spf": "",
"dkim": "",
"dmarc": "",
}
auth_results = parsed["authentication_results"]
if "spf=pass" in auth_results:
parsed["spf"] = "pass"
elif "spf=fail" in auth_results:
parsed["spf"] = "fail"
if "dkim=pass" in auth_results:
parsed["dkim"] = "pass"
elif "dkim=fail" in auth_results:
parsed["dkim"] = "fail"
if "dmarc=pass" in auth_results:
parsed["dmarc"] = "pass"
elif "dmarc=fail" in auth_results:
parsed["dmarc"] = "fail"
logger.info("Parsed email: Subject='%s' From='%s'", parsed["subject"], parsed["from"])
return parsed, msg
def extract_urls(msg):
"""Extract all URLs from email body."""
body = ""
if msg.is_multipart():
for part in msg.walk():
if part.get_content_type() in ("text/plain", "text/html"):
body += part.get_content()
else:
body = msg.get_content()
urls = re.findall(r'https?://[^\s"\'<>]+', body)
unique_urls = list(set(urls))
logger.info("Extracted %d unique URLs", len(unique_urls))
return unique_urls
def extract_attachments(msg):
"""Extract and hash email attachments."""
attachments = []
for part in msg.walk():
if part.get_content_disposition() == "attachment":
filename = part.get_filename()
content = part.get_payload(decode=True)
if content:
sha256 = hashlib.sha256(content).hexdigest()
md5 = hashlib.md5(content).hexdigest()
attachments.append({
"filename": filename,
"content_type": part.get_content_type(),
"size": len(content),
"sha256": sha256,
"md5": md5,
})
logger.info("Attachment: %s (SHA256: %s)", filename, sha256[:16])
return attachments
def check_url_virustotal(url, api_key):
"""Check URL reputation on VirusTotal."""
import base64
url_id = base64.urlsafe_b64encode(url.encode()).decode().strip("=")
vt_url = f"https://www.virustotal.com/api/v3/urls/{url_id}"
headers = {"x-apikey": api_key}
resp = requests.get(vt_url, headers=headers, timeout=30)
if resp.status_code == 200:
stats = resp.json()["data"]["attributes"]["last_analysis_stats"]
return {
"url": url,
"malicious": stats.get("malicious", 0),
"suspicious": stats.get("suspicious", 0),
"harmless": stats.get("harmless", 0),
}
return {"url": url, "error": resp.status_code}
def check_url_urlscan(url):
"""Submit URL to urlscan.io for analysis."""
resp = requests.post(
"https://urlscan.io/api/v1/scan/",
json={"url": url, "visibility": "private"},
headers={"Content-Type": "application/json"},
timeout=30,
)
if resp.status_code == 200:
return resp.json()
return {"url": url, "error": resp.status_code}
def check_hash_virustotal(file_hash, api_key):
"""Check file hash reputation on VirusTotal."""
url = f"https://www.virustotal.com/api/v3/files/{file_hash}"
headers = {"x-apikey": api_key}
resp = requests.get(url, headers=headers, timeout=30)
if resp.status_code == 200:
attrs = resp.json()["data"]["attributes"]
return {
"hash": file_hash,
"malicious": attrs["last_analysis_stats"].get("malicious", 0),
"threat_name": attrs.get("popular_threat_classification", {}).get("suggested_threat_label", ""),
}
return {"hash": file_hash, "status": "not_found"}
def assess_phishing_severity(parsed_email, url_results, attachment_results):
"""Assess overall severity of the phishing email."""
severity = "Low"
indicators = []
if parsed_email.get("spf") == "fail":
indicators.append("SPF failed")
severity = "Medium"
if parsed_email.get("dkim") == "fail":
indicators.append("DKIM failed")
severity = "Medium"
if parsed_email.get("dmarc") == "fail":
indicators.append("DMARC failed")
severity = "Medium"
for url_result in url_results:
if url_result.get("malicious", 0) > 0:
indicators.append(f"Malicious URL: {url_result['url'][:50]}")
severity = "Critical"
for att_result in attachment_results:
if att_result.get("malicious", 0) > 0:
indicators.append(f"Malicious attachment: {att_result['hash'][:16]}")
severity = "Critical"
return {"severity": severity, "indicators": indicators}
def generate_phishing_report(parsed_email, urls, attachments, url_results, att_results, assessment):
"""Generate phishing incident response report."""
report = {
"timestamp": datetime.utcnow().isoformat(),
"email_headers": parsed_email,
"urls_found": urls,
"attachments": attachments,
"url_analysis": url_results,
"attachment_analysis": att_results,
"severity_assessment": assessment,
}
print(f"PHISHING IR REPORT - Severity: {assessment['severity']}")
print(f"URLs: {len(urls)}, Attachments: {len(attachments)}, Indicators: {len(assessment['indicators'])}")
return report
def main():
parser = argparse.ArgumentParser(description="Phishing Incident Response Agent")
parser.add_argument("--eml", required=True, help="Path to EML file")
parser.add_argument("--vt-key", help="VirusTotal API key")
parser.add_argument("--output", default="phishing_ir_report.json")
args = parser.parse_args()
parsed, msg = parse_email_file(args.eml)
urls = extract_urls(msg)
attachments = extract_attachments(msg)
url_results = []
if args.vt_key:
for url in urls[:10]:
url_results.append(check_url_virustotal(url, args.vt_key))
att_results = []
if args.vt_key:
for att in attachments:
att_results.append(check_hash_virustotal(att["sha256"], args.vt_key))
assessment = assess_phishing_severity(parsed, url_results, att_results)
report = generate_phishing_report(parsed, urls, attachments, url_results, att_results, assessment)
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
logger.info("Report saved to %s", args.output)
if __name__ == "__main__":
main()