npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
Use this skill when:
- A user reports a suspicious email via the phishing report button or helpdesk ticket
- Email security gateway flags a message that bypassed initial filters
- Automated detection identifies credential harvesting URLs or malicious attachments
- A phishing campaign targeting the organization requires scope assessment
Do not use for spam or marketing emails without malicious intent — route those to email administration for filter tuning.
Prerequisites
- Access to email gateway logs (Proofpoint, Mimecast, or Microsoft Defender for Office 365)
- Splunk or SIEM with email log ingestion (O365 Message Trace, Exchange tracking logs)
- Sandbox access (Any.Run, Joe Sandbox, or Hybrid Analysis) for URL/attachment detonation
- Microsoft Graph API or Exchange Admin Center for email search and purge operations
- URLScan.io and VirusTotal API keys
Workflow
Step 1: Extract and Analyze Email Headers
Obtain the full email headers (.eml file) from the reported message:
import email
from email import policy
with open("phishing_sample.eml", "rb") as f:
msg = email.message_from_binary_file(f, policy=policy.default)
# Extract key headers
print(f"From: {msg['From']}")
print(f"Return-Path: {msg['Return-Path']}")
print(f"Reply-To: {msg['Reply-To']}")
print(f"Subject: {msg['Subject']}")
print(f"Message-ID: {msg['Message-ID']}")
print(f"X-Originating-IP: {msg['X-Originating-IP']}")
# Parse Received headers (bottom-up for true origin)
for header in reversed(msg.get_all('Received', [])):
print(f"Received: {header[:120]}")
# Check authentication results
print(f"Authentication-Results: {msg['Authentication-Results']}")
print(f"DKIM-Signature: {msg.get('DKIM-Signature', 'NONE')[:80]}")Key checks:
- SPF: Does
Return-Pathdomain match sending IP? Look forspf=passorspf=fail - DKIM: Is the signature valid?
dkim=passconfirms the email was not modified in transit - DMARC: Does the
Fromdomain align with SPF/DKIM domains?dmarc=failindicates spoofing
Step 2: Analyze URLs and Attachments
URL Analysis:
import requests
# Submit URL to URLScan.io
url_to_scan = "https://evil-login.example.com/office365"
response = requests.post(
"https://urlscan.io/api/v1/scan/",
headers={"API-Key": "YOUR_KEY", "Content-Type": "application/json"},
json={"url": url_to_scan, "visibility": "unlisted"}
)
scan_id = response.json()["uuid"]
print(f"Scan URL: https://urlscan.io/result/{scan_id}/")
# Check VirusTotal for URL reputation
import vt
client = vt.Client("YOUR_VT_API_KEY")
url_id = vt.url_id(url_to_scan)
url_obj = client.get_object(f"/urls/{url_id}")
print(f"VT Score: {url_obj.last_analysis_stats}")
client.close()Attachment Analysis:
import hashlib
# Calculate file hashes
with open("attachment.docx", "rb") as f:
content = f.read()
md5 = hashlib.md5(content).hexdigest()
sha256 = hashlib.sha256(content).hexdigest()
print(f"MD5: {md5}")
print(f"SHA256: {sha256}")
# Submit to MalwareBazaar for lookup
response = requests.post(
"https://mb-api.abuse.ch/api/v1/",
data={"query": "get_info", "hash": sha256}
)
print(response.json()["query_status"])Submit to sandbox (Any.Run or Joe Sandbox) for dynamic analysis of macros, PowerShell execution, and C2 callbacks.
Step 3: Determine Campaign Scope
Search for all recipients of the same phishing email in Splunk:
index=email sourcetype="o365:messageTrace"
(SenderAddress="attacker@evil-domain.com" OR Subject="Urgent: Password Reset Required"
OR MessageId="<phishing-message-id@evil.com>")
earliest=-7d
| stats count by RecipientAddress, DeliveryStatus, MessageTraceId
| sort - countAlternatively, use Microsoft Graph API:
import requests
headers = {"Authorization": f"Bearer {access_token}"}
params = {
"$filter": f"subject eq 'Urgent: Password Reset Required' and "
f"receivedDateTime ge 2024-03-14T00:00:00Z",
"$select": "sender,toRecipients,subject,receivedDateTime",
"$top": 100
}
response = requests.get(
"https://graph.microsoft.com/v1.0/users/admin@company.com/messages",
headers=headers, params=params
)
messages = response.json()["value"]
print(f"Found {len(messages)} matching messages")Step 4: Identify Impacted Users (Who Clicked)
Check proxy/web logs for users who visited the phishing URL:
index=proxy dest="evil-login.example.com" earliest=-7d
| stats count, values(action) AS actions, latest(_time) AS last_access
by src_ip, user
| lookup asset_lookup_by_cidr ip AS src_ip OUTPUT owner, category
| sort - count
| table user, src_ip, owner, actions, count, last_accessCheck if credentials were submitted (POST requests to phishing domain):
index=proxy dest="evil-login.example.com" http_method=POST earliest=-7d
| stats count by src_ip, user, url, statusStep 5: Containment Actions
Purge emails from all mailboxes:
# Microsoft 365 Compliance Search and Purge
New-ComplianceSearch -Name "Phishing_Purge_2024_0315" `
-ExchangeLocation All `
-ContentMatchQuery '(From:attacker@evil-domain.com) AND (Subject:"Urgent: Password Reset Required")'
Start-ComplianceSearch -Identity "Phishing_Purge_2024_0315"
# After search completes, execute purge
New-ComplianceSearchAction -SearchName "Phishing_Purge_2024_0315" -Purge -PurgeType SoftDeleteBlock indicators:
- Add sender domain to email gateway block list
- Add phishing URL domain to web proxy block list
- Add attachment hash to endpoint detection block list
- Create DNS sinkhole entry for phishing domain
Reset compromised credentials:
# Force password reset for impacted users
$impactedUsers = @("user1@company.com", "user2@company.com")
foreach ($user in $impactedUsers) {
Set-MsolUserPassword -UserPrincipalName $user -ForceChangePassword $true
Revoke-AzureADUserAllRefreshToken -ObjectId (Get-AzureADUser -ObjectId $user).ObjectId
}Step 6: Document and Report
Create incident report with full timeline, IOCs, impacted users, and remediation actions taken.
| makeresults
| eval incident_id="PHI-2024-0315",
reported_time="2024-03-15 09:12:00",
sender="attacker@evil-domain[.]com",
subject="Urgent: Password Reset Required",
url="hxxps://evil-login[.]example[.]com/office365",
recipients_count=47,
clicked_count=5,
credentials_submitted=2,
emails_purged=47,
passwords_reset=2,
domains_blocked=1,
disposition="True Positive - Credential Phishing Campaign"
| table incident_id, reported_time, sender, subject, url, recipients_count,
clicked_count, credentials_submitted, emails_purged, passwords_reset, dispositionKey Concepts
| Term | Definition |
|---|---|
| SPF (Sender Policy Framework) | DNS TXT record specifying which mail servers are authorized to send on behalf of a domain |
| DKIM | DomainKeys Identified Mail — cryptographic signature proving email content was not altered in transit |
| DMARC | Domain-based Message Authentication, Reporting and Conformance — policy combining SPF and DKIM alignment |
| Credential Harvesting | Phishing technique using fake login pages to capture username/password combinations |
| Business Email Compromise (BEC) | Social engineering attack using compromised or spoofed executive email for financial fraud |
| Message Trace | O365/Exchange log showing email routing, delivery status, and filtering actions for forensic analysis |
Tools & Systems
- Microsoft Defender for Office 365: Email security platform with Safe Links, Safe Attachments, and Threat Explorer for investigation
- URLScan.io: Free URL analysis service capturing screenshots, DOM, cookies, and network requests
- Any.Run: Interactive sandbox for detonating malicious files and URLs with real-time behavior analysis
- Proofpoint TAP: Targeted Attack Protection dashboard showing clicked URLs and delivered threats per user
- PhishTool: Dedicated phishing email analysis platform automating header parsing and IOC extraction
Common Scenarios
- Credential Phishing: Fake O365 login page — check proxy for POST requests, force password resets for submitters
- Macro-Enabled Document: Word doc with VBA macro — sandbox shows PowerShell download cradle, check endpoints for execution
- QR Code Phishing (Quishing): Email contains QR code linking to credential harvester — decode QR, submit URL to sandbox
- Thread Hijacking: Attacker uses compromised mailbox to reply in existing threads — check for impossible travel or new inbox rules
- Voicemail Phishing: Fake voicemail notification with HTML attachment — analyze attachment for redirect chains
Output Format
PHISHING INCIDENT REPORT — PHI-2024-0315
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Reported: 2024-03-15 09:12 UTC by jsmith (Finance)
Sender: attacker@evil-domain[.]com (SPF: FAIL, DKIM: NONE, DMARC: FAIL)
Subject: Urgent: Password Reset Required
Payload: Credential harvesting URL
IOCs:
URL: hxxps://evil-login[.]example[.]com/office365
Domain: evil-login[.]example[.]com (registered 2024-03-14, Namecheap)
IP: 185.234.xx.xx (VT: 12/90 malicious)
Scope:
Recipients: 47 users across Finance and HR departments
Clicked: 5 users visited phishing URL
Submitted: 2 users entered credentials (confirmed via POST in proxy logs)
Containment:
[DONE] 47 emails purged via Compliance Search
[DONE] Domain blocked on proxy and DNS sinkhole
[DONE] 2 user passwords reset, sessions revoked
[DONE] MFA enforced for both compromised accounts
[DONE] Inbox rules audited — no forwarding rules found
Status: RESOLVED — No evidence of lateral movement post-compromiseReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.5 KB
API Reference: Investigating Phishing Email Incident
URLScan.io API
| Endpoint | Method | Description |
|---|---|---|
/api/v1/scan/ |
POST | Submit URL for scanning (returns task UUID) |
/api/v1/result/{uuid}/ |
GET | Retrieve scan results including screenshot and DOM |
/api/v1/search/?q=domain:example.com |
GET | Search for previous scans of a domain |
VirusTotal API v3
| Endpoint | Method | Description |
|---|---|---|
/api/v3/urls |
POST | Submit URL for analysis |
/api/v3/analyses/{id} |
GET | Get URL analysis results with engine verdicts |
/api/v3/files/{hash} |
GET | Look up file hash (MD5/SHA-256) for reputation |
/api/v3/files |
POST | Upload file for scanning |
MalwareBazaar API
| Endpoint | Method | Description |
|---|---|---|
https://mb-api.abuse.ch/api/v1/ |
POST | Query by hash, tag, or signature name |
Microsoft Graph (Email Operations)
| Endpoint | Method | Description |
|---|---|---|
/v1.0/users/{id}/messages |
GET | Search mailbox for phishing message copies |
/security/alerts_v2 |
GET | Retrieve Defender for O365 phishing alerts |
/security/incidents/{id} |
GET | Get incident details with affected entities |
Exchange Online (Compliance Search)
| Cmdlet | Description |
|---|---|
New-ComplianceSearch |
Create search across all mailboxes by subject/sender |
Start-ComplianceSearch |
Execute the compliance search |
New-ComplianceSearchAction -Purge |
Purge matched emails (SoftDelete or HardDelete) |
Key Libraries
- requests: HTTP client for URLScan.io, VirusTotal, and MalwareBazaar APIs
- email (stdlib): Parse .eml files and extract headers, body, and attachments
- hashlib (stdlib): Calculate MD5/SHA-256 hashes for attachment analysis
- vt-py: Official VirusTotal Python SDK for enrichment queries
Configuration
| Variable | Description |
|---|---|
VT_API_KEY |
VirusTotal API key for URL and file hash lookups |
URLSCAN_API_KEY |
URLScan.io API key for URL submission |
GRAPH_ACCESS_TOKEN |
Microsoft Graph bearer token for email search |
References
Scripts 1
agent.py7.5 KB
#!/usr/bin/env python3
"""
Phishing Email Investigation Agent
Analyzes reported phishing emails by parsing headers, checking URL/attachment
reputation via VirusTotal and URLScan.io, and identifying impacted recipients.
"""
import email
import email.policy
import hashlib
import json
import re
import sys
import time
from datetime import datetime, timezone
import requests
VT_API_KEY = "" # Set via environment or config
URLSCAN_API_KEY = "" # Set via environment or config
def parse_email_headers(eml_path: str) -> dict:
"""Parse an .eml file and extract investigation-relevant headers."""
with open(eml_path, "rb") as f:
msg = email.message_from_binary_file(f, policy=email.policy.default)
auth_results = msg.get("Authentication-Results", "")
spf_match = re.search(r"spf=(\w+)", auth_results)
dkim_match = re.search(r"dkim=(\w+)", auth_results)
dmarc_match = re.search(r"dmarc=(\w+)", auth_results)
received_chain = []
for hdr in reversed(msg.get_all("Received", [])):
received_chain.append(hdr.strip()[:200])
return {
"from": msg["From"],
"return_path": msg.get("Return-Path", ""),
"reply_to": msg.get("Reply-To", ""),
"subject": msg["Subject"],
"message_id": msg["Message-ID"],
"date": msg["Date"],
"x_originating_ip": msg.get("X-Originating-IP", ""),
"spf": spf_match.group(1) if spf_match else "not found",
"dkim": dkim_match.group(1) if dkim_match else "not found",
"dmarc": dmarc_match.group(1) if dmarc_match else "not found",
"received_chain": received_chain,
}
def extract_urls_from_email(eml_path: str) -> list[str]:
"""Extract all URLs from email body."""
with open(eml_path, "rb") as f:
msg = email.message_from_binary_file(f, policy=email.policy.default)
body = ""
if msg.is_multipart():
for part in msg.walk():
ctype = part.get_content_type()
if ctype in ("text/plain", "text/html"):
payload = part.get_payload(decode=True)
if payload:
body += payload.decode("utf-8", errors="ignore")
else:
payload = msg.get_payload(decode=True)
if payload:
body = payload.decode("utf-8", errors="ignore")
url_pattern = re.compile(r'https?://[^\s<>"\')\]]+')
return list(set(url_pattern.findall(body)))
def check_url_urlscan(url: str, api_key: str) -> dict:
"""Submit URL to URLScan.io for analysis."""
if not api_key:
return {"error": "URLSCAN_API_KEY not set"}
resp = requests.post(
"https://urlscan.io/api/v1/scan/",
headers={"API-Key": api_key, "Content-Type": "application/json"},
json={"url": url, "visibility": "unlisted"},
timeout=30,
)
if resp.status_code == 200:
data = resp.json()
return {"uuid": data.get("uuid", ""), "result_url": data.get("result", "")}
return {"error": f"URLScan returned {resp.status_code}: {resp.text[:200]}"}
def check_url_virustotal(url: str, api_key: str) -> dict:
"""Check URL reputation on VirusTotal."""
if not api_key:
return {"error": "VT_API_KEY not set"}
resp = requests.post(
"https://www.virustotal.com/api/v3/urls",
headers={"x-apikey": api_key},
data={"url": url},
timeout=30,
)
if resp.status_code == 200:
analysis_id = resp.json().get("data", {}).get("id", "")
time.sleep(15)
result = requests.get(
f"https://www.virustotal.com/api/v3/analyses/{analysis_id}",
headers={"x-apikey": api_key},
timeout=30,
)
if result.status_code == 200:
stats = result.json().get("data", {}).get("attributes", {}).get("stats", {})
return {"malicious": stats.get("malicious", 0), "suspicious": stats.get("suspicious", 0),
"harmless": stats.get("harmless", 0), "undetected": stats.get("undetected", 0)}
return {"error": f"VT returned {resp.status_code}"}
def hash_attachment(filepath: str) -> dict:
"""Calculate MD5 and SHA-256 hashes for an attachment."""
with open(filepath, "rb") as f:
content = f.read()
return {
"filename": filepath,
"size_bytes": len(content),
"md5": hashlib.md5(content).hexdigest(),
"sha256": hashlib.sha256(content).hexdigest(),
}
def check_hash_virustotal(file_hash: str, api_key: str) -> dict:
"""Look up file hash on VirusTotal."""
if not api_key:
return {"error": "VT_API_KEY not set"}
resp = requests.get(
f"https://www.virustotal.com/api/v3/files/{file_hash}",
headers={"x-apikey": api_key},
timeout=30,
)
if resp.status_code == 200:
attrs = resp.json().get("data", {}).get("attributes", {})
stats = attrs.get("last_analysis_stats", {})
return {
"detection_name": attrs.get("popular_threat_classification", {}).get("suggested_threat_label", "unknown"),
"malicious": stats.get("malicious", 0),
"total_engines": sum(stats.values()),
}
return {"error": f"Hash not found or VT error: {resp.status_code}"}
def generate_ioc_list(headers: dict, urls: list[str], attachments: list[dict]) -> dict:
"""Compile indicators of compromise from the investigation."""
iocs = {"domains": set(), "ips": set(), "urls": urls, "hashes": []}
for url in urls:
domain_match = re.search(r"https?://([^/]+)", url)
if domain_match:
iocs["domains"].add(domain_match.group(1))
if headers.get("x_originating_ip"):
iocs["ips"].add(headers["x_originating_ip"].strip("[]"))
for att in attachments:
iocs["hashes"].append({"md5": att["md5"], "sha256": att["sha256"]})
iocs["domains"] = sorted(iocs["domains"])
iocs["ips"] = sorted(iocs["ips"])
return iocs
def generate_report(headers: dict, urls: list[str], iocs: dict) -> str:
"""Generate phishing investigation report."""
lines = [
f"PHISHING INCIDENT REPORT",
"=" * 50,
f"Report Generated: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')}",
"",
f"From: {headers['from']}",
f"Return-Path: {headers['return_path']}",
f"Subject: {headers['subject']}",
f"SPF: {headers['spf']} DKIM: {headers['dkim']} DMARC: {headers['dmarc']}",
"",
f"URLs Found: {len(urls)}",
]
for u in urls[:10]:
lines.append(f" - {u}")
lines.extend(["", f"IOC Domains: {', '.join(iocs['domains'])}",
f"IOC IPs: {', '.join(iocs['ips'])}",
f"IOC Hashes: {len(iocs['hashes'])}"])
return "\n".join(lines)
if __name__ == "__main__":
import os
VT_API_KEY = os.getenv("VT_API_KEY", VT_API_KEY)
URLSCAN_API_KEY = os.getenv("URLSCAN_API_KEY", URLSCAN_API_KEY)
eml_path = sys.argv[1] if len(sys.argv) > 1 else "phishing_sample.eml"
print(f"[*] Analyzing phishing email: {eml_path}")
headers = parse_email_headers(eml_path)
urls = extract_urls_from_email(eml_path)
print(f"[*] Found {len(urls)} URLs in email body")
for url in urls[:5]:
if URLSCAN_API_KEY:
result = check_url_urlscan(url, URLSCAN_API_KEY)
print(f" URLScan: {result}")
iocs = generate_ioc_list(headers, urls, [])
report = generate_report(headers, urls, iocs)
print(report)
output = f"phishing_report_{datetime.now(timezone.utc).strftime('%Y%m%d_%H%M%S')}.json"
with open(output, "w") as f:
json.dump({"headers": headers, "urls": urls, "iocs": iocs}, f, indent=2)
print(f"\n[*] Results saved to {output}")