curben
/
phishing-filter
mirror of https://gitlab.com/malware-filter/phishing-filter
1
0
Fork 0
Code Issues Releases Wiki Activity

feat: decode O365 safelink 

- https://support.microsoft.com/en-us/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2
This commit is contained in:
MDLeom 2022-12-04 03:53:09 +00:00
parent 5a4a8bb9bc
commit 1ea3ce51f5
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
2 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/safelinks.js Normal file
View File

@ -0,0 +1,5 @@
// Decode O365 Safelinks
// https://support.microsoft.com/en-us/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2
const inputUrl = new URL(`http://${process.argv[2]}`)
const outputUrl = new URL(inputUrl.searchParams.get('url'))
console.log(outputUrl.hostname)

5
src/script.sh
View File

@ -212,10 +212,13 @@ while read URL; do
HOST=$(echo "$URL" | cut -d"/" -f1)
URI=$(echo "$URL" | sed "s/^$HOST//")
## Separate host-only URL
if [ -z "$URI" ] || [ "$URI" = "/" ]; then
## Separate host-only URL
echo "$HOST" | \
cut -f 1 -d ":" >> "phishing-notop-domains-temp.txt"
elif test "${URL#*safelinks.protection.outlook.com}" != "$URL"; then
## Parse hostname from O365 safelink
echo $(node "../src/safelinks.js" "$URL") >> "phishing-notop-domains-temp.txt"
else
## Parse phishing URLs from popular domains
echo "$URL" | \