From 1ea3ce51f5168b0a2789ba85551baccd35e61d5f Mon Sep 17 00:00:00 2001
From: MDLeom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 4 Dec 2022 03:53:09 +0000
Subject: [PATCH] feat: decode O365 safelink - https://support.microsoft.com/en-us/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2
---
 src/safelinks.js | 5 +++++
 src/script.sh | 5 ++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 src/safelinks.js
diff --git a/src/safelinks.js b/src/safelinks.js
new file mode 100644
index 00000000..d33689b7
--- /dev/null
+++ b/src/safelinks.js
@@ -0,0 +1,5 @@
+// Decode O365 Safelinks
+// https://support.microsoft.com/en-us/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2
+const inputUrl = new URL(`http://${process.argv[2]}`)
+const outputUrl = new URL(inputUrl.searchParams.get('url'))
+console.log(outputUrl.hostname)
diff --git a/src/script.sh b/src/script.sh
index bb458b48..d51b2a77 100644
--- a/src/script.sh
+++ b/src/script.sh
@@ -212,10 +212,13 @@ while read URL; do
 HOST=$(echo "$URL" | cut -d"/" -f1)
 URI=$(echo "$URL" | sed "s/^$HOST//")
- ## Separate host-only URL
 if [ -z "$URI" ] || [ "$URI" = "/" ]; then
+ ## Separate host-only URL
 echo "$HOST" | \
 cut -f 1 -d ":" >> "phishing-notop-domains-temp.txt"
+ elif test "${URL#*safelinks.protection.outlook.com}" != "$URL"; then
+ ## Parse hostname from O365 safelink
+ echo $(node "../src/safelinks.js" "$URL") >> "phishing-notop-domains-temp.txt"
 else
 ## Parse phishing URLs from popular domains
 echo "$URL" | \
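Review bot: In src/safelinks.js, `inputUrl.searchParams.get('url')` returns null when the argument carries no `url` parameter, and `new URL(null)` then throws, so the script dies with an uncaught exception and prints nothing. The argument is the feed entry passed in by the shell loop, so it should be treated as untrusted: wrap both `new URL(...)` calls in a try/catch that exits non-zero without output, and print only when `outputUrl.protocol` is `http:` or `https:` and `outputUrl.hostname` is non-empty. It would also be safer to confirm here that `inputUrl.hostname` ends with `safelinks.protection.outlook.com` rather than rely on the caller's test. A short comment saying the argument is expected without a scheme (the script prepends `http://`) would help the next reader.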
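Review bot: In src/script.sh the new `elif` matches `safelinks.protection.outlook.com` anywhere in `$URL`, not only in the host, so an entry that merely contains that string in its path or query is routed to the decoder and its own host is not recorded by this branch. Testing the host instead closes that gap, e.g. `elif test "${HOST%safelinks.protection.outlook.com}" != "$HOST"; then`. The unquoted `echo $(node ...)` subjects the decoder output to word splitting and globbing and appends an empty line whenever node fails; redirecting node's stdout directly, `node "../src/safelinks.js" "$URL" >> "phishing-notop-domains-temp.txt"`, avoids both. The decoded hostname is also written straight to the notop list; if that list is meant to exclude popular domains, as the `else` branch comment suggests, the decoded host presumably needs the same check. The `while` loop starts and ends outside the hunk.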