curben
/
phishing-filter
mirror of https://gitlab.com/malware-filter/phishing-filter.git
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: reprocess decoded safelink 

- extend 1ea3ce51f5
- also include scope of 0578e6c16a
This commit is contained in:
MDLeom 2023-05-20 08:20:22 +00:00
parent 0578e6c16a
commit ca23363ef4
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
2 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/safelinks.js
View File

@ -2,4 +2,4 @@
// https://support.microsoft.com/en-us/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2
const inputUrl = new URL(`http://${process.argv[2]}`)
const outputUrl = new URL(inputUrl.searchParams.get('url'))
console.log(outputUrl.hostname)
console.log(`${outputUrl.host}${outputUrl.pathname}${outputUrl.search}`)

8
src/script.sh
View File

@ -219,7 +219,13 @@ while read URL; do
cut -f 1 -d ":" >> "phishing-subdomains.txt"
elif test "${URL#*safelinks.protection.outlook.com}" != "$URL"; then
## Parse hostname from O365 safelink
echo $(node "../src/safelinks.js" "$URL") >> "phishing-notop-domains-temp.txt"
SAFELINK=$(node "../src/safelinks.js" "$URL")
if grep -Fq "$SAFELINK" "top-1m-well-known.txt"; then
echo "$SAFELINK" >> "phishing-url-top-domains-temp.txt"
else
echo "$SAFELINK" | \
cut -d"/" -f1 >> "phishing-notop-domains-temp.txt"
fi
else
## Parse phishing URLs from popular domains
echo "$URL" | \