- Sanitise URL's to be safe to send in emails
- Perform reverse DNS and DNS lookups
- Perform reputation checks from:
- Check if an IP address is a TOR exit node
- Decode Proofpoint URL's, UTF-8 encoded URLS, Office SafeLink URL's and Base64 Strings
- Get file hashes and compare them against VirusTotal (see requirements)
- Perform WhoIs Lookups
- Check Usernames and Emails against HaveIBeenPwned to see if a breach has occurred.
- Simple analysis of emails to retrieve URL's, emails and header information.
- Extract IP addresses from emails.
- Unshorten URL's that have been shortened by external services. (Limited to 10 requests per hour)
- Query URLScan.io for reputation reports.
- Analyze email addresses for known malicious activity and report on domain reputation utilising EmailRep.io
- Python 3.x
- Install all dependencies from the requirements.txt file.
pip install -r requirements.txt - To use the Hash comparison with VirusTotal requires an API key, replace the key
VT_API_KEYin the code with your own key. The tool will still function without this key, however this feature will not work. - To use the Reputation Checker with AbuseIPDB requires an API Key, replace the key
AB_API_KEYin the code with your own key. The tool will still function without this key, however this feature will not work. - To use the URLScan.io checker function with URLScan requires an API Key, replace the key
URLSCAN_IO_KEYin the code with your own key. The tool will still function without this key, however this feature will not work.
Want to contribute? Great!
- New features / requests should start by opening an issue. This helps track new features and prevent crossover.
- If you wish to work on a feature, leave a comment on the issue page and I will assign you to it.
- All code modifications, enhancements or additions must be done through a pull request.
- Once reviewed and merged, contibutors will be added to the ReadMe
Found a Bug? Show Me!
- If an issue / bug is found please open a ticket in the issue tracker. State the issue first, and how to recreate it if necessary.
- I will assign myself / another commenter to that case and work on fixing it asap.
- Added first iteration of the Phishing tool.
- Able to analyze an email (outlook / .msg only tested at the moment) and retrieve emails, urls (Proofpoint decode if necessary) and extract info from headers.
- Extract IP's from body of email.
- Improved Rep Checker
- Added HaveIBeenPwned Functionality
- Added DNS Tools and WhoIs Functionality
- Added Hash and VirusTotal Checkers
- Added Abuse IPDB, Tor Exit Node, BadIP's to Reputation Checker
- Initial Release
- URL and ProofPoint Decoder
- Initial implementation of Reputation Checker
- Sanitize links to be safe for email
This is an outline of what features will be coming in future versions.
Add Ability to extract email addresses and URL's from mail.Edit: AddedCorrelate emails and URL's to see if they have been reported for phishingEdit: Added- Scan email attachments for malicious content, macros, files, scan hashes, etc.
- Add a 'New Case' Feature, allowing output of the tool to be output to a txt file.
- Aaron J Copley for his code to decode ProofPoint URL's
- James Duarte for adding a hash and auto-check option to the hashing function
- mrpnkt for adding the missing whois requirement to requirements.txt
- Gurulhu for adding the Base64 Decoder to the Decoders menu.
- AndThenEnteredAlex for adding the URLScan Function from URLScan.io