PhishinEmail1.py
{
"Cases": [{
"Events": [{
"_fields": {
"BaseEventIds": "[]",
"ParentEventId": -1,
"DeviceProduct": "Phishing email detector"
},
"_rawDataFields": {
"sourcetype": "Phishing email detector",
"DeviceVendor": "Email server",
"StartTime": "1498647816000",
"EndTime": "1498647816000",
"EventId": "220",
"Name": "Your New Salary Notification",
"Mail_OriginalEmailBody": "Hello, You have an important email from the Human Resources Department with regards to your December 2015 Paycheck\r\n\r\nThis email is enclosed in the Marquette University secure network, hence access it below\r\n\r\nAccess the documents here <http://markossolomon.com/F1q7QX.php<link removed>\r\n\r\n***Ensure your login credentials are correct to avoid cancellations**\r\n\r\nFaithfully \r\nHuman Resources \r\nUniversity of California, Berkeley\r\n\r",
"Severity": "High",
"CategoryOutcome": "allowed",
"DeviceEventClassId": "Email check",
"SourceUserName": "[email protected]",
"DestinationUserName": "[email protected]",
"DestinationURL": "http://markossolomon.com/F1q7QX.php",
"sentTime": "1498647816000",
"message_id": "220",
"subject": "Your New Salary Notification",
"body": "Hello, You have an important email from the Human Resources Department with regards to your December 2015 Paycheck\r\n\r\nThis email is enclosed in the Marquette University secure network, hence access it below\r\n\r\nAccess the documents here <http://markossolomon.com/F1q7QX.php<link removed>\r\n\r\n***Ensure your login credentials are correct to avoid cancellations**\r\n\r\nFaithfully \r\nHuman Resources \r\nUniversity of California, Berkeley\r\n\r"
}
}],
"Environment": null,
"SourceSystemName": "Splunk",
"TicketId": "220",
"Description": "The email from <[email protected]> to <[email protected]> detected as phishing email.",
"DisplayId": "125fc5df-31d0-4018-a1d0-d13dc0def50b",
"Reason": "Phishing email detector",
"Name": "Suspicious phishing email",
"DeviceVendor": "Email server",
"DeviceProduct": "Phishing email detector",
"StartTime": "1498647816000",
"EndTime": "1498647816000",
"Priority": 60,
"RuleGenerator": "Phishing email detector",
"Extensions": [],
"IsTestCase": false
}]
}