# attack_classifier.py
def classify_attack(
final_score,
header_findings,
body_findings,
url_findings,
attachment_findings,
auth_results,
):
"""
Returns:
attack_type (str)
confidence (str)
reasoning (list[str])
"""
reasoning = []
findings_text = " ".join(
header_findings + body_findings + url_findings + attachment_findings
).lower()
spf_fail = auth_results.get("spf") == "fail"
dkim_fail = auth_results.get("dkim") == "fail"
dmarc_fail = auth_results.get("dmarc") == "fail"
has_urls = len(url_findings) > 0
has_attachments = len(attachment_findings) > 0
# =========================
# 1️⃣ BUSINESS EMAIL COMPROMISE (BEC)
# =========================
if (
("reply-to" in findings_text or "payment" in findings_text or "invoice" in findings_text)
and not has_urls
and not has_attachments
and (spf_fail or dkim_fail)
):
reasoning.append("No URLs or attachments present")
reasoning.append("Email requests action (payment / reply)")
reasoning.append("Email authentication failure detected")
return "Business Email Compromise (BEC)", "High", reasoning
# =========================
# 2️⃣ MALWARE DELIVERY
# =========================
if has_attachments and (
"macro" in findings_text
or "html attachment" in findings_text
or "executable" in findings_text
):
reasoning.append("Malicious attachment detected")
if has_urls:
reasoning.append("URL-based delivery combined with attachment")
return "Malware Delivery", "High", reasoning
# =========================
# 3️⃣ PHISHING
# =========================
if has_urls and (
"phishing" in findings_text
or "credential" in findings_text
or "login" in findings_text
or "verify" in findings_text
):
reasoning.append("Phishing indicators in body content")
reasoning.append("Malicious or suspicious URLs detected")
if dmarc_fail:
reasoning.append("DMARC failure increases confidence")
return "Phishing", "High", reasoning
# =========================
# 4️⃣ BRAND SPOOFING
# =========================
if "brand spoof" in findings_text or "look-alike domain" in findings_text:
reasoning.append("Look-alike domain or brand impersonation detected")
if dmarc_fail:
reasoning.append("Brand spoofing combined with DMARC failure")
return "Brand Spoofing", "Medium", reasoning
# =========================
# 5️⃣ SPAM / MARKETING
# =========================
if (
"unsubscribe" in findings_text
or "promotion" in findings_text
or "marketing" in findings_text
) and final_score < 40:
reasoning.append("Marketing language detected")
reasoning.append("Low overall risk score")
return "Spam / Marketing", "Low", reasoning
# =========================
# 6️⃣ GENERIC SUSPICIOUS
# =========================
if final_score >= 70:
reasoning.append("High overall risk score")
return "Suspicious Email", "Medium", reasoning
# =========================
# 7️⃣ CLEAN / LEGITIMATE
# =========================
reasoning.append("No strong malicious indicators detected")
return "Legitimate Email", "High", reasoning