# attack_classifier.py
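# Keyword groups consulted by classify_attack(). Matching is a plain substring
# search over the lower-cased, space-joined findings, so "login" also matches
# "logins" and "verify" matches "verified" -- broad by design, not word-based.
_BEC_KEYWORDS = ("reply-to", "payment", "invoice")
_MALWARE_KEYWORDS = ("macro", "html attachment", "executable")
_PHISHING_KEYWORDS = ("phishing", "credential", "login", "verify")
_BRAND_KEYWORDS = ("brand spoof", "look-alike domain")
_SPAM_KEYWORDS = ("unsubscribe", "promotion", "marketing")


def _mentions(text, keywords):
    """Return True if any entry of *keywords* occurs as a substring of *text*."""
    return any(keyword in text for keyword in keywords)


def _as_text_list(findings):
    """Coerce a findings collection (list/tuple/None) into a list of str.

    None and empty collections become []; non-string items are stringified so
    a stray object from an analyzer cannot make the join below raise TypeError.
    """
    if not findings:
        return []
    return [str(item) for item in findings]


def _auth_failed(auth_results, mechanism):
    """Return True if *mechanism* ("spf", "dkim" or "dmarc") is recorded as "fail".

    The comparison is case- and whitespace-insensitive; a missing key or a
    None value is never treated as a failure.
    """
    value = auth_results.get(mechanism)
    return value is not None and str(value).strip().lower() == "fail"


def classify_attack(
    final_score,
    header_findings,
    body_findings,
    url_findings,
    attachment_findings,
    auth_results,
    *,
    spam_score_threshold=40,
    suspicious_score_threshold=70,
):
    """Assign a coarse attack category to an analysed email.

    Rules are evaluated in priority order (BEC, malware delivery, phishing,
    brand spoofing, spam/marketing, generic suspicious, legitimate) and the
    first rule whose conditions hold wins. Conditions are substring matches on
    the combined findings text plus the authentication verdicts and the score,
    so the result is a triage label, not a verdict to allow or block on alone.

    Args:
        final_score: numeric overall risk score; compared against the two
            thresholds below (presumably 0-100 -- confirm with the scorer).
        header_findings, body_findings, url_findings, attachment_findings:
            collections of human-readable finding strings produced by the
            upstream analyzers. None is accepted and treated as empty. A
            non-empty url/attachment collection is what makes the classifier
            consider URLs/attachments present.
        auth_results: mapping with optional "spf", "dkim" and "dmarc" keys;
            a value of "fail" (any case) marks that mechanism as failed.
            None is accepted and treated as empty.
        spam_score_threshold: marketing-language emails scoring below this
            are labelled Spam / Marketing (default 40).
        suspicious_score_threshold: emails with no rule hit scoring at or
            above this are labelled Suspicious Email (default 70).

    Returns:
        tuple (attack_type: str, confidence: str, reasoning: list[str]) where
        confidence is one of "High", "Medium", "Low".
    """
    reasoning = []
    auth_results = auth_results or {}
    url_items = _as_text_list(url_findings)
    attachment_items = _as_text_list(attachment_findings)
    all_findings = (
        _as_text_list(header_findings)
        + _as_text_list(body_findings)
        + url_items
        + attachment_items
    )
    # Lower-case once so every keyword group is matched case-insensitively.
    findings_text = " ".join(all_findings).lower()

    spf_fail = _auth_failed(auth_results, "spf")
    dkim_fail = _auth_failed(auth_results, "dkim")
    dmarc_fail = _auth_failed(auth_results, "dmarc")
    has_urls = bool(url_items)
    has_attachments = bool(attachment_items)

    # 1. Business Email Compromise: an action request (payment / reply) with no
    #    payload to deliver, backed by a sender-authentication failure.
    if (
        _mentions(findings_text, _BEC_KEYWORDS)
        and not has_urls
        and not has_attachments
        and (spf_fail or dkim_fail)
    ):
        reasoning.append("No URLs or attachments present")
        reasoning.append("Email requests action (payment / reply)")
        reasoning.append("Email authentication failure detected")
        return "Business Email Compromise (BEC)", "High", reasoning

    # 2. Malware delivery: an attachment the analyzers flagged as active content.
    if has_attachments and _mentions(findings_text, _MALWARE_KEYWORDS):
        reasoning.append("Malicious attachment detected")
        if has_urls:
            reasoning.append("URL-based delivery combined with attachment")
        return "Malware Delivery", "High", reasoning

    # 3. Phishing: credential-harvesting language together with flagged URLs.
    if has_urls and _mentions(findings_text, _PHISHING_KEYWORDS):
        reasoning.append("Phishing indicators in body content")
        reasoning.append("Malicious or suspicious URLs detected")
        if dmarc_fail:
            reasoning.append("DMARC failure increases confidence")
        return "Phishing", "High", reasoning

    # 4. Brand spoofing: impersonation findings, optionally corroborated by DMARC.
    if _mentions(findings_text, _BRAND_KEYWORDS):
        reasoning.append("Look-alike domain or brand impersonation detected")
        if dmarc_fail:
            reasoning.append("Brand spoofing combined with DMARC failure")
        return "Brand Spoofing", "Medium", reasoning

    # 5. Spam / marketing: bulk-mail language on a low-scoring message. A
    #    marketing-looking message scoring at or above the threshold falls
    #    through to the score-based rules instead.
    if (
        _mentions(findings_text, _SPAM_KEYWORDS)
        and final_score < spam_score_threshold
    ):
        reasoning.append("Marketing language detected")
        reasoning.append("Low overall risk score")
        return "Spam / Marketing", "Low", reasoning

    # 6. Generic suspicious: nothing specific matched but the score is high.
    if final_score >= suspicious_score_threshold:
        reasoning.append("High overall risk score")
        return "Suspicious Email", "Medium", reasoning

    # 7. Legitimate. A score between the two thresholds means the scorer still
    #    saw something worth points, so confidence is only Medium there rather
    #    than High; below the spam threshold nothing pointed at an attack.
    if final_score >= spam_score_threshold:
        reasoning.append("No specific attack indicators, but moderate risk score")
        return "Legitimate Email", "Medium", reasoning
    reasoning.append("No strong malicious indicators detected")
    return "Legitimate Email", "High", reasoning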