
DBotPredictURLPhishing

This script is part of the Phishing URL Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Predict phishing URLs using a pre-trained model.

Security Recommendations

This script uses the Rasterize integration. If you use this script to rasterize untrusted URLs, we strongly recommend following the security recommendations in the Rasterize documentation.

Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Tags | ml |
| Cortex XSOAR Version | 6.0.0 |

Used In


This script is used in the following playbooks and scripts.

Phishing - Machine Learning Analysis

Inputs

| Argument Name | Description |
| --- | --- |
| urls | Space-separated list of URLs. |
| emailBody | Body of the email for URL extraction. |
| emailHTML | HTML of the email for URL extraction. |
| maxNumberOfURL | Maximum number of extracted URLs on which to run the model. |
| forceModel | Whether to force the model to run if the URL belongs to the whitelist. If True, the model will run in every case. If False, the model will run only if the URL does not belong to the whitelist. |
| resetModel | Whether to reset the model to the model existing in Docker. |
| defaultRequestProtocol | The protocol to use when calling the URLs. This argument affects only the calls sent by the model and has no effect on the rasterize or whois commands. |
| debug | Whether to enter debug mode. |
| reliability | Reliability of the source providing the intelligence data. |

Outputs

| Path | Description | Type |
| --- | --- | --- |
| DBotPredictURLPhishing.URL | URL on which the model ran. | String |
| DBotPredictURLPhishing.FinalVerdict | Final verdict of the URL. | String |
| DBotPredictURLPhishing.UseOfSuspiciousLogo | Whether a logo from our list of the companies most often used for phishing has been fraudulently used. Our predefined list of logos is: Paypal, Instagram, Gmail, Outlook, Linkedin, Facebook, Ebay, amazon, Google, Microsoft. | String |
| DBotPredictURLPhishing.HasLoginForm | Whether there is a login form in the HTML. Phishing attacks usually aim to steal credentials from the victim, and attackers use login forms to retrieve this information. | String |
| DBotPredictURLPhishing.URLStaticScore | Probability for the URL to be malicious based only on the URL syntax. | Number |
| DBotPredictURLPhishing.BadSEOQuality | Whether the domain has good search engine optimization (SEO). Malicious domains tend to have poor SEO. | String |
| DBotPredictURLPhishing.NewDomain | Whether the domain is younger than 6 months. New domains tend to be malicious. | String |
| DBotPredictURLPhishing.TopMajesticDomain | Whether the domain belongs to the top Majestic domain list. If it does, we will always consider this domain as benign. | String |
| DBotScore.Score | Severity score. | Number |

Script Examples

Example command

!DBotPredictURLPhishing urls="http://google.com"

Context Example

{
    "DBotPredictURLPhishing": [
        {
            "FinalVerdict": "Benign",
            "TopMajesticDomain": "True",
            "URL": "http://google.com"
        }
    ]
}

Human Readable Output

Phishing prediction summary for URLs

| URL | Final Verdict |
| --- | --- |
| http://google.com | Benign - whitelisted |
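
The Outputs table types the indicator flags as String, and the Context Example shows only some keys being present, so a downstream consumer has to compare against the text "True" and tolerate missing fields. The following is an added example, not part of the script or the pack: the `triage` and `as_bool` helpers, the second sample entry, the "Malicious" verdict string and the "False" flag value are assumptions made for illustration.

```python
import json

# Indicator outputs from the Outputs table that are typed String.
INDICATORS = ("UseOfSuspiciousLogo", "HasLoginForm", "BadSEOQuality", "NewDomain")


def as_bool(value):
    """Map the script's string flags to bool; None when the key is absent."""
    if value is None:
        return None
    # bool("False") is True in Python, so compare the text explicitly.
    return str(value).strip().lower() == "true"


def triage(context):
    """Return one summary dict per URL in a DBotPredictURLPhishing context."""
    rows = []
    for entry in context.get("DBotPredictURLPhishing", []):
        verdict = entry.get("FinalVerdict", "")
        rows.append({
            "url": entry.get("URL"),
            "verdict": verdict,
            "top_majestic": as_bool(entry.get("TopMajesticDomain")) is True,
            # Flags that are present and set to "True".
            "indicators": [k for k in INDICATORS if as_bool(entry.get(k))],
            # Flags absent from the entry: unknown, not the same as "False".
            "not_evaluated": [k for k in INDICATORS if k not in entry],
            # Assumption: any verdict not starting with "Benign" needs review.
            "needs_review": not verdict.startswith("Benign"),
        })
    return rows


# Constructed sample: the first entry is the page's Context Example,
# the second entry is invented for this illustration.
SAMPLE = json.loads("""
{"DBotPredictURLPhishing": [
  {"FinalVerdict": "Benign", "TopMajesticDomain": "True", "URL": "http://google.com"},
  {"FinalVerdict": "Malicious", "TopMajesticDomain": "False",
   "HasLoginForm": "True", "NewDomain": "True", "UseOfSuspiciousLogo": "False",
   "URLStaticScore": 0.91, "URL": "http://login.example.test/verify"}
]}
""")

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```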