For project 4 (the final project of the Cybersecurity class I took in second half of 2023), I decided to do it on Automating email analysis in Tines for suspicious links, files and sender addresses using virustotal and emailrep.io APIs. It was a bit of a steep learning curve for me to be able to integrate these apis as I had to parse links and email sender addresses out of email body content. I ended up using a REGEX expression to detect links, and even bypassed hyperlinked with replaced text, if the replaced text was another URL different from the actual.
In the submitted state, the story was triggered by sending/forwarding an email to the Tines story email address at the start of the action. This story would be able to accept a normal email as well as an email forwarded as an attachment. The email and associated attachments would be parsed and checked against emailrep.io database/service for email sender’s reputation (based on their metrics). Afterwards, the same email content would be checked against Virustotal’s database service for content suspicious links/files. There is a loop check here to wait for Virustotal’s scan to complete.
Once completed, the results from both emailrep.io and Virustotal are compiled and formatted into an easy-to-read message that then gets sent (in the case of this project) to either an email address or slack message channel. The message content displays quick glances at the overall rep of the sender’s email address, any recent incidents, and if any links or files, the rated suspicion of the files. Lastly, a link to the direct results is included, which is very helpful for determining Virustotal analysis of files hosted at any supplied link (sometimes links could be easily disguised and show up as reliable, but the link actually leads to a download or hosted file). If this was to happen, the analysis of the link itself may return fine, but the file itself would then need to be analyzed, which doesn’t show up on the link report, but the full report itself.
I would like to see if there is a way to determine this programmatically to be able to include any of those more in-depth reports automatically as needed.
Another cool tidbit with this final project is that I partly linked it into another student’s final project, where their project was designing a password strength checking app (to simulate a seemingly safe app) that stole stored wifi passwords in the background while ran. I had that student deliver to me a link in the email to the app, and my Tines story automatically checked the sender address and contents/url(s) for safeness.
This project used these concepts:
