Resilient

Expand all | Collapse all

Extracting Links from Photo in a phishing email

  • 1.  Extracting Links from Photo in a phishing email

    Posted Wed August 14, 2019 04:43 AM
    Hello Members,
    I need to extract the clickable links from a photo in a phishing email, while I am parsing an eml attachment of an email, it shows the pictures inside the body, but I need the link itself to be parsed and added as an artifact.


  • 2.  RE: Extracting Links from Photo in a phishing email

    Posted Thu September 12, 2019 06:00 AM
    Hi Ahmed,

    Sorry for the long delay in replying.  Have you found a solution yet? Let us know.

    This looks like a very interesting integration and there may be possibilities for adding this to Resilient's integration solutions. OCR solutions would be the best way to extract text from a photo. The most popular python library I see is pytesseract. Unfortunately, it's licensed as GPL2 which is problematic for IBM's development. But there may be other libraries which we can explore.

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: Extracting Links from Photo in a phishing email

    Posted Mon September 16, 2019 07:12 AM
    Hi Mark,
    Thanks for your reply, Unfortunately not yet.
    I am thinking about getting the HTML content of the email in one function as a step, then try to parse the links behind the photo through regex.

    ------------------------------
    ahmed abushanab
    ------------------------------



  • 4.  RE: Extracting Links from Photo in a phishing email

    Posted Mon September 16, 2019 07:38 AM
    In that case, you may be interested in the IOC Parser function we posted to the App Exchange.

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 5.  RE: Extracting Links from Photo in a phishing email

    Posted Mon September 16, 2019 06:02 AM
    Hi

    Can you post an example of the photo you are talking about ?

    Thanks

    ------------------------------
    FUser User
    ------------------------------



  • 6.  RE: Extracting Links from Photo in a phishing email

    Posted Mon September 16, 2019 07:42 AM
    Hi mate,

    It could be any Ad email that will take you to web site when you click on photo inside, I am not so sure that I can post a clickable photo, I will try to send email sample that contains some clickable photos, if you think it will help, let me know.

    ------------------------------
    ahmed abushanab
    ------------------------------



  • 7.  RE: Extracting Links from Photo in a phishing email

    Posted Sun October 06, 2019 04:56 AM
    Phish - Email (link embedded in image)

    Phish - Email (link embedded in image)


    ------------------------------
    UAEX Exchange
    ------------------------------



  • 8.  RE: Extracting Links from Photo in a phishing email

    Posted Tue October 15, 2019 05:25 AM
    Edited by Bruce Wayne Tue October 15, 2019 05:27 AM
    import pytesseract
    import cv2
    from PIL import Image

    pytesseract.pytesseract.tesseract_cmd = r'C:\Program Files (x86)\Tesseract-OCR\tesseract.exe'

    img = cv2.imread('C:\\Users\\BW\\Desktop\\PhishEmailWithImageandLink.png')


    def
    process_image(img):
    gray = cv2.cvtColor(img, cv2.COLOR_BGR2GRAY)
    # thresh = cv2.adaptiveThreshold(gray, 255, cv2.ADAPTIVE_THRESH_MEAN_C, cv2.THRESH_BINARY, 49, 52)
    ret, thresh = cv2.threshold(gray, 200, 255, cv2.THRESH_BINARY)

    img_new = Image.fromarray(thresh)
    text = pytesseract.image_to_string(img_new, lang='eng')

    cv2.imshow('result', thresh)
    cv2.waitKey(0)

    print(text)

    This will give you some output. What you need is the url part:

    https://onedrive.live.com/downoad?
    cid=46 b98fe6f0d79519&resid=46b98fe
    60479519!
    1759&authkey=ad8palo26hIn_dm

    As you can see, there is a space between 45 and b9 (second line). Also, the third line is wrong.
    Apart from that, the link should be the same from your screenshot. With some preprocessing (for example isolate the rectangle containing the link - not so difficult) you should do easily the job.

    ------------------------------
    Bruce Wayne
    ------------------------------