This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
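function Get-PhishPage
{
    <#
    .SYNOPSIS
        Check for phishing sites targeting microsoftonline via urlScan.io
    .DESCRIPTION
        Searches the urlScan.io search API for scanned pages that loaded either of
        two Microsoft sign-in background images (matched by resource hash), were
        served from AS8075, and do not match the excluded Microsoft domains.
        One object per hit is returned.

        Coverage limits to keep in mind when relying on the output:
        - Only pages served from AS8075 (Microsoft's network) are matched, so
          look-alike pages hosted elsewhere are out of scope for this query.
        - The two hashes are pinned to the ests/2.1.8148.16 background images;
          they need refreshing if those images change.
        - PageDomain and PageURI come from suspected phishing pages. Treat them
          as untrusted data: do not open them automatically and defang them
          before sharing.
    .PARAMETER DaysAgo
        Number of days back to search
    .OUTPUTS
        PSCustomObject with Time, PageDomain, PageURI, IPSource, ASNName, ASN and
        HostPlatform properties.
    .NOTES
        #### Name: Get-PhishPage
        #### Author: J Schell
        #### Version: 0.1.0
        #### License: MIT License
        ### ChangeLog
        ##### 2019-07-19::0.1.0
        - initial creation
        - make result set useful
        - page thru results (urlScan returns 100 at a time)
    #>
    [CmdletBinding()]
    Param
    (
        # Typed and range-checked so the value can only ever reach the query as a date.
        [ValidateRange(0, [int]::MaxValue)]
        [int]
        $DaysAgo = 90
    )
    Begin
    {
        # urlScan returns 100 results per request.
        $pageSize = 100
        # 's' is the culture-invariant sortable format; keep only the yyyy-MM-dd part.
        # NOTE(review): Get-Date is local time; confirm that is acceptable for the date filter.
        $startDate = (Get-Date).AddDays(-$DaysAgo).ToString('s').Split('T')[0]
        $hashLarge = 'hash%3A211a907de2da0ff4a0e90917ac8054e2f35c351180977550c26e51b4909f2beb'    # Hash of large image bg https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8148.16/content/images/backgrounds/0.jpg?x=a5dbd4393ff6a725c7e62b61df7e72f0
        $hashSmall = 'hash%3Af89e908280791803bbf1f33b596ff4a2179b355a8e15ad02ebaa2b1da11127ea'    # Hash of small image bg https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8148.16/content/images/backgrounds/0-small.jpg?x=138bcee624fa04ef9b75e86211a9fe0d
        $pageASN = 'page.asn%3AAS8075'
        # NOTE(review): these are unfielded negative terms; confirm they do not also
        # drop look-alike hosts that merely embed one of these strings in their name.
        $exclude = '%20-yammer.com%20-windows-ppe.net%20-microsoftonline.com%20-live.com'
        $dateStart = "%20date%3A%3E$($startDate)"
        $baseURI = 'https://urlscan.io/api/v1/search/'
        $qPrefix = '?q='
        $qSuffix = '&sort_field=date&sort_order=desc'
        $qParam = "($($hashLarge)%20OR%20$($hashSmall))%20AND%20$($pageASN)$($exclude)$($dateStart)"
        $searchBase = "$($baseURI)$($qPrefix)$($qParam)"
    }
    Process
    {
        $queryResultAll = New-Object -TypeName 'System.Collections.Generic.List[object]'
        $offsetCounter = 0
        $queryTotalCount = 0

        # NOTE(review): offset paging is what this 2019 script was written against;
        # confirm the current urlScan search API still honours it.
        do
        {
            $uri = "$($searchBase)&offset=$($offsetCounter)$($qSuffix)"

            # -UseBasicParsing keeps Windows PowerShell from handing the response to
            # the Internet Explorer engine. -ErrorAction Stop makes a failed or
            # throttled request abort the run instead of quietly returning a
            # truncated result set that looks like "no more hits".
            $response = Invoke-WebRequest -Uri $uri -Method Get -UseBasicParsing -ErrorAction Stop
            $page = $response.Content | ConvertFrom-Json

            if ($offsetCounter -eq 0)
            {
                $queryTotalCount = $page.total
            }

            $pageResults = @($page.results | Where-Object { $null -ne $_ })
            if ($pageResults.Count -eq 0)
            {
                # Stop when a page comes back empty, whatever the reported total says.
                break
            }
            $queryResultAll.AddRange($pageResults)

            Write-Verbose "$($offsetCounter) of $($queryTotalCount)"
            $offsetCounter += $pageSize
        } while ($offsetCounter -lt $queryTotalCount)

        # Project each raw hit onto the fields an analyst triages on.
        $enrichData = @(
            foreach ($queryResult in $queryResultAll)
            {
                [pscustomobject][ordered]@{
                    Time         = $queryResult.task.time
                    PageDomain   = $queryResult.page.domain
                    PageURI      = $queryResult.page.url
                    IPSource     = $queryResult.page.ip
                    ASNName      = $queryResult.page.asnName
                    ASN          = $queryResult.page.asn
                    HostPlatform = $queryResult.page.server
                }
            }
        )
    }
    End
    {
        $enrichData
    }
}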