Updated check email authenticity script to handle spf formats (demist…

…o#38518)

* handle spf without parentheses format

* update rn

* tests added

* updated docker image

Packs/Phishing/ReleaseNotes/3_6_36.md

@@ -0,0 +1,7 @@
+
+#### Scripts
+
+##### CheckEmailAuthenticity
+
+- Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
+- Updated the script to also handle Received-SPF without parentheses format.

Packs/Phishing/Scripts/CheckEmailAuthenticity/CheckEmailAuthenticity.py

@@ -30,7 +30,12 @@ def get_spf(auth, spf):
     if sender_ip:
         spf_context['Sender-IP'] = sender_ip[0]
     if spf is not None:
-        spf_context['Reason'] = re.findall(r'\((.+)\)', spf)[0]
+        if reason := re.findall(r'\((.+)\)', spf):
+            spf_context['Reason'] = reason[0]
+        else:
+            reason = spf.split(" ", 1)
+            spf_context['Reason'] = reason[1] if len(reason) > 1 else ""
+
     return spf_context
 
 

Packs/Phishing/Scripts/CheckEmailAuthenticity/CheckEmailAuthenticity.yml

@@ -167,7 +167,7 @@ enabled: true
 name: CheckEmailAuthenticity
 outputs:
 - contextPath: Email.SPF.MessageID
-  description: SPF ID
+  description: SPF ID.
   type: String
 - contextPath: Email.SPF.Validation-Result
   description: 'Validation Result. Possible values are "None", "Neutral", "Pass", "Fail", "SoftFail", "TempError", and "PermError". '
@@ -191,16 +191,16 @@ outputs:
   description: DMARC reason. Possible values are "None", "Pass", "Fail", "Temperror", and "Permerror".
   type: String
 - contextPath: Email.DMARC.Tags
-  description: DMARC Tags (if found)
+  description: DMARC Tags (if found).
   type: String
 - contextPath: Email.DMARC.From-Domain
-  description: Sender's Domain
+  description: Sender's Domain.
   type: String
 - contextPath: Email.DKIM.Signing-Domain
-  description: Sender's Domain
+  description: Sender's Domain.
   type: String
 - contextPath: Email.AuthenticityCheck
-  description: 'Possible values are be: Fail / Suspicious / Undetermined / Pass'
+  description: 'Possible values are be: Fail / Suspicious / Undetermined / Pass.'
   type: Unknown
 - contextPath: Email.DKIM
   description: DKIM information extracted from the email.
@@ -222,6 +222,8 @@ tags:
 timeout: '0'
 type: python
 subtype: python3
-dockerimage: demisto/python3:3.11.10.115186
+dockerimage: demisto/python3:3.12.8.1983910
 runas: DBotWeakRole
 fromversion: 5.0.0
+tests:
+- No tests

Packs/Phishing/Scripts/CheckEmailAuthenticity/CheckEmailAuthenticity_test.py

@@ -1,4 +1,4 @@
-from CheckEmailAuthenticity import main, get_authentication_value
+from CheckEmailAuthenticity import main, get_authentication_value, get_spf
 import demistomock as demisto
 
 MOCK_HEADERS = [
@@ -83,3 +83,16 @@ def test_get_authentication_value():
     assert get_authentication_value(MOCK_HEADERS, original_authentication_header_included_in_headers) \
         == 'spf=pass (sender IP is 8.8.8.8) smtp.mailfrom=test.com; dkim=fail (body hash did not verify) ' \
         'header.d=test.com; dmarc=pass action=none header.from=test.com;compauth=pass reason=100'
+
+
+def test_get_spf_formats():
+    spf_with_parentheses = 'Pass (test.com: domain of test.com designates 8.8.8.8 as permitted sender)'
+    spf_without_parentheses = 'Pass test.com: domain of test.com designates 8.8.8.8 as permitted sender'
+
+    spf_data = get_spf(auth=None, spf=spf_with_parentheses)
+    assert spf_data['Validation-Result'] == 'pass'
+    assert spf_data['Sender-IP'] == '8.8.8.8'
+
+    spf_data = get_spf(auth=None, spf=spf_without_parentheses)
+    assert spf_data['Validation-Result'] == 'pass'
+    assert spf_data['Sender-IP'] == '8.8.8.8'

Packs/Phishing/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Phishing",
     "description": "Phishing emails still hooking your end users? This Content Pack can drastically reduce the time your security team spends on phishing alerts.",
     "support": "xsoar",
-    "currentVersion": "3.6.35",
+    "currentVersion": "3.6.36",
     "serverMinVersion": "6.0.0",
     "videos": [
         "https://www.youtube.com/watch?v=SY-3L348PoY"