A browser-native phishing defence platform built for SOC teams. 49 real-time detection modules in a Chrome MV3 extension covering the full phishing kill chain, from delivery through credential harvest to persistence, paired with a Python email analysis CLI that produces verdicts from raw .eml files.
The extension ships with a canvas-based live threat visualization dashboard, SOC-ready event export (JSON/CSV), event housekeeping, and a unified domain allowlist (~229 builtin domains) to suppress false positives on trusted sites.
```mermaid
graph TB
subgraph "Chrome Extension - 49 Detectors"
SW[Service Worker<br/>Message Router + Triage Engine]
SW --> D1[Foundation<br/>OAuthGuard · DataEgress · ExtensionAuditor · AgentIntentGuard]
SW --> D2[Interaction Layer<br/>AutofillGuard · ClipboardDefender · FullscreenGuard<br/>PasskeyGuard · QRLjackingGuard]
SW --> D3[Social Engineering<br/>WebRTCGuard · ScreenShareGuard · PhishVision<br/>ProxyGuard · SyncGuard · FakeSender]
SW --> D4[Evasion<br/>CTAPGuard · IPFSGuard · LLMScorer<br/>VNCGuard · PWAGuard · TPASentinel]
SW --> D5[Exfil + Persistence<br/>DrainerGuard · StyleAuditor · WsExfilGuard<br/>SwGuard · EtherHidingGuard · NotificationGuard]
SW --> D6[Next-Gen<br/>WebTransportGuard · CanvasPhishGuard<br/>CanvasKeystrokeGuard · CanvasExfilGuard<br/>SpeculationRulesGuard]
SW --> D7[Anti-Fingerprinting + Payment<br/>StealthKit · ProbeGuard · PaymentRequestGuard]
SW --> D8[File System + Threat Intel<br/>FileSystemGuard · ThreatIntelSync]
SW --> D9[SPA + Deepfake Sentinel<br/>SPANavigationMonitor · WebRTCSyntheticTrack]
end
subgraph "Allowlist + SOC Tools"
AL[Unified Allowlist<br/>229 builtin domains · user-editable]
AL --> CSS[CSS Gate<br/>document_start suppression]
AL --> TEL_GATE[Telemetry Gate<br/>skip events for trusted domains]
SW --> EXP[Event Export<br/>JSON · CSV]
SW --> CLR[Housekeeping<br/>Clear All · Clear >7d]
end
subgraph "Lure CLI - Email Analysis Pipeline"
EML[.eml / .msg] --> PA[Stage A: Parser<br/>SPF · DKIM · DMARC · Routing]
PA --> PB[Stage B: Extractor<br/>URLs · IPs · Domains · Hashes]
PB --> PC[Stage C: YARA Scanner<br/>8 custom rules]
PC --> PE[Stage E: Scorer<br/>11 weighted signals]
PE --> V{Verdict}
end
subgraph "Intelligence Layer"
SW --> TRI[Triage Engine<br/>NIST 800-61r3 · MITRE ATT&CK]
SW --> INT[Intelligence Lifecycle<br/>35 PIRs · 31 Correlation Sets]
SW --> TIS[ThreatIntelSync<br/>PhishStats API · phishnet.cc]
SW --> TEL[Telemetry<br/>chrome.storage.local]
TEL --> POP[LURE Dashboard<br/>Canvas Visualization + Events List]
TEL -.->|Production| DCR[Azure Monitor DCR]
end
```
49 detectors, each with additive signal scoring (alert at 0.50, block at 0.70, cap 1.0).
| Detector | Threat | MITRE ATT&CK | Injection |
|---|---|---|---|
| OAuthGuard - Device Code Flow | Storm-2372 | T1528 | background |
| OAuthGuard - State Parameter Abuse | Storm-2372 | T1598.004 | background |
| DataEgressMonitor - Blob Credential | NOBELIUM / TA4557 | T1027.006 | programmatic |
| ExtensionAuditor - DNR Audit | QuickLens | T1195.002 | background |
| ExtensionAuditor - Ownership Drift | Cyberhaven-style | T1195.002 | background |
| ExtensionAuditor - C2 Polling | Multiple | T1071.001 | background |
| AgentIntentGuard - GAN Page + Guardrail Bypass | Agentic | T1056.003 | document_idle |
| AutofillGuard - Hidden Field Harvest | Kuosmanen-class | T1056.003 | document_idle |
| AutofillGuard - Extension Clickjack | Toth-class | T1056.003 | document_idle |
| ClipboardDefender - ClickFix Injection | FIN7 / Lazarus | T1059.001 | document_start |
| FullscreenGuard - BitM Overlay | BitM-class | T1185 | document_idle |
| PasskeyGuard - Credential Interception | Spensky DEF CON 33 | T1556.006 | document_start |
| QRLjackingGuard - Session Hijack | APT29 / TA2723 | T1539 | document_idle |
| WebRTCGuard - Virtual Camera | Scattered Spider | T1566.003 | document_start |
| ScreenShareGuard - TOAD Detection | MuddyWater / Luna Moth | T1113 | document_start |
| PhishVision - Brand Impersonation + Favicon Hash | Multiple | T1566.002 | document_idle |
| ProxyGuard - AiTM Proxy | Evilginx / Modlishka | T1557.003 | document_idle |
| SyncGuard - Browser Sync Hijack | Scattered Spider | T1078.004 | document_idle |
| FakeSender - Helpdesk Impersonation | Multiple | T1566.002 | document_idle |
| CTAPGuard - FIDO Downgrade | Tycoon 2FA | T1556.006 | document_idle |
| IPFSGuard - Gateway Phishing | Commodity | T1583.006 | document_idle |
| LLMScorer - AI-Generated Phishing | TA4557 / Scattered Spider | T1566.002 | document_idle |
| VNCGuard - EvilnoVNC AiTM | Storm-1811 / TA577 | T1557.003 | document_idle |
| PWAGuard - Progressive Web App Phishing | Czech/Hungarian campaigns | T1036.005 | document_idle |
| TPASentinel - Consent Phishing | Storm-0324 / APT29 | T1528 | document_idle |
| DrainerGuard - Crypto Wallet Drainer | Inferno / Angel / Pink | T1656 | document_idle |
| StyleAuditor - CSS Credential Exfil | Advanced kits | T1056.003 | document_idle |
| WsExfilGuard - WebSocket Credential Exfil | EvilProxy / Modlishka 2.0+ | T1056.003 | document_start |
| SwGuard - Service Worker Persistence | Watering-hole campaigns | T1176 | document_start |
| EtherHidingGuard - Blockchain Payload Delivery | ClearFake / ClickFix | T1059.007 | document_start |
| NotificationGuard - Push Notification Phishing | Multiple | T1204.001 | document_start |
| WebTransportGuard - WebTransport AiTM Relay | Advanced PhaaS kits | T1056.003 | document_start |
| CanvasPhishGuard - Canvas Credential Phishing | Advanced kits / Flutter Web | T1056.003 | document_idle |
| CanvasKeystrokeGuard - Canvas Keystroke Capture | Advanced kits / Flutter Web | T1056.003 | document_start (MAIN world) |
| CanvasExfilGuard - Canvas Credential Exfiltration | Advanced kits / Flutter Web | T1041 | document_start |
| SpeculationRulesGuard - Speculation Rules Phishing | XSS → Prerender abuse | T1598.003 | document_start |
| StealthKit - Anti-Fingerprinting Hardening | Detection evasion | - | document_start (MAIN world) |
| ProbeGuard - Security Tool Probing Detection | Tycoon 2FA / EvilProxy / CreepJS | T1518.001 | document_start (MAIN world) |
| PaymentRequestGuard - Payment API Phishing Signal | PII harvesting via browser-native UI | T1056.003 | document_start (MAIN world) |
| FileSystemGuard - File System Access API Abuse | RøB-style ransomware / PhaaS kits | T1552.001 | document_start (MAIN world) |
| ThreatIntelSync - Domain Reputation Check | Confirmed phishing infrastructure | T1566.002 | background (alarm-based) |
| SPANavigationMonitor - SPA Login Path Injection | XSS/Nav API pushState phishing | T1185 | background |
| WebRTCSyntheticTrackSentinel - Deepfake Track Injection | Scattered Spider / state actors | T1566.003 | document_start (MAIN world) |
Every detector uses the same additive scoring framework:
- Each signal contributes a weight (0.10–0.40)
- Signals are summed and capped at 1.0
- Severity: >= 0.90 Critical, >= 0.70 High, >= 0.50 Medium
- Action: >= 0.70 blocked (fields disabled, banner injected), >= 0.50 alerted
Example from WebTransportGuard:
| Signal | Weight | Trigger |
|---|---|---|
| `wt:transport_on_credential_page` | +0.40 | WebTransport connection on a page with credential fields |
| `wt:self_signed_cert_hashes` | +0.30 | `serverCertificateHashes` option used (self-signed certs) |
| `wt:cross_origin_transport_with_creds` | +0.25 | WebTransport target hostname differs from page origin |
| `wt:credential_data_in_stream` | +0.20 | Input field value found in stream/datagram write |
| `wt:transport_without_media_context` | +0.15 | WebTransport without video/streaming UI |
Every detection event is enriched by three engines before persistence:
- Triage Engine (`lib/triage.js`) - NIST SP 800-61r3 classification with MITRE ATT&CK mapping, SANS PICERL priority/SLA assignment, and recommended containment actions per event type.
- Intelligence Lifecycle (`lib/intelligence_lifecycle.js`) - 35 Priority Intelligence Requirements (PIRs), confidence scoring, deduplication, 31 correlation sets for campaign grouping, and tactical intelligence summary generation.
- ThreatIntelSync (`lib/threat_intel_sync.js`) - periodic ingestion from the PhishStats API and the phishnet.cc `feed.txt`. Builds compact domain/IP/exfil-endpoint lookup sets stored in `chrome.storage.local['threatIntel']`, refreshed every 4 hours via `chrome.alarms`. All lookups are supplementary: core detection quality never degrades if feeds are unreachable.
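An added example, not the project's `threat_intel_sync.js`, of the ThreatIntelSync behaviour described above: a feed is reduced to compact domain, IP and exfil-endpoint lookup sets, a failed refresh keeps the previous sets flagged stale instead of clearing them (so a lookup never fails harder than "no match"), and the 4-hour refresh window is checked. The feed text format, the function names and the sample indicators are constructed for this illustration; the real PhishStats and phishnet.cc formats are not reproduced here.

```javascript
// Added example; not the project's threat_intel_sync.js. The feed format
// (one indicator per line, '#' comments) and all names are assumptions.
const REFRESH_INTERVAL_MS = 4 * 60 * 60 * 1000;
const IPV4_RE = /^(\d{1,3}\.){3}\d{1,3}$/;

function emptySets() {
  return { domains: [], ips: [], exfilEndpoints: [], updatedAt: null, stale: true };
}

// URLs become exfil endpoints (host + path), bare IPv4 addresses go to ips,
// anything else is treated as a domain. Arrays rather than Sets so the
// result can be stored as-is in chrome.storage.local.
function parseFeed(text) {
  const domains = new Set(), ips = new Set(), exfil = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    if (/^https?:\/\//i.test(line)) {
      let u;
      try { u = new URL(line); } catch { continue; } // malformed entry: skip it
      exfil.add(u.hostname.toLowerCase() + u.pathname);
    } else if (IPV4_RE.test(line)) {
      ips.add(line);
    } else {
      domains.add(line.toLowerCase().replace(/\.$/, ''));
    }
  }
  return { domains: [...domains], ips: [...ips], exfilEndpoints: [...exfil] };
}

// result is { ok: true, text } or { ok: false, error }. On failure the
// previous sets are kept (marked stale) so detection quality is unchanged.
function applyFeedResult(result, previous, now) {
  if (result.ok) return { ...parseFeed(result.text), updatedAt: now, stale: false };
  return previous ? { ...previous, stale: true } : emptySets();
}

function needsRefresh(sets, now) {
  return sets.updatedAt == null || now - sets.updatedAt >= REFRESH_INTERVAL_MS;
}

// Async wrapper for use from an alarm handler; fetchText returns the feed body.
async function refreshThreatIntel(fetchText, previous) {
  let result;
  try { result = { ok: true, text: await fetchText() }; }
  catch (err) { result = { ok: false, error: String(err) }; }
  return applyFeedResult(result, previous, Date.now());
}

// Supplementary lookup: returns the kind of match or null. Domains match
// exactly or by parent (login.bad.example matches a listed bad.example);
// the walk stops before the bare TLD.
function lookupIndicator(sets, hostname, pathname = '/') {
  const host = hostname.toLowerCase();
  if (sets.ips.includes(host)) return 'ip';
  if (sets.exfilEndpoints.includes(host + pathname)) return 'exfil_endpoint';
  const labels = host.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (sets.domains.includes(labels.slice(i).join('.'))) return 'domain';
  }
  return null;
}

// Constructed sample feed (TEST-NET-3 address, .example hosts).
const SAMPLE_FEED = `# constructed sample feed
evil-login.example
203.0.113.45
https://drop.example/collect.php
`;
```

Listing a URL only as an exfil endpoint, and not also as a domain, is deliberate: a feed entry on shared hosting would otherwise flag every site on that host.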
```
git clone <repo-url>
cd lur3
# Load in Chrome or Brave:
# 1. Navigate to chrome://extensions (or brave://extensions)
# 2. Enable "Developer mode"
# 3. Click "Load unpacked" and select the extension/ directory
```
```
# Extension tests (Vitest) - 1507 tests across 43 suites
cd extension && npm test
# Lure CLI tests (pytest)
cd lure && pip install -e ".[dev,yara]" && pytest -v
```
The popup renders a live canvas visualization of all detection events. Packets travel along bezier thread paths, color-coded by severity:
- Olive (`#8b9e73`) - normal / low / medium traffic
- Bronze (`#b59a6d`) - high severity detections
- Red (`#c25e5e`) - critical detections with glow
Each threat packet carries a label showing the detector name and key detail (e.g. `AiTM Proxy: evilginx.example.com`, `FS API Credential Exfil: .aws, .env`).
- Recent Events List - clickable rows with severity chips; expand any event to see full detail
- Event Export - download all events as JSON (with metadata bundle) or CSV (RFC 4180)
- Housekeeping - Clear All or Clear events older than 7 days
- Allowlist Editor - add/remove custom domains from the user allowlist directly in the popup
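The export and housekeeping tools above, as an added example that is not the project's `event_export.js`: a JSON bundle with a metadata header, RFC 4180 CSV output (CRLF record separators, and quoting of any field that contains a comma, a double quote or a line break, with embedded quotes doubled), and the "older than 7 days" prune. The column set, the event object shape and the sample events are assumptions constructed for this illustration.

```javascript
// Added example; not the project's event_export.js. Column names, the event
// shape and the sample events are constructed for this illustration.
const CSV_COLUMNS = ['timestamp', 'detector', 'severity', 'score', 'url', 'detail'];

const SAMPLE_EVENTS = [
  { timestamp: '2025-01-14T09:30:00Z', detector: 'ProxyGuard', severity: 'high', score: 0.75,
    url: 'https://evilginx.example.com/login', detail: 'AiTM Proxy: evilginx.example.com' },
  { timestamp: '2025-01-10T12:00:00Z', detector: 'FileSystemGuard', severity: 'critical', score: 0.95,
    url: 'https://drop.example/', detail: 'FS API Credential Exfil: .aws, .env' },
  { timestamp: '2025-01-01T08:00:00Z', detector: 'FakeSender', severity: 'medium', score: 0.55,
    url: 'https://helpdesk.example/', detail: 'Title says "IT Support"' },
];

// RFC 4180: quote a field if it contains a comma, a double quote, CR or LF;
// double any embedded quotes. Null/undefined export as an empty field.
function csvField(value) {
  const s = value == null ? '' : String(value);
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Header row, one record per event, CRLF line endings, trailing CRLF.
function eventsToCsv(events, columns = CSV_COLUMNS) {
  const lines = [columns.join(',')];
  for (const ev of events) lines.push(columns.map(c => csvField(ev[c])).join(','));
  return lines.join('\r\n') + '\r\n';
}

// JSON bundle: metadata first so an analyst can see provenance before the events.
function eventsToJsonBundle(events, now) {
  return JSON.stringify({
    metadata: {
      exportedAt: new Date(now).toISOString(),
      eventCount: events.length,
      generator: 'lure-extension (assumed name)',
    },
    events,
  }, null, 2);
}

// Housekeeping: keep events whose timestamp is within the last `days` days.
function pruneOlderThan(events, days, now) {
  const cutoff = now - days * 24 * 60 * 60 * 1000;
  return events.filter(ev => Date.parse(ev.timestamp) >= cutoff);
}
```

Running `eventsToCsv(SAMPLE_EVENTS)` quotes the second event's detail because of the comma in `.aws, .env` and the third because of its embedded quotes; `pruneOlderThan(SAMPLE_EVENTS, 7, Date.parse('2025-01-15T00:00:00Z'))` keeps the first two events and drops the one from 1 January.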
Two-layer false-positive suppression for trusted domains:
- CSS Gate (`allowlist_gate.js`) - runs at `document_start` before all detectors. Injects a single CSS rule `[id^="phishops-"] { display: none !important }` to hide all PhishOps banners on allowlisted domains. Zero existing detectors need modification.
- Telemetry Gate - `emitTriagedTelemetry()` in the service worker extracts the hostname from each event's URL and skips emission for allowlisted domains, keeping storage and badge counts clean.
Builtin list: ~229 domains merged from all detector-specific trusted domain lists, the top-500 most-trafficked websites, and false-positive events observed in field testing. Covers Google, Microsoft, Amazon, major news/social/shopping/education sites, auth providers, and security platforms.
User list: stored in `chrome.storage.local['phishops_user_allowlist']`, editable via the popup. Subdomain matching is automatic: adding corp.com covers app.corp.com.
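The allowlist and both gates, as an added example that is not the project's `allowlist.js` or service worker code. It merges a builtin list with the user list, matches hostnames label by label so that `corp.com` covers `app.corp.com` but not `notcorp.com` or `corp.com.evil.example`, returns the CSS gate rule only for allowlisted hosts, and filters telemetry events by the hostname of their URL. The tiny builtin subset, the event objects and the function names are assumptions made for this illustration.

```javascript
// Added example; not the project's allowlist.js or service worker. The
// builtin subset, event shapes and function names are assumptions.
const BUILTIN_ALLOWLIST = ['google.com', 'microsoft.com', 'amazon.com']; // constructed subset

function normalizeDomain(d) {
  return String(d).trim().toLowerCase().replace(/\.$/, '');
}

// Unified allowlist: builtin entries plus the user-editable list.
function buildAllowlist(builtin, userList) {
  return new Set([...builtin, ...userList].map(normalizeDomain).filter(Boolean));
}

// Label-wise suffix walk: app.corp.com -> corp.com. A string suffix test
// would wrongly match notcorp.com; walking whole labels does not. The walk
// stops before the bare TLD so a listed "com" could never match everything.
function isAllowlisted(allowlist, hostname) {
  const host = normalizeDomain(hostname);
  if (!host) return false;
  if (allowlist.has(host)) return true;
  const labels = host.split('.');
  for (let i = 1; i < labels.length - 1; i++) {
    if (allowlist.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// CSS gate: the single rule from the description above, returned only when
// the page host is trusted (the content script would inject it at document_start).
const CSS_GATE_RULE = '[id^="phishops-"] { display: none !important }';
function cssGateStyle(allowlist, hostname) {
  return isAllowlisted(allowlist, hostname) ? CSS_GATE_RULE : '';
}

function hostnameFromUrl(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Telemetry gate: drop events whose URL hostname is allowlisted. Events with
// no parsable URL are kept so nothing is silently lost.
function gateTelemetry(allowlist, events) {
  return events.filter(ev => {
    const host = hostnameFromUrl(ev.url);
    return host === null || !isAllowlisted(allowlist, host);
  });
}

// Constructed events: one on a user-allowlisted host, one on an AiTM host,
// one with a malformed URL.
const SAMPLE_EVENTS = [
  { detector: 'ProxyGuard', url: 'https://login.corp.com/sso', severity: 'medium' },
  { detector: 'ProxyGuard', url: 'https://evilginx.example.com/login', severity: 'high' },
  { detector: 'WsExfilGuard', url: 'not a url', severity: 'low' },
];
```

With `buildAllowlist(BUILTIN_ALLOWLIST, ['corp.com'])`, `gateTelemetry` keeps the evilginx event and the malformed-URL event and drops the `login.corp.com` one.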
Email analysis pipeline producing categorical verdicts from raw .eml files.
| Stage | Module | What It Does |
|---|---|---|
| A | `parser.py` | Parse RFC 5322 / OLE .msg, validate SPF/DKIM/DMARC, walk the Received chain |
| B | `extractor.py` | Extract URLs, IPs, domains, hashes, emails, crypto wallets |
| C | `scanner.py` | YARA scanning with 8 custom rules |
| E | `scorer.py` | 11 weighted signals producing categorical verdicts |
```
lur3/
├── extension/                  # Chrome MV3 extension
│   ├── manifest.json           # v1.0.0, 49 detectors, alarms permission
│   ├── background/             # Service worker (message routing + triage + allowlist gate)
│   ├── content/                # 41 content scripts (incl. allowlist_gate.js)
│   ├── lib/                    # triage.js · intelligence_lifecycle.js · telemetry.js
│   │                           # stealth_kit.js · threat_intel_sync.js
│   │                           # allowlist.js · event_export.js
│   ├── popup/                  # LURE dashboard (canvas viz + events list + allowlist editor)
│   └── tests/                  # 43 Vitest test files, 1507 tests
│
├── lure/                       # Email analysis CLI
│   ├── lure/modules/           # parser, extractor, scanner, scorer
│   ├── rules/                  # YARA rule files
│   └── tests/                  # pytest tests
│
├── Research/                   # Threat research and detector design docs
├── Plans/                      # Architecture and implementation planning docs
├── CUTTING_EDGE_DETECTORS.md   # Next-gen detection candidates
├── RESEARCH_PROMPTS.md         # Structured research prompts
└── THREAT_INTELLIGENCE.md      # Detector → threat intel source mapping
```
See THREAT_INTELLIGENCE.md for the complete mapping of every detector to its primary threat intelligence source.
See CUTTING_EDGE_DETECTORS.md for research on next-generation detection candidates.
- Azure Monitor DCR integration - requires infrastructure. Telemetry architecture is documented; the local storage stub demonstrates the full pipeline.
- Chrome Web Store publication - sideload is sufficient for review.
- Favicon hash map populated - `FAVICON_HASH_TO_BRAND` in PhishVision ships empty. Infrastructure is complete; hashes are collected operationally using the DevTools script in the source comments.
- urlscan.io reactive enrichment - Tier 2 integration (requires API key). Architecture designed; deferred per design constraints.