diff --git a/config/managed_schema.json b/config/managed_schema.json index fa279af..bd4aabc 100644 --- a/config/managed_schema.json +++ b/config/managed_schema.json 
@@ -160,6 +160,76 @@
 "default": ""
 }
 }
+ },
+ "domainSquatting": {
+ "title": "Domain Squatting Detection",
+ "description": "Configuration for domain squatting detection to protect against typosquatting, homoglyphs, and combosquatting attacks. Enable/disable is controlled by the detection rules JSON. Domains are automatically extracted from the URL allowlist.",
+ "type": "object",
+ "properties": {
+ "deviationThreshold": {
+ "title": "Deviation Threshold",
+ "description": "Maximum number of character differences (Levenshtein distance) to trigger detection. Lower values are stricter.",
+ "type": "integer",
+ "minimum": 1,
+ "maximum": 5,
+ "default": 2
+ },
+ "algorithms": {
+ "title": "Detection Algorithms",
+ "description": "Enable or disable specific detection algorithms",
+ "type": "object",
+ "properties": {
+ "levenshtein": {
+ "title": "Levenshtein Distance",
+ "description": "Detect domains with small character differences",
+ "type": "boolean",
+ "default": true
+ },
+ "homoglyph": {
+ "title": "Homoglyph Detection",
+ "description": "Detect confusable characters (e.g., 'a' vs 'а')",
+ "type": "boolean",
+ "default": true
+ },
+ "typosquat": {
+ "title": "Typosquatting Detection",
+ "description": "Detect common typing mistakes and character swaps",
+ "type": "boolean",
+ "default": true
+ },
+ "combosquat": {
+ "title": "Combosquatting Detection",
+ "description": "Detect domains with added prefixes/suffixes",
+ "type": "boolean",
+ "default": true
+ }
+ }
+ },
+ "protectedDomains": {
+ "title": "Additional Protected Domains",
+ "description": "OPTIONAL: Additional domains to protect beyond those automatically extracted from the URL allowlist. 
Normally you should just add domains to the URL allowlist instead.",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "title": "Domain",
+ "description": "Domain name to protect (e.g., 'company.com')"
+ },
+ "default": []
+ },
+ "action": {
+ "title": "Action",
+ "description": "Action to take when domain squatting is detected",
+ "type": "string",
+ "enum": ["block", "warn", "log"],
+ "default": "block"
+ },
+ "logDetections": {
+ "title": "Log Detections",
+ "description": "Log all domain squatting detections to activity log",
+ "type": "boolean",
+ "default": true
+ }
+ }
 }
 }
 }
\ No newline at end of file
diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
index 6023154..38ff855 100644
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -3,6 +3,10 @@ - [About](README.md) - [Firefox Support](firefox-support.md) +## Features + +- [Domain Squatting Detection](features/domain-squatting-detection.md) + ## Deployment - [Chrome/Edge Deployment Instructions](deployment/chrome-edge-deployment-instructions/README.md)
diff --git a/docs/features/domain-squatting-detection.md b/docs/features/domain-squatting-detection.md
new file mode 100644
index 0000000..3530aa4
--- /dev/null
+++ b/docs/features/domain-squatting-detection.md
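Review bot: `protectedDomains.items` accepts any string, so a policy value such as a full URL, a wildcard pattern or a duplicated entry validates and is then fed into the look-alike comparison unchanged; tighten the item schema with `"format": "hostname"` (validators only enforce `format` when told to, so a `"pattern"` may be the safer choice) and put `"uniqueItems": true` on the array. The `action` enum also offers `"log"`, while the feature documentation added in this commit describes only `"block"` and `"warn"` — it documents `detection-rules.json`, so the two may be distinct surfaces, but either what `"log"` does should be documented or the value dropped from the enum. Neither `domainSquatting` nor `algorithms` declares `"additionalProperties": false`, so a misspelled policy key is silently ignored and the default applies; I cannot see whether the rest of the schema closes its objects, so follow the file's convention. The enclosing `properties` object and the schema root begin outside the hunk.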
@@ -0,0 +1,226 @@ +# Domain Squatting Detection + +Domain squatting protection helps keep you safe from fake websites that try to trick you by using look-alike domain names. Attackers create these fake domains to steal your login credentials. + +## What is Domain Squatting? + +Domain squatting (sometimes called "typosquatting") is when attackers register website addresses that are intentionally similar to legitimate sites. For example: + +- `micros0ft.com` (using a zero instead of the letter O) +- `microsоft.com` (using a Cyrillic "о" that looks like an English "o") +- `login-microsoft.com` (adding extra words to a real domain) + +These fake sites often look exactly like the real Microsoft login page, but they're designed to capture your username and password. + +## How Check Protects You + +Check automatically watches for these fake domains using four smart detection methods: + +### 1. **Character Difference Detection** +Spots domains where characters are changed, missing, or swapped around. + +**Examples Check catches:** +- `microsft.com` → missing the letter "o" +- `micorsoft.com` → letters swapped ("or" instead of "ro") +- `microosoft.com` → extra letter added + +### 2. **Look-Alike Character Detection** +Finds domains using special characters that look similar to normal letters. + +**Examples Check catches:** +- `micrоsoft.com` → uses a Cyrillic "о" that looks like an English "o" +- `microsоft.com` → mixes different alphabet characters +- `micro𝐬oft.com` → uses special Unicode characters + +### 3. **Typing Mistake Detection** +Identifies domains based on common typing errors and keyboard slip-ups. + +**Examples Check catches:** +- `micrisoft.com` → finger slipped to nearby key +- `microssoft.com` → double-typed a letter +- `microosft.com` → typo mixing up letters + +### 4. **Suspicious Word Combination Detection** +Spots domains that add words before or after legitimate domains to look more official. 
+ +**Examples Check catches:** +- `secure-microsoft.com` +- `login-microsoft-verify.com` +- `microsoft-auth.com` +- `official-microsoft-support.com` + +Common suspicious words attackers use: `login`, `secure`, `verify`, `official`, `support`, `auth`, `signin`, `portal` + +## What Domains Are Protected? + +Check protects **30+ popular domains** by default, including: + +**Microsoft Services:** +- microsoft.com, microsoftonline.com, office.com, outlook.com, onedrive.com, and more + +**Other Popular Services:** +- google.com, github.com, facebook.com, amazon.com, apple.com, paypal.com, and more + +**Plus: Your URL Allowlist** + +{% hint style="info" %} +**Unified Protection:** Check uses your [URL Allowlist](../settings/detection-rules.md#url-allowlist-regex-or-url-with-wildcards) for double protection. Any domains you add there are automatically protected from squatting attempts too! + +For example, if you add `https://yourcompany.com/*` to your allowlist, Check will also protect against fake domains like `yourcompany.net` or `your-company.com`. +{% endhint %} + +## How It Works in Practice + +When you visit a website, Check automatically: + +1. **Checks** if the domain looks similar to any protected domain +2. **Analyzes** using all four detection methods +3. **Warns** you if it finds a suspicious match +4. **Blocks** the page if it's clearly a phishing attempt + +You don't need to do anything - the protection works automatically in the background! + +## Configuration + +{% hint style="warning" %} +**For most users**: Domain squatting detection works automatically with default settings. You don't need to change anything! 
+{% endhint %} + +### Page Blocking Control + +Check has an **"Enable Page Blocking"** setting in the extension options that controls how suspicious pages are handled: + +- **Page Blocking Enabled** + **Action: "block"** = Page is completely blocked with full-page warning +- **Page Blocking Enabled** + **Action: "warn"** = Warning banner shown, page remains accessible +- **Page Blocking Disabled** = Warning banner shown regardless of action setting (never blocks) + +This gives you control over whether you want aggressive blocking or just warnings for suspicious domains. + +### For Advanced Users and IT Departments + +Domain squatting detection is configured in your detection rules file (not in the Settings UI). This follows the same pattern as other advanced security features like Rogue Apps Detection. + +#### How to Configure + +Edit your `rules/detection-rules.json` file to customize: + +**Enable/Disable Detection:** +```json +{ + "domain_squatting": { + "enabled": true, // Turn detection on/off + "action": "block" // Action when detected: "block" or "warn" + } +} +``` + +**Set Action Type:** +```json +{ + "domain_squatting": { + "action": "block" // "block" = full page block, "warn" = banner only + } +} +``` +Note: Page blocking also requires "Enable Page Blocking" to be turned ON in settings. + +**Adjust Sensitivity** (how strict the checking is): +```json +{ + "domain_squatting": { + "deviation_threshold": 2 + } +} +``` +- Lower numbers (1) = Very strict, catches fewer variations +- Higher numbers (3-5) = More lenient, catches more variations +- Default is 2 (recommended for most organizations) + +**Choose Detection Methods:** +```json +{ + "domain_squatting": { + "algorithms": { + "levenshtein": true, + "homoglyph": true, + "typosquat": true, + "combosquat": true + } + } +} +``` + +You can turn individual detection methods on/off. We recommend keeping all four enabled for maximum protection. 
+ +## For MSPs and Enterprise IT + +### Enterprise Policy Management + +Domain squatting detection can be managed through Group Policy (GPO) or Microsoft Intune, just like other Check settings. + +**What You Can Control via Policy:** +- Detection sensitivity (character difference threshold) +- Which detection methods are active +- Additional protected domains specific to your organization + +**What's in the Rules File:** +- Enable/disable domain squatting detection +- Default protected domains list +- Detection rules and patterns + +This separation gives you flexibility - you control the core security settings through your detection rules file, while still allowing policy-based customization for different clients or departments. + +### Adding Organization-Specific Domains + +{% hint style="info" %} +**Use the URL Allowlist!** + +The easiest way to protect your organization's domains is to add them to the URL Allowlist in Detection Rules settings. This automatically: +1. Prevents false positives on your internal sites +2. Protects those domains from squatting attempts +3. Works without modifying detection rules files +{% endhint %} + +**Example:** Adding `https://contoso.com/*` to your allowlist protects against fake domains like: +- `cont0so.com` (zero instead of o) +- `contos0.com` (zero at the end) +- `login-contoso.com` (suspicious prefix) + +### CIPP Reporting and Webhooks + +Domain squatting detections are automatically reported through your existing Check monitoring: + +- **Activity Logs**: View all domain squatting warnings and blocks +- **CIPP Integration**: Squatting detections appear in your CIPP logbook +- **Webhooks**: Configure webhooks to receive `domain_squatting_detected` events + +See [General Settings](../settings/general.md) for configuring reporting and webhooks. + +## Troubleshooting + +### "Check blocked a legitimate site" + +If Check blocks a site you trust: + +1. **Add it to your URL Allowlist** in Detection Rules settings +2. 
The site will be both allowed and protected from squatting +3. Report the false positive to help improve Check + +### "A phishing site wasn't detected" + +Domain squatting detection works alongside Check's other phishing protections. If a site gets through: + +1. Use "Report False Negative" if you encounter a phishing site +2. Check will update rules to catch it in the future +3. Your report helps protect the entire community + +### "Settings are grayed out" + +If you can't see or change domain squatting settings, your IT department has configured these centrally. This is normal for managed deployments - contact your IT team if you need adjustments. + +## Related Documentation + +- [Detection Rules](../settings/detection-rules.md) - Configure your URL allowlist +- [General Settings](../settings/general.md) - Set up reporting and webhooks +- [Enterprise Deployment](../deployment/) - Deploy Check across your organization +- [Creating Detection Rules](../advanced/creating-detection-rules.md) - Advanced rule customization diff --git a/docs/settings/detection-rules.md b/docs/settings/detection-rules.md index 4f3c466..1babb7b 100644 --- a/docs/settings/detection-rules.md +++ b/docs/settings/detection-rules.md 
@@ -41,6 +41,14 @@ MSPs and IT departments commonly need to exclude phishing training platforms (li Add URLs or patterns that should be excluded from phishing detection. This is useful for internal company sites or trusted third-party services that might trigger false positives. +**Dual Protection:** Your allowlist serves two purposes: +1. **Prevents false positives** - Sites you add won't be flagged as phishing +2. **Domain squatting protection** - Domains extracted from your allowlist are automatically protected against typosquatting and look-alike attacks + +For example, adding `https://yourcompany.com/*` will both allow that site AND protect against fake domains like `yourcompany.net`, `your-company.com`, or `y0urcompany.com`. + +Learn more about [Domain Squatting Detection](../features/domain-squatting-detection.md). + **How it works:** Your allowlist patterns are **added to** (not replacing) the default CyberDrain exclusions, providing additional protection without losing baseline coverage. You can use: diff --git a/logs forced re-scan.txt b/logs forced re-scan.txt new file mode 100644 index 0000000..7bf2813 --- /dev/null +++ b/logs forced re-scan.txt 
@@ -0,0 +1,161 @@ +[M365-Protection] 📊 POPUP REQUEST: Using fallback detection - unknown +content.js:88 [M365-Protection] 🔄 POPUP REQUEST: Re-triggering analysis (forced) +content.js:88 [M365-Protection] 🔄 FORCED RE-SCAN: User manually triggered re-scan from popup +content.js:88 [M365-Protection] 🚀 Starting protection analysis (re-run) for https://sass.fraigutra.ai.in/a6dp3btdlbucn?4cb80078830f9112a-b9830f36eb056ff3b8ac1fcddfe67/ +content.js:88 [M365-Protection] 📄 Page info: 724 elements, 553666 chars content +content.js:88 [M365-Protection] Page blocking disabled in settings - running analysis only (no protective action) +content.js:88 [M365-Protection] 🔄 Forced re-scan initiated (scan count: 3) +content.js:88 [M365-Protection] Starting rule-driven Microsoft 365 protection (scan #3), protection DISABLED +content.js:88 [M365-Protection] Console capture enabled (developer mode active) +content.js:88 [M365-Protection] Checking origin: "https://sass.fraigutra.ai.in" +content.js:88 [M365-Protection] Trusted login patterns: Array(7) +content.js:88 [M365-Protection] Microsoft domain patterns: Array(24) +content.js:88 [M365-Protection] Is trusted login domain: false +content.js:88 [M365-Protection] Is Microsoft domain: false +content.js:88 [M365-Protection] ❌ NON-TRUSTED ORIGIN - Continuing analysis +content.js:88 [M365-Protection] Origin "https://sass.fraigutra.ai.in" not in trusted login patterns +content.js:88 [M365-Protection] Expected to match pattern like: "^https://login\.microsoftonline\.com$" +content.js:88 [M365-Protection] Trusted login patterns loaded: YES +content.js:88 [M365-Protection] Analyzing domain "sass.fraigutra.ai.in" - proceeding with content-based detection +content.js:88 [M365-Protection] ✗ Missing primary element: idPartnerPL +content.js:88 [M365-Protection] ✗ Missing primary element: loginfmt +content.js:88 [M365-Protection] ✗ Missing primary element: aadcdn_msauth +content.js:88 [M365-Protection] ✗ Missing primary element: urlMsaSignUp 
+content.js:88 [M365-Protection] ✗ Missing primary element: i0116_element +content.js:88 [M365-Protection] ✗ Missing primary element: aadcdn_background_image +content.js:88 [M365-Protection] ✗ Missing secondary element: page_title_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: meta_description_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: meta_og_title_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: favicon_microsoft +content.js:88 [M365-Protection] ✓ Found secondary element: ms_form_dimensions (weight: 0.5) +content.js:88 [M365-Protection] ✓ Found secondary element: ms_button_colors (weight: 1.5) +content.js:88 [M365-Protection] ✗ Missing secondary element: segoe_ui_font +content.js:88 [M365-Protection] ✓ Found secondary element: ms_container_layout (weight: 0.5) +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_external_css +content.js:88 [M365-Protection] ✓ Found secondary element: password_input_field (weight: 0.5) +content.js:88 [M365-Protection] ✓ Found secondary element: login_form_element (weight: 0.5) +content.js:88 [M365-Protection] ✓ Found secondary element: ms_login_placeholder_text (weight: 1) +content.js:88 [M365-Protection] 🔍 High-confidence Microsoft elements detected (Weight: 4.5, Elements: 6) - will check phishing indicators +content.js:88 [M365-Protection] ⚠️ Microsoft elements detected but not full login page - checking for phishing indicators +content.js:88 [M365-Protection] 🔍 processPhishingIndicators: detectionRules available: true +content.js:88 [M365-Protection] 🔍 Testing 27 phishing indicators against: +content.js:88 [M365-Protection] - Page source length: 718647 chars +content.js:88 [M365-Protection] - Page text length: 553666 chars +content.js:88 [M365-Protection] - Current URL: https://sass.fraigutra.ai.in/a6dp3btdlbucn?4cb80078830f9112a-b9830f36eb056ff3b8ac1fcddfe67/ +content.js:88 [M365-Protection] - Injected elements excluded: 0 +content.js:88 
[M365-Protection] 📋 All 27 indicators loaded: +content.js:88 [M365-Protection] 1. phi_001: (?:secure-?(?:microsoft|office|365|outlook)) (high) +content.js:88 [M365-Protection] 2. phi_031_suspicious_query_length_combined: [code-driven: unknown] (medium) +content.js:88 [M365-Protection] 3. phi_033_suspicious_event_listeners: [code-driven: pattern_count] (high) +content.js:88 [M365-Protection] 4. phi_004: [code-driven: all_of] (medium) +content.js:88 [M365-Protection] 5. phi_005: data:text/html.*(?:microsoft|office|365|outlook).*... (critical) +content.js:88 [M365-Protection] 6. phi_007: \*customcss.*(?!aadcdn\.msftauthimages\.net) (high) +content.js:88 [M365-Protection] 7. phi_012_suspicious_resources: [code-driven: resource_from_domain] (high) +content.js:88 [M365-Protection] 8. phi_006: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 9. phi_010_aad_fingerprint: [code-driven: all_of] (critical) +content.js:88 [M365-Protection] 10. phi_011_missing_elements: (?:microsoft|office|365).{0,2000}(?:type=["']passw... (high) +content.js:88 [M365-Protection] 11. phi_013_form_action_mismatch: [code-driven: all_of] (critical) +content.js:88 [M365-Protection] 12. phi_014_devtools_blocking: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 13. phi_015_code_obfuscation: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 14. phi_008: content-security-policy-report-only.*(?!.*msauth\.... (critical) +content.js:88 [M365-Protection] 15. phi_019_malicious_obfuscation: (?:(?:var|let|const)\s+\w+\s*=\s*(?:atob|unescape)... (critical) +content.js:88 [M365-Protection] 16. phi_001_enhanced: [code-driven: has_but_not] (critical) +content.js:88 [M365-Protection] 17. phi_002: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 18. phi_003: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 19. phi_020_grammar_typos: [code-driven: substring_count] (medium) +content.js:88 [M365-Protection] 20. 
phi_021_suspicious_url_structure: (?<=://[^/]+)(?:/[a-zA-Z0-9]{20,}(?:/[a-zA-Z0-9]{8... (medium) +content.js:88 [M365-Protection] 21. phi_022_obfuscated_script_names: (?:src=["'][^"']*[a-zA-Z0-9]{12,20}\.js["']|[a-zA-... (medium) +content.js:88 [M365-Protection] 22. phi_017_microsoft_brand_abuse: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 23. phi_023_css_selection_blocking: [code-driven: substring_present] (low) +content.js:88 [M365-Protection] 24. phi_024_randomized_css_classes: class\s*=\s*["'][a-z]+_[a-z]+_\d{3}["'] (medium) +content.js:88 [M365-Protection] 25. phi_025_honeypot_fields: (?:position\s*:\s*absolute\s*!important\s*;[^}]*le... (low) +content.js:88 [M365-Protection] 26. phi_029_fake_dead_links: [code-driven: pattern_count] (medium) +content.js:88 [M365-Protection] 27. phi_030_empty_tag_obfuscation: [code-driven: pattern_count] (medium) +content.js:88 [M365-Protection] ⏱️ PERF: Attempting background processing with Web Worker +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 0/27 - phi_001 +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 3/27 - phi_004 +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 6/27 - phi_012_suspicious_resources +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 9/27 - phi_011_missing_elements +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 12/27 - phi_015_code_obfuscation +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 15/27 - phi_001_enhanced +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 18/27 - phi_020_grammar_typos +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 21/27 - phi_017_microsoft_brand_abuse +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 24/27 - phi_025_honeypot_fields +content.js:88 [M365-Protection] ⏱️ PERF: Background processing completed successfully in 568ms +content.js:88 [M365-Protection] ⏱️ Phishing indicators check (Web Worker): 18 threats found, 
score: 233, processing time: 568ms +content.js:88 [M365-Protection] 🚨 PHISHING INDICATORS FOUND on non-Microsoft page: 18 threats +(anonymous) @ content.js:88 +content.js:88 [M365-Protection] 📋 Detailed threat breakdown: +content.js:88 [M365-Protection] 1. [MEDIUM] phi_031_suspicious_query_length_combined (confidence: 0.7) +content.js:88 [M365-Protection] Suspiciously long query parameter value in URL, Microsoft branding, and password field or form present (possible phishing) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 2. [HIGH] phi_033_suspicious_event_listeners (confidence: 0.9) +content.js:88 [M365-Protection] Form with submit listeners that modify action attribute +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 3. [MEDIUM] phi_004 (confidence: 0.65) +content.js:88 [M365-Protection] Urgency tactics targeting Microsoft users +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 4. [HIGH] phi_012_suspicious_resources (confidence: 0.9) +content.js:88 [M365-Protection] Custom CSS loaded from unauthorized domain +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 5. [HIGH] phi_006 (confidence: 0.8) +content.js:88 [M365-Protection] Microsoft-branded login form not posting to Microsoft domain +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 6. [CRITICAL] phi_010_aad_fingerprint (confidence: 0.98) +content.js:88 [M365-Protection] AAD-like login interface on non-Microsoft domain +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 7. [HIGH] phi_011_missing_elements (confidence: 0.85) +content.js:88 [M365-Protection] Microsoft branding without required authentication elements +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 8. 
[CRITICAL] phi_013_form_action_mismatch (confidence: 0.95) +content.js:88 [M365-Protection] Microsoft-branded password form with non-Microsoft action +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 9. [HIGH] phi_014_devtools_blocking (confidence: 0.9) +content.js:88 [M365-Protection] Page attempts to block or detect developer tools usage +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 10. [HIGH] phi_015_code_obfuscation (confidence: 0.85) +content.js:88 [M365-Protection] Page contains suspicious JavaScript obfuscation patterns commonly used in malware +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 11. [CRITICAL] phi_001_enhanced (confidence: 0.95) +content.js:88 [M365-Protection] Enhanced detection of domains mimicking Microsoft services with security/login keywords (excludes legitimate SSO) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 12. [HIGH] phi_002 (confidence: 0.85) +content.js:88 [M365-Protection] Impersonation of Microsoft security team (excludes legitimate SSO and third-party auth) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 13. [HIGH] phi_003 (confidence: 0.85) +content.js:88 [M365-Protection] Common Microsoft 365 phishing keywords and variations +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 14. [MEDIUM] phi_020_grammar_typos (confidence: 0.7) +content.js:88 [M365-Protection] Multiple grammar/spelling errors indicative of phishing +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 15. [HIGH] phi_017_microsoft_brand_abuse (confidence: 0.95) +content.js:88 [M365-Protection] Microsoft branding combined with authentication terms on non-Microsoft domain +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 16. 
[LOW] phi_023_css_selection_blocking (confidence: 0.85) +content.js:88 [M365-Protection] CSS prevents text selection - anti-analysis technique (supporting evidence - should not block alone) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 17. [MEDIUM] phi_029_fake_dead_links (confidence: 0.95) +content.js:88 [M365-Protection] Obfuscated links with empty tags - phishing technique (supporting evidence - should not block alone) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 18. [MEDIUM] phi_030_empty_tag_obfuscation (confidence: 0.9) +content.js:88 [M365-Protection] Multiple empty tags used to obfuscate text (supporting evidence - should not block alone) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] ⚠️ PROTECTION DISABLED: Would block critical threats but showing warning banner instead +(anonymous) @ content.js:88 +content.js:88 [M365-Protection] Registered injected element: DIV#ms365-warning-banner +content.js:88 [M365-Protection] Registered injected element: DIV#no-id +content.js:88 [M365-Protection] Registered injected element: DIV#check-banner-left +content.js:88 [M365-Protection] Registered injected element: DIV#no-id +content.js:88 [M365-Protection] Registered injected element: SPAN#no-id +content.js:88 [M365-Protection] Registered injected element: STRONG#no-id +content.js:88 [M365-Protection] Registered injected element: SMALL#no-id +content.js:88 [M365-Protection] Registered injected element: BUTTON#no-id +content.js:88 [M365-Protection] Warning banner displayed and all elements registered for exclusion +content.js:88 [M365-Protection] Registered injected element: DIV#check-banner-branding +content.js:88 [M365-Protection] Registered injected element: IMG#no-id +content.js:88 [M365-Protection] Registered injected element: DIV#no-id +content.js:88 [M365-Protection] Registered injected element: SPAN#no-id +content.js:88 
[M365-Protection] CIPP reporting disabled or no server URL configured +content.js:88 [M365-Protection] 📊 POPUP REQUEST: Returning stored detection results - blocked +content.js:88 [M365-Protection] DOM monitoring stopped +content.js:88 [M365-Protection] 🛑 DOM monitoring timeout reached - stopping \ No newline at end of file diff --git a/losg natural scan.txt b/losg natural scan.txt new file mode 100644 index 0000000..eb6abfa --- /dev/null +++ b/losg natural scan.txt 
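Review bot: `logs forced re-scan.txt` is a raw developer-console dump committed at the repository root, and nothing in the schema or documentation changes of this commit refers to it, so it looks like an accidental add; the sibling `losg natural scan.txt`, whose hunk continues past this view, has the same shape and a typo in its name. The dump carries the full URL of a page the extension classified as a credential-phishing site, the per-indicator verdicts and the leading characters of the detection regexes, which is sample data that belongs in an issue or a fixture directory rather than untracked at the root. Drop both files from the commit and, if no text files legitimately live at the root, add a `.gitignore` line such as `/*.txt` so future console captures are not swept up by `git add -A`.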
@@ -0,0 +1,292 @@ +content.js:88 [M365-Protection] Console capture enabled (developer mode active) +content.js:88 [M365-Protection] Loaded detection rules from background script cache +content.js:88 [M365-Protection] Set up 7 trusted login patterns from cache +content.js:88 [M365-Protection] Set up 24 Microsoft domain patterns from cache +content.js:88 [M365-Protection] Checking origin: "https://sass.fraigutra.ai.in" +content.js:88 [M365-Protection] Trusted login patterns: Array(7) +content.js:88 [M365-Protection] Microsoft domain patterns: Array(24) +content.js:88 [M365-Protection] Is trusted login domain: false +content.js:88 [M365-Protection] Is Microsoft domain: false +content.js:88 [M365-Protection] ❌ NON-TRUSTED ORIGIN - Continuing analysis +content.js:88 [M365-Protection] Origin "https://sass.fraigutra.ai.in" not in trusted login patterns +content.js:88 [M365-Protection] Expected to match pattern like: "^https://login\.microsoftonline\.com$" +content.js:88 [M365-Protection] Trusted login patterns loaded: YES +content.js:88 [M365-Protection] Analyzing domain "sass.fraigutra.ai.in" - proceeding with content-based detection +content.js:88 [M365-Protection] ✗ Missing primary element: idPartnerPL +content.js:88 [M365-Protection] ✗ Missing primary element: loginfmt +content.js:88 [M365-Protection] ✗ Missing primary element: aadcdn_msauth +content.js:88 [M365-Protection] ✗ Missing primary element: urlMsaSignUp +content.js:88 [M365-Protection] ✗ Missing primary element: i0116_element +content.js:88 [M365-Protection] ✗ Missing primary element: aadcdn_background_image +content.js:88 [M365-Protection] ✗ Missing secondary element: page_title_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: meta_description_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: meta_og_title_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: favicon_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: 
ms_form_dimensions +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_button_colors +content.js:88 [M365-Protection] ✗ Missing secondary element: segoe_ui_font +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_container_layout +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_external_css +content.js:88 [M365-Protection] ✗ Missing secondary element: password_input_field +content.js:88 [M365-Protection] ✗ Missing secondary element: login_form_element +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_login_placeholder_text +content.js:88 [M365-Protection] 📄 Insufficient Microsoft indicators (Weight: 0, Elements: 0, Primary: 0) - skipping phishing indicators for performance +content.js:88 [M365-Protection] ✅ Page analysis result: Site appears legitimate (not Microsoft-related, no phishing indicators checked) +content.js:88 [M365-Protection] � Setting up DOM monitoring - phishing pages may inject Microsoft content dynamically +content.js:88 [M365-Protection] Setting up DOM monitoring for delayed content +content.js:88 [M365-Protection] Current page has 12 elements +content.js:88 [M365-Protection] Page title: "" +content.js:88 [M365-Protection] Body content length: 1187 chars +content.js:88 [M365-Protection] 🔍 Dynamic script monitoring enabled +VM13:66 A parser-blocking, cross site (i.e. different eTLD+1) script, https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details. +eval @ VM13:66 +VM13:66 A parser-blocking, cross site (i.e. different eTLD+1) script, https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js, is invoked via document.write. 
The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details. +eval @ VM13:66 +VM9:1 A parser-blocking, cross site (i.e. different eTLD+1) script, https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details. +(anonymous) @ VM9:1 +content.js:88 [M365-Protection] DOM mutation: Adding script element +content.js:88 [M365-Protection] DOM change detected: script element added - triggering re-scan +content.js:88 [M365-Protection] 🔄 Significant DOM changes detected - scheduling protection analysis (debounced) +content.js:88 [M365-Protection] Page now has 27 elements +a6dp3btdlbucn?4cb80078830f9112a-b9830f36eb056ff3b8ac1fcddfe67/:1 Tracking Prevention blocked access to storage for https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js. +a6dp3btdlbucn?4cb80078830f9112a-b9830f36eb056ff3b8ac1fcddfe67/:1 Tracking Prevention blocked access to storage for https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js. +a6dp3btdlbucn?4cb80078830f9112a-b9830f36eb056ff3b8ac1fcddfe67/:1 Tracking Prevention blocked access to storage for https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js. +a6dp3btdlbucn?4cb80078830f9112a-b9830f36eb056ff3b8ac1fcddfe67/:1 Tracking Prevention blocked access to storage for https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js. 
+content.js:88 [M365-Protection] 🚀 Starting protection analysis (re-run) for https://sass.fraigutra.ai.in/a6dp3btdlbucn?4cb80078830f9112a-b9830f36eb056ff3b8ac1fcddfe67/ +content.js:88 [M365-Protection] 📄 Page info: 27 elements, 461315 chars content +content.js:88 [M365-Protection] Page blocking disabled in settings - running analysis only (no protective action) +content.js:88 [M365-Protection] Page source changed: 2277:2867677973 -> 467427:2361889222 +content.js:88 [M365-Protection] Starting rule-driven Microsoft 365 protection (scan #2), protection DISABLED +content.js:88 [M365-Protection] Console capture enabled (developer mode active) +content.js:88 [M365-Protection] Checking origin: "https://sass.fraigutra.ai.in" +content.js:88 [M365-Protection] Trusted login patterns: Array(7) +content.js:88 [M365-Protection] Microsoft domain patterns: Array(24) +content.js:88 [M365-Protection] Is trusted login domain: false +content.js:88 [M365-Protection] Is Microsoft domain: false +content.js:88 [M365-Protection] ❌ NON-TRUSTED ORIGIN - Continuing analysis +content.js:88 [M365-Protection] Origin "https://sass.fraigutra.ai.in" not in trusted login patterns +content.js:88 [M365-Protection] Expected to match pattern like: "^https://login\.microsoftonline\.com$" +content.js:88 [M365-Protection] Trusted login patterns loaded: YES +content.js:88 [M365-Protection] Analyzing domain "sass.fraigutra.ai.in" - proceeding with content-based detection +content.js:88 [M365-Protection] ✗ Missing primary element: idPartnerPL +content.js:88 [M365-Protection] ✗ Missing primary element: loginfmt +content.js:88 [M365-Protection] ✗ Missing primary element: aadcdn_msauth +content.js:88 [M365-Protection] ✗ Missing primary element: urlMsaSignUp +content.js:88 [M365-Protection] ✗ Missing primary element: i0116_element +content.js:88 [M365-Protection] ✗ Missing primary element: aadcdn_background_image +content.js:88 [M365-Protection] ✗ Missing secondary element: page_title_microsoft +content.js:88 
[M365-Protection] ✗ Missing secondary element: meta_description_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: meta_og_title_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: favicon_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_form_dimensions +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_button_colors +content.js:88 [M365-Protection] ✗ Missing secondary element: segoe_ui_font +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_container_layout +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_external_css +content.js:88 [M365-Protection] ✗ Missing secondary element: password_input_field +content.js:88 [M365-Protection] ✗ Missing secondary element: login_form_element +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_login_placeholder_text +content.js:88 [M365-Protection] 📄 Insufficient Microsoft indicators (Weight: 0, Elements: 0, Primary: 0) - skipping phishing indicators for performance +content.js:88 [M365-Protection] ✅ Page analysis result: Site appears legitimate (not Microsoft-related, no phishing indicators checked) +content.js:88 [M365-Protection] � Setting up DOM monitoring - phishing pages may inject Microsoft content dynamically +content.js:88 [M365-Protection] ⏰ Fallback timer detected significant content - re-running analysis (check 2/5) +content.js:88 [M365-Protection] 🚀 Starting protection analysis (re-run) for https://sass.fraigutra.ai.in/a6dp3btdlbucn?4cb80078830f9112a-b9830f36eb056ff3b8ac1fcddfe67/ +content.js:88 [M365-Protection] 📄 Page info: 557 elements, 532580 chars content +content.js:88 [M365-Protection] Page blocking disabled in settings - running analysis only (no protective action) +content.js:88 [M365-Protection] Page source changed: 467427:2361889222 -> 601514:2584326084 +content.js:88 [M365-Protection] Starting rule-driven Microsoft 365 protection (scan #3), protection DISABLED +content.js:88 
[M365-Protection] Console capture enabled (developer mode active) +content.js:88 [M365-Protection] Checking origin: "https://sass.fraigutra.ai.in" +content.js:88 [M365-Protection] Trusted login patterns: Array(7) +content.js:88 [M365-Protection] Microsoft domain patterns: Array(24) +content.js:88 [M365-Protection] Is trusted login domain: false +content.js:88 [M365-Protection] Is Microsoft domain: false +content.js:88 [M365-Protection] ❌ NON-TRUSTED ORIGIN - Continuing analysis +content.js:88 [M365-Protection] Origin "https://sass.fraigutra.ai.in" not in trusted login patterns +content.js:88 [M365-Protection] Expected to match pattern like: "^https://login\.microsoftonline\.com$" +content.js:88 [M365-Protection] Trusted login patterns loaded: YES +content.js:88 [M365-Protection] Analyzing domain "sass.fraigutra.ai.in" - proceeding with content-based detection +content.js:88 [M365-Protection] ✗ Missing primary element: idPartnerPL +content.js:88 [M365-Protection] ✗ Missing primary element: loginfmt +content.js:88 [M365-Protection] ✗ Missing primary element: aadcdn_msauth +content.js:88 [M365-Protection] ✗ Missing primary element: urlMsaSignUp +content.js:88 [M365-Protection] ✗ Missing primary element: i0116_element +content.js:88 [M365-Protection] ✗ Missing primary element: aadcdn_background_image +content.js:88 [M365-Protection] ✗ Missing secondary element: page_title_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: meta_description_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: meta_og_title_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: favicon_microsoft +content.js:88 [M365-Protection] ✓ Found secondary element: ms_form_dimensions (weight: 0.5) +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_button_colors +content.js:88 [M365-Protection] ✗ Missing secondary element: segoe_ui_font +content.js:88 [M365-Protection] ✓ Found secondary element: ms_container_layout (weight: 0.5) 
+content.js:88 [M365-Protection] ✗ Missing secondary element: ms_external_css +content.js:88 [M365-Protection] ✗ Missing secondary element: password_input_field +content.js:88 [M365-Protection] ✗ Missing secondary element: login_form_element +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_login_placeholder_text +content.js:88 [M365-Protection] 📄 Insufficient Microsoft indicators (Weight: 1, Elements: 2, Primary: 0) - skipping phishing indicators for performance +content.js:88 [M365-Protection] ✅ Page analysis result: Site appears legitimate (not Microsoft-related, no phishing indicators checked) +content.js:88 [M365-Protection] � Setting up DOM monitoring - phishing pages may inject Microsoft content dynamically +/id9aLSPMH2qQzoEiID9D4FsZHOFwugwsnfktiqAw01U9fFEtALghuEpe:1 Failed to load resource: the server responded with a status of 404 () +content.js:88 [M365-Protection] ⏰ Fallback timer detected significant content - re-running analysis (check 3/5) +content.js:88 [M365-Protection] 🚀 Starting protection analysis (re-run) for https://sass.fraigutra.ai.in/a6dp3btdlbucn?4cb80078830f9112a-b9830f36eb056ff3b8ac1fcddfe67/ +content.js:88 [M365-Protection] 📄 Page info: 722 elements, 553567 chars content +content.js:88 [M365-Protection] Page blocking disabled in settings - running analysis only (no protective action) +content.js:88 [M365-Protection] Page source changed: 601514:2584326084 -> 718294:2325107531 +content.js:88 [M365-Protection] Starting rule-driven Microsoft 365 protection (scan #4), protection DISABLED +content.js:88 [M365-Protection] Console capture enabled (developer mode active) +content.js:88 [M365-Protection] Checking origin: "https://sass.fraigutra.ai.in" +content.js:88 [M365-Protection] Trusted login patterns: Array(7) +content.js:88 [M365-Protection] Microsoft domain patterns: Array(24) +content.js:88 [M365-Protection] Is trusted login domain: false +content.js:88 [M365-Protection] Is Microsoft domain: false +content.js:88 
[M365-Protection] ❌ NON-TRUSTED ORIGIN - Continuing analysis +content.js:88 [M365-Protection] Origin "https://sass.fraigutra.ai.in" not in trusted login patterns +content.js:88 [M365-Protection] Expected to match pattern like: "^https://login\.microsoftonline\.com$" +content.js:88 [M365-Protection] Trusted login patterns loaded: YES +content.js:88 [M365-Protection] Analyzing domain "sass.fraigutra.ai.in" - proceeding with content-based detection +content.js:88 [M365-Protection] ✗ Missing primary element: idPartnerPL +content.js:88 [M365-Protection] ✗ Missing primary element: loginfmt +content.js:88 [M365-Protection] ✗ Missing primary element: aadcdn_msauth +content.js:88 [M365-Protection] ✗ Missing primary element: urlMsaSignUp +content.js:88 [M365-Protection] ✗ Missing primary element: i0116_element +content.js:88 [M365-Protection] ✗ Missing primary element: aadcdn_background_image +content.js:88 [M365-Protection] ✗ Missing secondary element: page_title_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: meta_description_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: meta_og_title_microsoft +content.js:88 [M365-Protection] ✗ Missing secondary element: favicon_microsoft +content.js:88 [M365-Protection] ✓ Found secondary element: ms_form_dimensions (weight: 0.5) +content.js:88 [M365-Protection] ✓ Found secondary element: ms_button_colors (weight: 1.5) +content.js:88 [M365-Protection] ✗ Missing secondary element: segoe_ui_font +content.js:88 [M365-Protection] ✓ Found secondary element: ms_container_layout (weight: 0.5) +content.js:88 [M365-Protection] ✗ Missing secondary element: ms_external_css +content.js:88 [M365-Protection] ✓ Found secondary element: password_input_field (weight: 0.5) +content.js:88 [M365-Protection] ✓ Found secondary element: login_form_element (weight: 0.5) +content.js:88 [M365-Protection] ✓ Found secondary element: ms_login_placeholder_text (weight: 1) +content.js:88 [M365-Protection] 🔍 
High-confidence Microsoft elements detected (Weight: 4.5, Elements: 6) - will check phishing indicators +content.js:88 [M365-Protection] ⚠️ Microsoft elements detected but not full login page - checking for phishing indicators +content.js:88 [M365-Protection] 🔍 processPhishingIndicators: detectionRules available: true +content.js:88 [M365-Protection] 🔍 Testing 27 phishing indicators against: +content.js:88 [M365-Protection] - Page source length: 718294 chars +content.js:88 [M365-Protection] - Page text length: 553567 chars +content.js:88 [M365-Protection] - Current URL: https://sass.fraigutra.ai.in/a6dp3btdlbucn?4cb80078830f9112a-b9830f36eb056ff3b8ac1fcddfe67/ +content.js:88 [M365-Protection] - Injected elements excluded: 0 +content.js:88 [M365-Protection] 📋 All 27 indicators loaded: +content.js:88 [M365-Protection] 1. phi_001: (?:secure-?(?:microsoft|office|365|outlook)) (high) +content.js:88 [M365-Protection] 2. phi_031_suspicious_query_length_combined: [code-driven: unknown] (medium) +content.js:88 [M365-Protection] 3. phi_033_suspicious_event_listeners: [code-driven: pattern_count] (high) +content.js:88 [M365-Protection] 4. phi_004: [code-driven: all_of] (medium) +content.js:88 [M365-Protection] 5. phi_005: data:text/html.*(?:microsoft|office|365|outlook).*... (critical) +content.js:88 [M365-Protection] 6. phi_007: \*customcss.*(?!aadcdn\.msftauthimages\.net) (high) +content.js:88 [M365-Protection] 7. phi_012_suspicious_resources: [code-driven: resource_from_domain] (high) +content.js:88 [M365-Protection] 8. phi_006: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 9. phi_010_aad_fingerprint: [code-driven: all_of] (critical) +content.js:88 [M365-Protection] 10. phi_011_missing_elements: (?:microsoft|office|365).{0,2000}(?:type=["']passw... (high) +content.js:88 [M365-Protection] 11. phi_013_form_action_mismatch: [code-driven: all_of] (critical) +content.js:88 [M365-Protection] 12. 
phi_014_devtools_blocking: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 13. phi_015_code_obfuscation: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 14. phi_008: content-security-policy-report-only.*(?!.*msauth\.... (critical) +content.js:88 [M365-Protection] 15. phi_019_malicious_obfuscation: (?:(?:var|let|const)\s+\w+\s*=\s*(?:atob|unescape)... (critical) +content.js:88 [M365-Protection] 16. phi_001_enhanced: [code-driven: has_but_not] (critical) +content.js:88 [M365-Protection] 17. phi_002: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 18. phi_003: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 19. phi_020_grammar_typos: [code-driven: substring_count] (medium) +content.js:88 [M365-Protection] 20. phi_021_suspicious_url_structure: (?<=://[^/]+)(?:/[a-zA-Z0-9]{20,}(?:/[a-zA-Z0-9]{8... (medium) +content.js:88 [M365-Protection] 21. phi_022_obfuscated_script_names: (?:src=["'][^"']*[a-zA-Z0-9]{12,20}\.js["']|[a-zA-... (medium) +content.js:88 [M365-Protection] 22. phi_017_microsoft_brand_abuse: [code-driven: all_of] (high) +content.js:88 [M365-Protection] 23. phi_023_css_selection_blocking: [code-driven: substring_present] (low) +content.js:88 [M365-Protection] 24. phi_024_randomized_css_classes: class\s*=\s*["'][a-z]+_[a-z]+_\d{3}["'] (medium) +content.js:88 [M365-Protection] 25. phi_025_honeypot_fields: (?:position\s*:\s*absolute\s*!important\s*;[^}]*le... (low) +content.js:88 [M365-Protection] 26. phi_029_fake_dead_links: [code-driven: pattern_count] (medium) +content.js:88 [M365-Protection] 27. 
phi_030_empty_tag_obfuscation: [code-driven: pattern_count] (medium) +content.js:88 [M365-Protection] ⏱️ PERF: Attempting background processing with Web Worker +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 0/27 - phi_001 +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 3/27 - phi_004 +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 6/27 - phi_012_suspicious_resources +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 9/27 - phi_011_missing_elements +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 12/27 - phi_015_code_obfuscation +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 15/27 - phi_001_enhanced +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 18/27 - phi_020_grammar_typos +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 21/27 - phi_017_microsoft_brand_abuse +content.js:88 [M365-Protection] ⏱️ PERF: Background processing 24/27 - phi_025_honeypot_fields +content.js:88 [M365-Protection] ⏱️ PERF: Background processing completed successfully in 735ms +content.js:88 [M365-Protection] ⏱️ Phishing indicators check (Web Worker): 18 threats found, score: 233, processing time: 735ms +content.js:88 [M365-Protection] 🚨 PHISHING INDICATORS FOUND on non-Microsoft page: 18 threats +(anonymous) @ content.js:88 +content.js:88 [M365-Protection] 📋 Detailed threat breakdown: +content.js:88 [M365-Protection] 1. [MEDIUM] phi_031_suspicious_query_length_combined (confidence: 0.7) +content.js:88 [M365-Protection] Suspiciously long query parameter value in URL, Microsoft branding, and password field or form present (possible phishing) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 2. [HIGH] phi_033_suspicious_event_listeners (confidence: 0.9) +content.js:88 [M365-Protection] Form with submit listeners that modify action attribute +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 3. 
[MEDIUM] phi_004 (confidence: 0.65) +content.js:88 [M365-Protection] Urgency tactics targeting Microsoft users +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 4. [HIGH] phi_012_suspicious_resources (confidence: 0.9) +content.js:88 [M365-Protection] Custom CSS loaded from unauthorized domain +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 5. [HIGH] phi_006 (confidence: 0.8) +content.js:88 [M365-Protection] Microsoft-branded login form not posting to Microsoft domain +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 6. [CRITICAL] phi_010_aad_fingerprint (confidence: 0.98) +content.js:88 [M365-Protection] AAD-like login interface on non-Microsoft domain +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 7. [HIGH] phi_011_missing_elements (confidence: 0.85) +content.js:88 [M365-Protection] Microsoft branding without required authentication elements +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 8. [CRITICAL] phi_013_form_action_mismatch (confidence: 0.95) +content.js:88 [M365-Protection] Microsoft-branded password form with non-Microsoft action +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 9. [HIGH] phi_014_devtools_blocking (confidence: 0.9) +content.js:88 [M365-Protection] Page attempts to block or detect developer tools usage +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 10. [HIGH] phi_015_code_obfuscation (confidence: 0.85) +content.js:88 [M365-Protection] Page contains suspicious JavaScript obfuscation patterns commonly used in malware +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 11. 
[CRITICAL] phi_001_enhanced (confidence: 0.95) +content.js:88 [M365-Protection] Enhanced detection of domains mimicking Microsoft services with security/login keywords (excludes legitimate SSO) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 12. [HIGH] phi_002 (confidence: 0.85) +content.js:88 [M365-Protection] Impersonation of Microsoft security team (excludes legitimate SSO and third-party auth) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 13. [HIGH] phi_003 (confidence: 0.85) +content.js:88 [M365-Protection] Common Microsoft 365 phishing keywords and variations +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 14. [MEDIUM] phi_020_grammar_typos (confidence: 0.7) +content.js:88 [M365-Protection] Multiple grammar/spelling errors indicative of phishing +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 15. [HIGH] phi_017_microsoft_brand_abuse (confidence: 0.95) +content.js:88 [M365-Protection] Microsoft branding combined with authentication terms on non-Microsoft domain +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 16. [LOW] phi_023_css_selection_blocking (confidence: 0.85) +content.js:88 [M365-Protection] CSS prevents text selection - anti-analysis technique (supporting evidence - should not block alone) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 17. [MEDIUM] phi_029_fake_dead_links (confidence: 0.95) +content.js:88 [M365-Protection] Obfuscated links with empty tags - phishing technique (supporting evidence - should not block alone) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] 18. 
[MEDIUM] phi_030_empty_tag_obfuscation (confidence: 0.9) +content.js:88 [M365-Protection] Multiple empty tags used to obfuscate text (supporting evidence - should not block alone) +content.js:88 [M365-Protection] Matched in: page source +content.js:88 [M365-Protection] ⚠️ PROTECTION DISABLED: Would block critical threats but showing warning banner instead +(anonymous) @ content.js:88 +content.js:88 [M365-Protection] Registered injected element: DIV#ms365-warning-banner +content.js:88 [M365-Protection] Registered injected element: DIV#no-id +content.js:88 [M365-Protection] Registered injected element: DIV#check-banner-left +content.js:88 [M365-Protection] Registered injected element: DIV#no-id +content.js:88 [M365-Protection] Registered injected element: SPAN#no-id +content.js:88 [M365-Protection] Registered injected element: STRONG#no-id +content.js:88 [M365-Protection] Registered injected element: SMALL#no-id +content.js:88 [M365-Protection] Registered injected element: BUTTON#no-id +content.js:88 [M365-Protection] Warning banner displayed and all elements registered for exclusion +content.js:88 [M365-Protection] Registered injected element: DIV#check-banner-branding +content.js:88 [M365-Protection] Registered injected element: IMG#no-id +content.js:88 [M365-Protection] Registered injected element: DIV#no-id +content.js:88 [M365-Protection] Registered injected element: SPAN#no-id +content.js:88 [M365-Protection] CIPP reporting disabled or no server URL configured +content.js:88 [M365-Protection] 🔍 Fallback timer scanning cleaned page source while banner is displayed +content.js:88 [M365-Protection] 🛑 runProtection() called but banner already displayed - ignoring re-scan +content.js:88 [M365-Protection] 📊 POPUP REQUEST: Returning stored detection results - blocked +content.js:88 [M365-Protection] 🔍 POPUP REQUEST: Getting detection details +content.js:88 [M365-Protection] DOM monitoring stopped +content.js:88 [M365-Protection] 🛑 DOM monitoring timeout reached - 
stopping
\ No newline at end of file
diff --git a/options/options.css b/options/options.css
index 5e4ab92..a81a7aa 100644
--- a/options/options.css
+++ b/options/options.css
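Review bot: The new file `losg natural scan.txt` (a typo for "logs", spaces in the name, placed at the repository root) reads as an accidental commit of a developer-console capture rather than intentional test data, and the hunk shows it holds a full scan trace of a live phishing page taken with protection disabled, including the page URL and page-source hashes. If it is meant as a regression fixture, move it under a fixtures directory with a descriptive name and a one-line header stating what the trace demonstrates (e.g. "rule phi_010 firing after dynamic DOM injection"); otherwise drop it from the commit and add the capture pattern to `.gitignore` so future traces are not committed by mistake.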
@@ -722,6 +722,96 @@ body {
 letter-spacing: 0.3px;
 }
 
+/* Collapsible config sections */
+.config-section-collapsible {
+ margin-bottom: 12px;
+ border: 1px solid var(--border-color);
+ border-radius: var(--radius);
+ overflow: hidden;
+ background: var(--surface-color);
+}
+
+.config-section-header {
+ display: flex;
+ align-items: center;
+ justify-content: space-between;
+ padding: 12px 16px;
+ cursor: pointer;
+ user-select: none;
+ background: var(--surface-color);
+ transition: background-color 0.2s ease;
+}
+
+.config-section-header:hover {
+ background: var(--background-color);
+}
+
+.config-section-header-title {
+ font-weight: 600;
+ color: var(--primary-color);
+ font-size: 13px;
+ text-transform: uppercase;
+ letter-spacing: 0.5px;
+ display: flex;
+ align-items: center;
+ gap: 8px;
+}
+
+.config-section-toggle {
+ color: var(--text-muted);
+ font-size: 20px;
+ transition: transform 0.2s ease;
+ line-height: 1;
+ transform: rotate(180deg);
+}
+
+.config-section-collapsible.expanded .config-section-toggle {
+ transform: rotate(90deg);
+}
+
+.config-section-content {
+ max-height: 0;
+ overflow: hidden;
+ transition: max-height 0.6s ease-out;
+}
+
+.config-section-collapsible.expanded .config-section-content {
+ max-height: 2000px; /* Large enough for content */
+ transition: max-height 0.8s ease-in;
+}
+
+.config-section-body {
+ padding: 12px 16px;
+ border-top: 1px solid var(--border-color);
+}
+
+/* Nested collapsible for lists */
+.config-list-toggle {
+ color: var(--primary-color);
+ cursor: pointer;
+ text-decoration: underline;
+ font-size: 12px;
+ margin-top: 8px;
+ display: inline-block;
+ transition: color 0.2s ease;
+}
+
+.config-list-toggle:hover {
+ color: var(--primary-hover);
+}
+
+.config-list-expanded {
+ margin-top: 0;
+ margin-bottom: 8px;
+ padding-left: 0;
+ display: none;
+ transition: all 0.5s ease;
+}
+
+.config-list-expanded.visible {
+ display: block;
+}
+
 .config-raw-json {
 white-space: pre-wrap;
 font-family: 'Monaco', 'Menlo', 'Ubuntu Mono', monospace;
diff --git a/options/options.html b/options/options.html
index 7a69aea..93ea755 100644
--- a/options/options.html
+++ b/options/options.html
@@ -169,6 +169,11 @@
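Review bot: The expanded-state rule `.config-section-collapsible.expanded .config-section-content { max-height: 2000px; }` combined with `overflow: hidden` on both the container and the content silently clips any section body taller than 2000px, and the config sections this panel renders include lists (allowlists, protected domains) that can grow without bound, so the tail of a long list would become invisible and uneditable with no indication to the administrator. Either raise the cap well beyond realistic content, or switch the expanded state to `max-height: none` after the transition ends (e.g. via a `transitionend` handler) so the cap only applies during the animation. Separately, `transition: all 0.5s ease` on `.config-list-expanded` has no effect because the only property that changes is `display`, which is not animatable; drop the line or animate `opacity`/`max-height` instead. The `.config-raw-json` rule continues outside the hunk.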
Add URLs or regex patterns to allowlist from detection. Use simple URLs with * wildcards (e.g., https://google.com/*) or advanced regex patterns. These will be added to the exclusion rules without replacing the entire ruleset. This allowlist also protects the extracted domains from typosquatting, homoglyphs, and other domain squatting attacks.