Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
78f1a5b
Better removal script
Zacgoose Apr 8, 2026
72899b2
Merge pull request #141 from Zacgoose/removal-script
Zacgoose Apr 8, 2026
ce180f9
Docs for removal
Zacgoose Apr 8, 2026
c7476b1
Merge pull request #142 from Zacgoose/docs-update-for-removal
Zacgoose Apr 8, 2026
eb327dd
feat: Add interactive setup and detection scripts for Intune deployme…
bmsimp Apr 10, 2026
303e06c
Update enterprise/Setup-Windows-Chrome-and-Edge.ps1
bmsimp Apr 24, 2026
dd26324
Update enterprise/Detect-Windows-Chrome-and-Edge.ps1
bmsimp Apr 24, 2026
0a92b22
Update docs/deployment/chrome-edge-deployment-instructions/windows/do…
bmsimp Apr 24, 2026
c0ea1f2
Update docs/deployment/chrome-edge-deployment-instructions/windows/do…
bmsimp Apr 24, 2026
3b37e2f
Update docs/deployment/chrome-edge-deployment-instructions/windows/do…
bmsimp Apr 24, 2026
53576e6
fix: escape scalar values as single-quoted literals + add missing Int…
bmsimp Apr 24, 2026
a969e4e
fix: coordinated toolbar pin drift detection
bmsimp Apr 24, 2026
6a8f614
fix: validate template replacements + consistent detection diagnostics
bmsimp Apr 24, 2026
da60ec9
Merge pull request #144 from bmsimp/feat/intune-detection-setup
bmsimp Apr 24, 2026
cbf49b3
GITBOOK-72: CIPP Standard Deployment
bmsimp Apr 24, 2026
77d51d5
feat: Add PR validation GitHub Actions workflow
JohnDuprey Apr 29, 2026
2991d1b
Merge branch 'dev' of https://github.com/CyberDrain/Check into dev
JohnDuprey Apr 29, 2026
4556b6d
Update macos.md
josh-ricketts-enable May 20, 2026
8fb6e89
better atim detection
Zacgoose Jun 8, 2026
85d5f4c
atim
Zacgoose Jun 8, 2026
e568792
rule loading changes
Zacgoose Jun 8, 2026
835a541
Update detection-rules.json
Zacgoose Jun 9, 2026
ab58528
Update detection-rules.json
Zacgoose Jun 9, 2026
0485723
Update macos.md
Zacgoose Jun 18, 2026
6e12b46
Merge pull request #154 from josh-ricketts-enable/patch-1
Zacgoose Jun 18, 2026
9e9b562
fix(content): treat domain squatting 'log' action as a distinct state
MWG-Logan Jul 1, 2026
a0cd545
fix(allowlist): match deep-link URLs in urlPatternToRegex
MWG-Logan Jul 1, 2026
2722187
fix(allowlist): restrict deep-link tolerance to host and root URL pat…
MWG-Logan Jul 2, 2026
a70ae59
docs(domain-squatting): document the log detection action
MWG-Logan Jul 2, 2026
2a56d17
fix(docs): phrasing fix
MWG-Logan Jul 2, 2026
e629444
Merge pull request #164 from BezaluLLC/fix/exclusions
Zacgoose Jul 2, 2026
ebd7ced
Update detection-rules.json
Zacgoose Jul 2, 2026
be98d01
Merge branch 'main' into dev
Zacgoose Jul 2, 2026
b4695c2
Update detection-rules.json
Zacgoose Jul 2, 2026
46cd23d
Update domain-squatting-detection.md
Zacgoose Jul 2, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions docs/features/domain-squatting-detection.md
Original file line number Diff line number Diff line change
Expand Up @@ -88,13 +88,14 @@ You don't need to do anything - the protection works automatically in the backgr

### Page Blocking Control

Check has an **"Enable Page Blocking"** setting in the extension options that controls how suspicious pages are handled:
Check has an **"Enable Page Blocking"** setting in the extension options that controls how suspicious pages are handled. The detection **Action** can be one of three values: `block`, `warn`, or `log`.

- **Page Blocking Enabled** + **Action: "block"** = Page is completely blocked with full-page warning
- **Page Blocking Enabled** + **Action: "warn"** = Warning banner shown, page remains accessible
- **Page Blocking Disabled** = Warning banner shown regardless of action setting (never blocks)
- **Action: "log"** = Detection is recorded in Activity Logs and (if configured) sent to reporting and webhooks. No banner and no block are shown to the user, regardless of the Page Blocking setting.
- **Page Blocking Disabled** = Never blocks. If **Show Notifications** is enabled, a `block` or `warn` action shows a warning banner instead; a `log` action stays silent.

This gives you control over whether you want aggressive blocking or just warnings for suspicious domains.
This gives you control over whether you want aggressive blocking, visible warnings, or silent monitoring for suspicious domains.

### For Advanced Users and IT Departments

Expand All @@ -108,8 +109,7 @@ Edit your `rules/detection-rules.json` file to customize:
```json
{
"domain_squatting": {
"enabled": false, // Turn detection on/off (default: false)
"action": "block" // Action when detected: "block" or "warn"
"action": "block" // Action when detected: "block", "warn", or "log"
}
Comment thread
Zacgoose marked this conversation as resolved.
}
```
Expand All @@ -118,7 +118,7 @@ Edit your `rules/detection-rules.json` file to customize:
```json
{
"domain_squatting": {
"action": "block" // "block" = full page block, "warn" = banner only
"action": "block" // "block" = full page block, "warn" = banner only, "log" = silent, telemetry only
}
}
```
Expand Down
14 changes: 12 additions & 2 deletions options/options.js
Original file line number Diff line number Diff line change
Expand Up @@ -1371,9 +1371,19 @@ class CheckOptions {
if (!escaped.startsWith('^')) {
escaped = '^' + escaped;
}
// Add end anchor if pattern doesn't end with wildcard
// Add the end anchor if the pattern does not already end with a wildcard.
// Only a host or root URL pattern (no path beyond an optional single
// trailing slash) gets the tolerant trailing matcher, so patterns that
// include an explicit path stay exact matches and allowlist entries are
// not silently broadened into prefix matches. Kept in sync with the copy
// in scripts/content.js.
if (!pattern.endsWith('*') && !escaped.endsWith('.*')) {
escaped = escaped + '$';
const afterScheme = pattern.replace(/^https?:\/\//i, '');
const firstSlash = afterScheme.indexOf('/');
const isHostOrRoot = firstSlash === -1 || firstSlash === afterScheme.length - 1;
escaped = isHostOrRoot
? escaped.replace(/\/$/, '') + '(?:[/?#].*)?$'
: escaped + '$';
}
return escaped;
}
Expand Down
12 changes: 2 additions & 10 deletions rules/detection-rules.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"version": "1.2.3",
"lastUpdated": "2026-06-08T00:00:00Z",
"version": "1.2.4",
"lastUpdated": "2026-07-02T00:00:00Z",
"description": "Phishing detection logic for identifying phishing attempts targeting Microsoft 365 login pages",
"trusted_login_patterns": [
"^https:\\/\\/login\\.microsoftonline\\.(com|us)$",
Expand Down Expand Up @@ -144,14 +144,6 @@
"weight": 3,
"category": "primary"
},
{
"id": "img_alt_microsoft",
"type": "source_content",
"pattern": "<img[^>]+alt\\s*=\\s*[\"']Microsoft[\"'][^>]*>",
"description": "Image with alt=\"Microsoft\" - durable visual hook used by CSS-clone phishing kits that strip canonical MS DOM hooks",
"weight": 3,
"category": "primary"
},
{
"id": "ms_visible_ux_combo",
"type": "code_driven",
Expand Down
49 changes: 39 additions & 10 deletions scripts/content.js
Original file line number Diff line number Diff line change
Expand Up @@ -3411,9 +3411,25 @@ if (window.checkExtensionLoaded) {
escaped = "^" + escaped;
}

// Add end anchor if pattern doesn't end with wildcard
// Add the end anchor if the pattern does not already end with a wildcard.
//
// Only a host or root URL pattern (no path segment beyond an optional
// single trailing slash) is given the tolerant trailing matcher, so that
// allowlisting a host or root URL also matches deep links such as
// https://host/path. A pattern that includes an explicit path stays an
// exact match, so allowlist entries are not silently broadened into prefix
// matches (for example "https://host/safe" must not also allow
// "https://host/safe/anything"). Suffix tricks such as
// "https://host.evil.com/" still do not match a "https://host/" entry,
// because the tolerated remainder must begin with /, ?, or #.
if (!pattern.endsWith("*") && !escaped.endsWith(".*")) {
escaped = escaped + "$";
const afterScheme = pattern.replace(/^https?:\/\//i, "");
const firstSlash = afterScheme.indexOf("/");
const isHostOrRoot =
firstSlash === -1 || firstSlash === afterScheme.length - 1;
escaped = isHostOrRoot
? escaped.replace(/\/$/, "") + "(?:[/?#].*)?$"
: escaped + "$";
}

return escaped;
Expand Down Expand Up @@ -4247,19 +4263,29 @@ if (window.checkExtensionLoaded) {

// Check if notifications should be shown
const showNotifications = config.showNotifications !== false;

// Determine if we should block the page
// Requires: 1) enablePageBlocking is ON, 2) domain_squatting action is "block"

// Resolve the effective action as a real three-state value:
// 'block' | 'warn' | 'log'. Previously this only checked for
// 'block', which collapsed 'log' into 'warn' (banner + "warned").
// Semantics: warn logs telemetry AND shows a banner; log logs
// telemetry only and shows nothing to the user.
const squattingAction = squattingData.action || 'warn';
logger.debug(` enablePageBlocking: ${config.enablePageBlocking}`);
logger.debug(` squattingData.action: ${squattingData.action}`);
const shouldBlock = squattingData.action === 'block' &&
const shouldBlock = squattingAction === 'block' &&
config.enablePageBlocking !== false;
const outcome = shouldBlock
? "blocked"
: squattingAction === 'log'
? "logged"
: "warned";
logger.debug(` shouldBlock: ${shouldBlock}`);

logger.debug(` outcome: ${outcome}`);

// Log domain squatting detection
logProtectionEvent({
type: "threat_detected",
action: shouldBlock ? "blocked" : "warned",
action: outcome,
url: location.href,
origin: currentOrigin,
reason: `Domain squatting detected: ${squattingData.techniques.map(t => t.description).join('; ')}`,
Expand All @@ -4282,7 +4308,7 @@ if (window.checkExtensionLoaded) {
})),
severity: squattingData.severity,
confidence: squattingData.confidence,
action: shouldBlock ? "blocked" : "warned",
action: outcome,
reason: `Domain squatting detected: ${squattingData.techniques.map(t => t.description).join('; ')}`
});

Expand All @@ -4301,7 +4327,7 @@ if (window.checkExtensionLoaded) {
})),
severity: squattingData.severity,
confidence: squattingData.confidence,
action: shouldBlock ? "blocked" : "warned",
action: outcome,
reason: `Domain squatting detected: ${squattingData.techniques.map(t => t.description).join('; ')}`
},
})
Expand Down Expand Up @@ -4330,6 +4356,9 @@ if (window.checkExtensionLoaded) {
}
);
return; // Stop processing, page is blocked
} else if (squattingAction === 'log') {
// Log-only action: telemetry has already been emitted above.
// Intentionally show nothing to the user. Log must not warn.
} else if (showNotifications) {
// Show warning banner for domain squatting (only if notifications enabled)
const techniquesDesc = squattingData.techniques.map(t =>
Expand Down
Loading