Windows Analysis Report
https://fsgospefx6g2.sg.larksuite.com/wiki/Y7ybwFESRiirQPkoARZlhCyVgFb?

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": true,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": false,
    "brand_spoofing_attempt": false,
    "third_party_hosting": true
}

URL: https://fsgospefx6g2.sg.larksuite.com

{
    "risk_score": 1,
    "reasoning": "The provided JavaScript snippet appears to be a simple timestamp assignment, which is a common practice for tracking the timing of CSS file downloads. This behavior is low-risk and likely part of a legitimate performance monitoring or analytics implementation."
}

window.cssDownloadEndTime=Date.now();

{
    "risk_score": 1,
    "reasoning": "The provided JavaScript snippet appears to be a simple performance measurement utility, tracking the start time of server-side rendering (SSR) and the current time. This behavior is common in web development and does not exhibit any high-risk indicators."
}

window.parseStartTime=Date.now(),window.serverSsrStartTime="1736816907458";

{
    "risk_score": 7,
    "reasoning": "This script demonstrates several high-risk behaviors, including dynamic code execution via `eval()` and potential data exfiltration. While the script checks for a local host environment, the use of `eval()` to execute remote code is a significant security concern. Additionally, the script disables console logging, which could be used to hide malicious activities. Overall, the combination of these behaviors warrants a high-risk score."
}

!function(){function isLocalHost(){var o=window.location;return o.host.indexOf("localhost")>-1||/^(\d+)\.(\d+)\.(\d+)\.(\d+):(\d+)$/.test(o.host)}if(isLocalHost())try{var xhrObj=new XMLHttpRequest;xhrObj.open("GET","/js/only_dev.js",!1),xhrObj.send(""),eval(xhrObj.responseText)}catch(o){console.error(o)}else{var query=window.location.search.substr(1),consoleQuery=query.match(new RegExp("(^|&)console=([^&]*)(&|$)","i")),shortcutQuery=query.match(new RegExp("(^|&)shortcut=([^&]*)(&|$)","i"));!console||consoleQuery||shortcutQuery||(console.log=function(){},console.warn=function(){},console.info=function(){},console.debug=function(){})}}();

{
    "risk_score": 4,
    "reasoning": "The provided JavaScript snippet demonstrates some moderate-risk behaviors, including the use of custom storage implementations that could potentially be used for data exfiltration or other malicious purposes. However, the intent behind this code is not entirely clear, and it may be a legitimate attempt to work around limitations or issues with the native browser storage APIs. Further investigation would be needed to determine the true nature of this script."
}

!function(){function e(){var e={map:new Map,clear:()=>(e.length=0,e.map.clear()),setItem(t,n){e.map.set(t,n),e.length++},getItem:t=>e.map.get(t),removeItem(t){e.map.delete(t),e.length--},key:t=>Array.from(e.map.keys())[t]||"",length:0};return e}var t=e(),n=e();try{window.localStoageLength=window.localStorage.length,delete window.localStoageLength}catch(e){Object.defineProperty(window,"localStorage",{get:function(){return t}}),Object.defineProperty(window,"sessionStorage",{get:function(){return n}})}}();

{
    "risk_score": 1,
    "reasoning": "This script appears to be a simple error handling and timing mechanism. It checks for the existence of a 'staticCDNErrorHandler' function in the global window object and logs an error message if it's not found. It also records the current timestamp in the 'cssDownloadStartTime' property of the window object. This behavior is consistent with basic web development practices and does not indicate any high-risk activities."
}

window.staticCDNErrorHandler||console.error("not found staticCDNErrorHandler in window"),window.cssDownloadStartTime=Date.now();

{
    "risk_score": 4,
    "reasoning": "The script checks the URL parameters and stores the 'from' parameter value in the session storage. It also checks the user agent for 'windows' or 'LKPDesktop' and adds corresponding CSS classes to the HTML element. This behavior is moderately risky as it involves storing user data (referrer information) and making decisions based on the user agent, which could potentially be used for tracking or other purposes. However, without further context, it does not appear to be overtly malicious."
}

!function(){if(window.location.search.indexOf("from=")>-1){for(var e,t,o=/from=([^&]*)/g;null!==(e=o.exec(window.location.search));)t=e[1];window.sessionStorage.setItem("__ENTER_FROM__",t),t.startsWith("lark.")&&/lark/i.test(navigator.userAgent)&&(window.notTryToReloadCdn=!0)}var n=/windows|win32/i.test(navigator.userAgent),a=/LKPDesktop/i.test(navigator.userAgent),s=document.querySelector("html");n&&(s.className+=" windows"),a&&(s.className+=" lkp")}();

{
    "risk_score": 4,
    "reasoning": "The provided JavaScript snippet appears to be a part of a larger application that collects various user and session-related data, including user agent information, browser type, and other contextual data. While the snippet does not exhibit any clear high-risk behaviors, such as dynamic code execution or data exfiltration, it does engage in moderate-risk activities like external data transmission and aggressive DOM manipulation. Additionally, the use of obfuscated code and the presence of multiple fallback domains raise some concerns. Overall, the script requires further review to ensure that the data collection and transmission practices are transparent and aligned with the application's legitimate purposes."
}

!function(){function e(e,n){for(var o=n.split("."),a=e,t=0;t<o.length&&null!=a;t++)a=a[o[t]];return a}function n(){const n=e(window,"navigator.userAgent");var o=n?n.match(/Chrome|Safari|Firefox|Opera/i):"";return o?o[0]:""}function o(n){var o=window.location;const t=e(window,"navigator.userAgent");var r=(window.name||"").startsWith("MESSAGE_CHANNEL");n.isFeishu=/feishu/i.test(t),n.isLark=n.isFeishu||/lark/i.test(t),n.isFeishuRooms=/FeishuRooms|LarkRooms/i.test(t),n.isInVC=/vc=true/.test((o.search||"").toLowerCase())||n.isLark&&/\sVC\//.test(t),n.isOpendoc=/opendoc=(true|1)/.test((o.search||"").toLowerCase())||/^\/component\//.test(o.pathname||""),n.isFeed=/Feed/i.test(t)||/lark=1/.test(o.search)||/sourceType=feed/.test(o.search),n.isMultiPage=n.isLark&&/multiPage=1/.test(o.search);const s=Boolean(window.larkTabName)||/larkTabName=/.test(o.search);return n.isFromSuperApp=n.isLark&&/superapp/i.test(t)&&!s,n.isFeishuRooms?"VC Room":n.isInVC?"VC":n.isOpendoc?r?"opendoc_applet":"opendoc":r?"applet":n.isMultiPage?"docs_im_container_scene":n.isFeed?"docs_feed":n.isFromSuperApp?"docs_im_container_scene_v2":window.parent!==window?"iframe":a("scene","web")||"none"}function a(e,n){var o=new RegExp("(^|&)"+e+"=([^&]*)(&|$)","i"),a=window.location.search.substr(1).match(o);return(a?decodeURIComponent(a[2]).toLowerCase():"")||n||""}window.htmlCollectEventStart=Date.now(),window.htmlCollectEvent=function(t,r,s,i){if(!(window.matchTeaSample?window.matchTeaSample(t):function(n){try{const o=(e(window,"User.clientFeatures")||{})["ccm.tea_sample"]||!1;if(!o)return!1;const a=o?JSON.parse(o):{},t=a.hasOwnProperty("default")?a.default:1,r=window.localStorage.getItem("sampleUserId"),s=a.hasOwnProperty(n)?a[n]:t;if(r%1e4>=1e4*s)return!0}catch(e){console.error("teaSample error",e)}return!1}(t))){var c,d="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";(r=r||{}).branch||(r.branch=window.scm&&window.scm.branch||""),void 0===r._staging_flag&&(r._staging_flag=!e(window,"local.isE2E")&&(c=e(window,"globalConfig.common.env"),function(){var e=window.location;return e.host.indexOf("localhost")>-1||/^(\d+)\.(\d+)\.(\d+)\.(\d+):(\d+)$/.test(e.host)}()||"online"!==c&&"pre_release"!==c)?1:0),r.path||(r.path=location.pathname.replace(/\/([a-zA-Z0-9]+)$/,"/:token"));var w=e(window,"globalConfig.common.tea"),p={};if(w&&w.open){var _,l="saas"===e(window,"globalConfig.common.channel"),m=e(window,"User.settingsConfig.ccm_platform_tea_config.mg_tea_domain"),u=e(window,"User.settingsConfig.ccm_platform_tea_config.mg_app_id"),g=l&&m&&u,h=g?m:w.config.channel_domain,f=g?u:w.config.appId.doc;if(!r.file_id){var x=e(window,"templateRequestInfo.encryptedToken");x&&(r.file_id=x)}try{_=e(window,"User.encryptedUserId")||window.localStorage.getItem("userUniqueId")}catch(e){}_||(_=d);var v=window.rv_rev,b="",C="";if(v){var y=v.split("-");b=y[1]+"-"+y[2],C=y[3]}var k=e(window,"User.abTest.versions"),S="";k&&k.length>0&&(S=k[0].version_name);var U=e(window,"anonymousAccess.isAnonymousAccess")?"anonymous":"suite",F=e(window,"User.clientFeatures")||{},A=Number(/lark=\w*&?/.test(location.search)),I=[{user:{user_unique_id:_,ssid:"____"},header:{ab_version:S,app_id:f,app_name:"docs",__userless:"true",app_language:e(window,"User.language"),browser:n()},events:[{event:t,local_time_ms:Date.now(),params:JSON.stringify(r)}]}];I.forEach((function(n,t){if(I[t].header.headers={custom:{web_version_date:b,web_version_timestamp:C,web_version:e(window,"scm.version"),web_docx_version:e(window,"scmdocx.version"),web_base_version:e(window,"scmbitable.version"),web_sheet_version:e(window,"scmsheet.version"),web_branch:e(window,"scm.branch"),tpl:e(window,"scm.tpl"),workspace:F["ccm.workspace.next_super"]||F["ccm.workspace.next"]?"next":"legacy",gray_scale:"ga"===e(window,"bearGarr.stageName")?"master":e(window,"scm.branch"),stage_name:e(window,"bearGarr.stageName"),stage_description:e(window,"bearGarr.stageDescription"),brand:e(window,"globalConfig.common.product")||"none",tenant_id:e(i,"tenant_id")||e(window,"User

{
    "risk_score": 4,
    "reasoning": "The provided JavaScript snippet appears to be a configuration object for a web application, likely related to the Lark suite of products. While it contains some potentially sensitive information, such as domain names and API endpoints, there are no clear indicators of malicious behavior. The script seems to be focused on providing common configuration settings and does not exhibit any high-risk behaviors like dynamic code execution, data exfiltration, or suspicious redirects. However, the script does include some moderate-risk indicators, such as external data transmission and the use of multiple fallback domains, which warrant further review. Overall, the risk score is assessed as medium, requiring additional investigation to ensure the configuration is being used in a secure and transparent manner."
}

window.globalConfig=Object({"common":{"abTest":{"ab_channel_domain":"https://abtestvm.bytedance.com"},"brand":{"app_name":"APP_NAME_LARK"},"channel":"saas","domain":{"applink":"applink.larksuite.com","dlp_api":"internal-api-security-sg.larksuite.com","helpcenter":"www.larksuite.com","helpdesk":"helpdesk-sg.larksuite.com","lark_api":"internal-api-lark-api-sg.larksuite.com","lark_file":"internal-api-lark-file-sg.larksuite.com","official":"www.larksuite.com","okr_api":"okr.larksuite.com","open":"open.larksuite.com","open_platform":"internal-api-sg.larksuite.com","open_tpl_service":"larksuitepkg.com","pano":"oa-sg.larksuite.com","passport":"login-sg.larksuite.com","passport_agw_feishu":"login-sg.larksuite.com","passport_agw_lark":"login-sg.larksuite.com","passport_main_domain":"larksuite.com","security":"internal-api-sg.larksuite.com","setting":"internal-api-lark-api-sg.larksuite.com","tnc_fetch_api":"dm.larksuite.com","tnc_sdk":"sf16-unpkg.larksuitecdn.com"},"domainPool":["feishu.net","docs-sg.bytedance.net","feishu.cn","larksuite.com","larkoffice.com","larkenterprise.com","bezo.com"],"env":"online","frontier":{"aid":1191,"appKey":"5a4d135f57bfbf0461ad10cc7f1d3658","fpid":54},"garrMina":{"appId":66,"domain":"open-sg.larksuite.com","pathName":"/config/get","version":"1.0.0"},"helpcenter_article":{"app_share_help":360048488038,"authorized_help":360024166434,"confluence_importing_help":360048488373,"importing_help":360026577593,"incompatible_extension":360036896254,"shimo_importing_help":360026577593,"space_single_container":360048488243,"stickup_help":360044347714,"storage_help":360048488008,"supported_browser":360038195414},"i18nCdnApi":{"domain":"starling.snssdk.com","path":"/get_cdn/2102/"},"mainDomain":"larksuite.com","metrics":{"domain":"api.zjurl.cn","open":true},"mina":{"appId":2,"domain":"open-sg.larksuite.com","pathName":"/config/get","version":"online-1.0"},"product":"lark","rosetta":{"domain":"rosetta-sg.larksuite.com","path":"/rosetta/api/v1/products/29/cdn"},"secLink":{"appId":1161,"open":true},"sentry":{"domain":"ee-sentry.byted.org","mobile":{"domain":"ee-sentry.byted.org","open":true,"organizationSlug":"bytedance-ee","projectSlug":{"doc":"bear_mobile"},"raven":{"dsnDomain":"b2b4fd03e1c94c17bdfee04f4001d617@internal-api-sentry-sg.feishu.cn/normal","ignoreUrls":["bear-test\\.bytedance\\.net","docs-test\\.bytedance\\.net"],"logger":"docs-mobile","projectId":267}},"open":true,"organizationSlug":"bytedance-ee","projectSlug":{"doc":"bear_fe"},"raven":{"bid":{"docs_pc":"docs_pc"},"dsnDomain":"f60ebb5d980b4795ad10d8ca7259dc0e@internal-api-sentry-sg.feishu.cn/normal","ignoreUrls":["bear-test\\.bytedance\\.net"],"logger":{"doc":"docs-fe"},"projectId":{"doc":65}}},"slardar":{"config":{"bid":{"docs_pc":"docs_pc"},"ignoreAjax":["mcs\\.snssdk\\.com","mon-va\\.byteoversea\\.com","api\\.zjurl\\.cn",".*api\\/sheet\\/sht.*"]},"domain":"slardar.bytedance.net","logDomain":"slardar-bd.feishu.cn","mobile":{"config":{"bid":"docs_mobile","ignoreAjax":["mcs\\.snssdk\\.com"],"pid":"index"},"domain":"slardar.bytedance.net","logDomain":"slardar-bd.feishu.cn","open":true,"region":"cn","sdkAddr":"https://lf3-cdn-tos.bytegoofy.com/goofy/slardar/fe/sdk/browser.cn.js"},"open":true,"region":"cn","sdkAddr":"https://lf3-cdn-tos.bytegoofy.com/goofy/slardar/fe/sdk/browser.cn.js"},"slardarWeb":{"bid":"docs_pc","ignoreUrls":["mcs\\.snssdk\\.com","maliva-mcs\\.byteoversea\\.com","mon-va\\.byteoversea\\.com","api\\.zjurl\\.cn",".*api\\/sheet\\/sht.*","mcs-bd.*","slardar-bd.*"],"open":true,"sdkAddr":"https://sf16-short-sg.bytedapm.com/slardar/fe/sdk-web/browser.sg.js"},"tea":{"api":{"report":"/v1/list"},"config":{"appId":{"doc":1229,"drive_sdk":2331,"single_product":2916},"channel_domain":"https://mcs-bd-sg.larksuite.com"},"domain":"data.bytedance.net/tea","open":true,"productId":{"doc":40},"report_default_domain":"mcs-bd-sg.larksuite.com"},"unit":"larksgaws"},"drive_api":["internal-api-drive-stream-sg.larksuite.com"],"drive_bgp_api":["","https://internal-api-al

{
    "risk_score": 1,
    "reasoning": "The provided JavaScript snippet appears to be a simple utility function that adjusts the CSS variable '--vh' (viewport height) to accommodate mobile devices with notches or other display features that may affect the reported viewport height. This is a common practice to ensure proper layout and responsiveness on mobile platforms. The script does not exhibit any high-risk behaviors, such as dynamic code execution, data exfiltration, or suspicious redirects, and is likely a legitimate utility for improving the user experience."
}

!function(){var t;function n(){var t=.01*window.innerHeight;document.documentElement.style.setProperty("--vh",t+"px")}t=navigator.userAgent,(/iPad/i.test(t)||function(t,n){return!!(n.maxTouchPoints&&n.maxTouchPoints>2&&/Macintosh/.test(t)&&/MacIntel/.test(n.platform||""))}(t,navigator))&&(n(),window.addEventListener("resize",()=>{n()}))}();

{
    "risk_score": 6,
    "reasoning": "The provided JavaScript snippet exhibits several behaviors that raise moderate security concerns. It includes features for dynamic code execution, data exfiltration, and interaction with potentially untrusted domains. While some of the functionality may be intended for legitimate purposes like analytics or error reporting, the overall implementation and lack of transparency increase the risk profile of this script."
}

The key factors contributing to the medium risk score (6) are:

1. **Dynamic Code Execution (3 points)**: The script uses the `Function` constructor, which can be used to execute remote or dynamically generated code, posing a potential security risk.

2. **Data Exfiltration (3 points)**: The script sends user data (e.g., cookies, session identifiers) to external servers, which could be a concern for user privacy and security.

3. **Fallback Domains (2 points)**: The script uses multiple fallback domains, some of which may be of unknown or dubious reputation, increasing the risk of redirection to malicious sites.

4. **Aggressive DOM Manipulation (2 points)**: The script repeatedly alters or clears the DOM, which could be indicative of aggressive or potentially malicious behavior.

5. **Contextual Adjustments**: While the script may have some legitimate use cases, such as analytics or error reporting, the overall implementation and lack of transparency around the data being transmitted raise concerns. No significant subtractions were made for trusted domains or known analytics functionality.

Overall, the combination of high-risk behaviors, moderate-risk indicators, and the lack of clear transparency around the script's purpose and data handling practices result in a medium risk score of 6. Further investigation and review of the script's full context would be recommended to determine the extent of the security risks.

!function(){var r=!1;function e(r){var e="",n="",t=window.globalConfig.overload_static_domain;if(t&&t.length>0)for(var o=0;o<t.length;o++){var i=r.split(t[o]);if(i.length>1){n=i[1],e=t[o];break}}return{host:e,pathname:n}}function n(r,n,t,i,c,a){var d=document.createElement(r);const _=!i;_&&(document.head.appendChild(d),window.logCheckReactVersion("genTargetElement append script "+n));var s=window.extractChunkIdWithSrc(n);switch(window.logCDNErrorEntries(s,r,{add_cdn_error_retry_times:1,startTime:Date.now()}),d.onload=function(e){window.logCDNErrorEntries(s,r,{add_cdn_error_retry_times:1}),window.logCDNErrorRetrySuccessEntries(s,r);var i=r+"-"+s;o("client_cdn_retry_success",{src:n,tagName:r,duration:window.__cdnErrorEntries__&&window.__cdnErrorEntries__[i]&&Date.now()-window.__cdnErrorEntries__[i].startTime}),window.removeCDNErrorEntry(s,r),t(e)},r){case"script":d.src=n;break;case"link":d.rel="stylesheet",d.href=n}return d.onerror=function(o){window.logCDNErrorEntries(s,r,{add_cdn_error_times:1,add_error_domain:e(n).host,endTime:Date.now()}),window.staticCDNErrorHandler(d.src||d.href,r),window.tryToLoadBackupCdn(d.src||d.href,r,_,t,c,a,o)},d}function t(r,e){var n=window.collectEvent||window.htmlCollectEvent;n&&n(r,e)}function o(r,e){t(r,{path:location.pathname.replace(/\/([a-zA-Z0-9]+)$/,"/:token"),src:e.src,tagName:e.tagName,type:e.type,retry_times:e.retry_times,duration:e.duration,app_js_loaded:window.collectEvent?"true":"false",networkStatus:navigator.onLine?"online":"offline",template_log_id:window.templateRequestInfo&&window.templateRequestInfo.logId})}function i(r){var e={},n=r.requestStart,t=(r.requestEnd,r.responseStart),o=r.responseEnd;return e.domainLookupTime=r.domainLookupEnd-r.domainLookupStart,e.connectTime=r.connectEnd-r.connectStart,e.TTFBTime=t-n,e.requestTime=0===n?0:o-n,0!==r.secureConnectionStart&&(e.SSLTime=r.connectEnd-r.secureConnectionStart),e.usedTime=o-r.fetchStart,e}window.getBackupCdn=function(r){r||(r=1);var e=window.globalConfig.overload_static_domain;return e[r%e.length]},window.getBackupURL=function(r,n){var t=e(r).host;return t?r.replace(new RegExp(t),getBackupCdn(n)):r},window.logCheckReactVersion=function(r){try{window.__checkReactVersionLog__||(window.__checkReactVersionLog__=[]);var e=(location.pathname.match(/\/([a-zA-Z0-9]+)$/)||[])[0],n=String(Error(r).stack),t=e?n.replace(new RegExp(e,"g"),"/:token"):n,o=Error.stackTraceLimit;Error.stackTraceLimit=1/0,window.__checkReactVersionLog__.push((new Date).toISOString()+" "+t),Error.stackTraceLimit=o,window.__checkReactVersionLog__.length>50&&window.__checkReactVersionLog__.shift()}catch(r){console.error("logCheckReactVersion",r)}},window.logCDNErrorEntries=function(r,e,n){try{if(window.__cdnErrorEntries__||(window.__cdnErrorEntries__={}),!r)return;n||(n={});var t=window.__cdnErrorEntries__,o=e+"-"+r;if(!t[o]){var i=n.first_fetch_duration;void 0===i&&(i=Date.now()-performance.timing.responseEnd),t[o]={first_fetch_duration:i,cdn_error_times:1,cdn_error_retry_times:0,error_domains:[]}}n.add_cdn_error_times&&(t[o].cdn_error_times+=n.add_cdn_error_times),n.add_cdn_error_retry_times&&(t[o].cdn_error_retry_times+=n.add_cdn_error_retry_times),n.add_error_domain&&t[o].error_domains.push(n.add_error_domain),n.startTime&&(t[o].startTime=n.startTime),n.endTime&&(t[o].endTime=n.endTime)}catch(r){console.error("logCDNErrorEntries",r)}},window.removeCDNErrorEntry=function(r,e){try{var n=e+"-"+r;window.__cdnErrorEntries__[n]=null}catch(r){console.error("removeCDNErrorEntry",r)}},window.logCDNErrorRetrySuccessEntries=function(r,e,n){try{if(!r||!e)return;var t=e+"-"+r;if(!window.__cdnErrorEntries__||!window.__cdnErrorEntries__[t])return;window.__cdnErrorRetrySuccessEntries__||(window.__cdnErrorRetrySuccessEntries__=[]),window.__cdnErrorRetrySuccessEntries__.push(t)}catch(r){console.error("logCDNErrorRetrySuccessEntries",r)}},window.extractChunkIdWithSrc=function(r){try{return r.match(/(\w+)[\.|_]*[\w|\[|\]\-]+.(js|css)/)[1]}catch(e){console.error("extractChunkIdWith

{
  "contains_trigger_text": true,
  "trigger_text": "OPEN OR PREVIEW FULL PDF HERE",
  "prominent_button_name": "OPEN OR PREVIEW FULL PDF HERE",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Microsoft 365"
  ]
}

{
  "contains_trigger_text": true,
  "trigger_text": "OPEN OR PREVIEW FULL PDF HERE",
  "prominent_button_name": "OPEN OR PREVIEW FULL PDF HERE",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": true,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false,
  "contains_chinese_text": false,
  "contains_fake_security_alerts": false
}

{
  "brands": [
    "Microsoft 365"
  ]
}

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: https://larksuite.com

{
"contains_trigger_text": true,
"trigger_text": "OPEN OR PREVIEW FULL PDF HERE",
"prominent_button_name": "OPEN OR PREVIEW FULL PDF HERE",
"text_input_field_labels": "unknown",
"pdf_icon_visible": true,
"has_visible_captcha": false,
"has_urgent_text": false,
"has_visible_qrcode": false,
"contains_chinese_text": false,
"contains_fake_security_alerts": false
}

{
  "brands": [
    "Microsoft 365"
  ]
}