This is done via some User-Agent matching, pulling networks advertised by ASNs of known sandbox companies, and "MISC" sources that were found from previous real-world phishing attempts. The original idea came up during some phishing campaigns a while ago, later someone pointed me to @curi0usJack's htaccess file which provided the user-agents.

Thanks to @curi0usJack for some data source/info, and thanks to @imoorhouse904 for testing and data to add!

TLDR; edit DESTINATION to point to benign version of payload, put output into .htaccess, hopefully enjoy phishing again!

Make sure your apache configs AllowOverride, so the htaccess will work. Example:

   <Directory "/var/www/html/test">
      Options Indexes FollowSymLinks
      AllowOverride All
    </Directory>

If you need to debug how it is matching, add "LogLevel alert rewrite:trace6" to your main configuration -- but keep in mind that each connection attempt will log EACH regex to your logs. This can fill logs/drives quickly if alot of attempts occur!

Simply edit a few variables within the program, all at the top:

WORKINGFILE=/tmp/redhtaccess ; this will be the final file, you can leave this
TMPFILE=/tmp/tmptargets ; temp working file, you can leave this
JACKTMP=/tmp/jacktmp ; temp working file for curi0usJack's file, you can leave this
CURLOPTIONS="--connect-timeout 10" ; add additional curl options here, such as proxies, you can leave this
DESTINATION="http://funkytown.com/DIR/file.doc" ; this is where to redirect sandboxes -- make it look as similar to the original as possible, but make it redirect to a clean (malware-free) version of your payload!

Similar to the section above, all ASN/useragent/misc configs are kept internal to keep the file portable/easy to deal with.

Simply add additional regexs to match agents inside of this variable, example:

   AGENTS="^.*cloudfront.*$ ^curl.*$ ^Python-urllib.*$ ^Wget.*$ ^Lynx.*$ ^Slackbot-LinkExpanding.*$"

Add additional ASNs to this variable in the form of CompanyName_ASN#, example:

   ASNS="zScaler_AS22616 DigitalOcean_AS46652 ForcePoint_AS13448 CiscoMeraki_AS395831"

Add additional lines per "misc" source, starting with a "#" ! Add in the form of:
#MISC-NetworkOrIP-CompanyName-ReasonAdded
Example:

   #MISC-195.47.249.0/24-Bayer-Seen in phish
   #MISC-40.96.0.0/12-MicrosoftCorp-40.107.242.0 seen in previous phish
   #MISC-40.125.0.0/17-MicrosoftCorp-