' . htmlspecialchars($footerNote, ENT_QUOTES, 'UTF-8') . '

' : ''; return << {$safeSubject}

NEXA

CYBERSIGHT

{$safeSubject}

{$innerHtml}

{$footerExtra}

This is an automated message from Nexa CyberSight.

HTML; } // ── Pre-built email types ──────────────────────────────────────────── /** * Welcome / new user email. */ public static function welcomeEmail(string $username, string $firstName, string $resetLink): string { $eName = htmlspecialchars($firstName ?: $username, ENT_QUOTES, 'UTF-8'); $eUser = htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); $eLink = htmlspecialchars($resetLink, ENT_QUOTES, 'UTF-8'); $inner = <<

Hello {$eName}, welcome to Nexa CyberSight.

Your account has been created. Here are your details:

Username

{$eUser}

Set up your password

If the button doesn't work, copy and paste this link into your browser:

{$eLink}

If you did not expect this invitation, you can safely ignore this message.

HTML; return self::wrap('Welcome to Nexa CyberSight', $inner); } /** * Welcome email — plain text fallback. */ public static function welcomeEmailPlain(string $username, string $firstName, string $resetLink): string { $name = $firstName ?: $username; return "Welcome to Nexa CyberSight\n\n" . "Hello {$name},\n\n" . "Your account has been created.\n" . "Username: {$username}\n\n" . "To set up your password, visit the following link:\n{$resetLink}\n\n" . "If you did not expect this invitation, you can safely ignore this message.\n\n" . "— Nexa CyberSight"; } /** * Monitoring alert email. */ public static function monitoringAlertEmail( string $userName, string $domain, int $newFindings, int $totalFindings ): string { $eDomain = htmlspecialchars($domain, ENT_QUOTES, 'UTF-8'); $eName = htmlspecialchars($userName, ENT_QUOTES, 'UTF-8'); $plural = $newFindings !== 1 ? 's' : ''; $inner = <<

Hello {$eName}, our monitoring system has detected new credential findings.

{$newFindings} new finding{$plural} for {$eDomain}

Monitored asset

{$eDomain}

New findings since last check

{$newFindings}

Total findings to date

{$totalFindings}

How to investigate

1. Log into the CyberSight platform

2. Go to the Dashboard

3. Search for {$eDomain} using:

• Fetch credentials — leaked email/password combos

• Creds by domain — credentials from URLs matching this domain

• Illicit networks — dark web mentions

HTML; return self::wrap( "Monitoring Alert: {$newFindings} new finding{$plural} for {$domain}", $inner, 'Manage your monitoring preferences in Profile > Monitoring & Alerts.' ); } /** * Monitoring alert — plain text fallback. */ public static function monitoringAlertEmailPlain( string $userName, string $domain, int $newFindings, int $totalFindings ): string { return "Nexa CyberSight — Monitoring Alert\n\n" . "Hello {$userName},\n\n" . "New findings detected for {$domain}\n" . "New findings: {$newFindings}\n" . "Total findings: {$totalFindings}\n\n" . "To investigate:\n" . "1. Log into the CyberSight platform\n" . "2. Go to the Dashboard\n" . "3. Search for \"{$domain}\" using Fetch credentials or Creds by domain\n\n" . "Manage your monitoring preferences in Profile > Monitoring & Alerts.\n\n" . "— Nexa CyberSight"; } /** * Password reset email. */ public static function passwordResetEmail(string $username, string $resetLink): string { $eUser = htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); $eLink = htmlspecialchars($resetLink, ENT_QUOTES, 'UTF-8'); $inner = <<

Hello {$eUser}, we received a request to reset your password.

Username

{$eUser}

Expires

60 minutes

Reset your password

If the button doesn't work, copy and paste this link into your browser:

{$eLink}

If you did not request this password reset, you can safely ignore this message. Your password will remain unchanged.

HTML; return self::wrap('Reset Your Password', $inner); } /** * Password reset — plain text fallback. */ public static function passwordResetEmailPlain(string $username, string $resetLink): string { return "Nexa CyberSight — Password Reset\n\n" . "Hello {$username},\n\n" . "To reset your password, visit the following link:\n{$resetLink}\n\n" . "Username: {$username}\n" . "This link is valid for 60 minutes.\n\n" . "If you did not request this change, please ignore this message.\n\n" . "— Nexa CyberSight"; } // ── Free Exposure Report ────────────────────────────────────────── /** * Free exposure report email — premium branded design. */ /** Path to the brand logo asset shipped with the codebase. */ public const BRAND_LOGO_PATH = __DIR__ . '/../assets/email_logo.png'; /** * Content-ID used to reference the inline-attached logo from the HTML. * Senders MUST call $mail->addEmbeddedImage(self::BRAND_LOGO_PATH, * self::BRAND_LOGO_CID, 'logo.png', 'base64', 'image/png') for the *

tag to resolve in the recipient's client. */ public const BRAND_LOGO_CID = 'nx-logo'; /** * Returns the `cid:` URI used by the email HTML. The actual image is * attached as MIME by the sender. CID embedding is the only approach * that renders reliably in Gmail (data URIs are stripped) and Outlook. */ public static function brandLogoSrc(): string { return 'cid:' . self::BRAND_LOGO_CID; } // ─── Tier 1 helpers ──────────────────────────────────────────────────── /** * Build the inbox-facing subject line. Severity-led with emoji + count. * Phase A — T1.2. */ public static function exposureReportSubject(string $domain, int $total, string $lang = '', string $variant = 'A'): string { if ($lang === '' || !in_array($lang, ['es', 'en', 'pt'], true)) { $lang = self::reportLang($domain); } $S = self::reportStrings($lang); // Variant A — severity-led emoji prefix (current default) // Variant B — domain-led, severity in parenthesis (T3.6 A/B test) if ($total === 0) { return $variant === 'B' ? $domain . ' — ' . $S['subject_clean'] : $S['subject_clean'] . ' — ' . $domain; } $tier = $total <= 50 ? 'low' : ($total <= 500 ? 'mod' : ($total <= 5000 ? 'high' : 'critical')); $emoji = ['low' => '⚠', 'mod' => '⚠', 'high' => '⛔', 'critical' => '🚨'][$tier]; $body = sprintf($S['subject_' . $tier], number_format($total)); return $variant === 'B' ? sprintf('[%s] %s — %s', $domain, $body, $emoji) : sprintf('%s %s — %s', $emoji, $body, $domain); } /** * Append UTM tracking params to a URL. Phase A — T1.6. */ public static function addUtm(string $url, string $content): string { $sep = (strpos($url, '?') === false) ? '?' : '&'; $params = http_build_query([ 'utm_source' => 'email', 'utm_medium' => 'transactional', 'utm_campaign' => 'free_exposure_report', 'utm_content' => $content, ]); return $url . $sep . $params; } /** * Pick language by domain TLD. Phase A — T2.2. * `.br/.pt` → pt-br * `.com/.us/.io/.ai/.uk/.co` → en * default → es (LATAM hispanoparlante) */ public static function reportLang(string $domain): string { $domain = strtolower(trim($domain)); if (preg_match('/\.(br|pt)$/', $domain)) return 'pt'; if (preg_match('/\.(com|us|io|ai|uk|co|net|org)(\.[a-z]+)?$/', $domain) && !preg_match('/\.(com|net|org|gob|gub)\.(uy|ar|cl|mx|pe|co|br|ec|bo|ve|py|cr|gt|sv|hn|ni|pa|do|pr|cu)$/', $domain)) { return 'en'; } return 'es'; } /** * i18n string bundle. Phase A — T2.2. */ private static function reportStrings(string $lang): array { $bundles = [ 'es' => [ 'subject_clean' => '✓ Sin exposición detectada', 'subject_low' => '%s credenciales expuestas', 'subject_mod' => '%s credenciales comprometidas', 'subject_high' => '%s credenciales comprometidas — alta exposición', 'subject_critical' => '%s credenciales filtradas — exposición crítica', 'preheader_clean' => 'Tu dominio no aparece en nuestras bases de inteligencia. Revisá la verificación.', 'preheader_found' => '%s credenciales encontradas. Revisá el desglose por tipo de cuenta y la fortaleza de las contraseñas.', 'tldr_clean' => 'No detectamos credenciales comprometidas vinculadas a tu dominio.', 'tldr_low' => 'Encontramos exposición baja — conviene atender los hallazgos en los próximos días.', 'tldr_mod' => 'Exposición moderada. Recomendamos rotar contraseñas críticas y forzar MFA.', 'tldr_high' => 'Exposición alta. Acción inmediata recomendada en cuentas privilegiadas.', 'tldr_critical' => 'Exposición crítica. Tratá esto como un incidente activo y acelerá rotación + MFA.', 'severity_clean' => 'SIN EXPOSICIÓN DETECTADA', 'severity_low' => 'EXPOSICIÓN BAJA', 'severity_mod' => 'EXPOSICIÓN MODERADA', 'severity_high' => 'EXPOSICIÓN ALTA', 'severity_critical'=> 'EXPOSICIÓN CRÍTICA', 'badge' => 'REPORTE DE INTELIGENCIA DE CREDENCIALES', 'title' => 'Reporte de Exposición', 'generated_on' => 'Generado el', 'updated_chip' => 'Datos actualizados', 'hero_label' => 'CREDENCIALES COMPROMETIDAS', 'kpi_emp' => 'EMPLEADOS', 'kpi_third' => 'TERCEROS', 'kpi_cust' => 'CLIENTES', 'kpi_emp_sub' => 'Cuentas @%s', 'kpi_third_sub' => 'Servicios externos', 'kpi_cust_sub' => 'Cuentas de usuarios', 'strength_title' => 'ANÁLISIS DE CONTRASEÑAS', 'strength_subtitle'=> 'Fortaleza de las %s contraseñas analizadas', 'strength_weak' => 'DÉBILES + MUY DÉBILES', 'strength_lbl_vw' => 'Muy débil', 'strength_lbl_w' => 'Débil', 'strength_lbl_m' => 'Media', 'strength_lbl_s' => 'Fuerte', 'whatdo_title' => 'PRÓXIMOS PASOS RECOMENDADOS', 'whatdo_step1' => 'Forzar rotación inmediata de contraseñas para empleados con cuentas comprometidas.', 'whatdo_step2' => 'Habilitar MFA obligatoria en todos los servicios SaaS y webmail.', 'whatdo_step3' => 'Escanear endpoints de empleados afectados por posibles infecciones de stealer.', 'whatdo_step4' => 'Activar monitoreo continuo para alertas en tiempo real ante nuevos compromisos.', 'cta_kicker' => '¿LISTO PARA ACTUAR?', 'cta_title' => 'Conocé el', 'cta_title_hl' => 'panorama completo', 'cta_sub' => 'Cada usuario. Cada contraseña. Cada fuente. Plus stealer logs, monitoreo continuo e inteligencia LATAM-native.', 'cta_primary' => 'Ver cada credencial →', 'cta_secondary' => 'Hablar con un especialista', 'cta_pdf' => 'Descargar reporte en PDF', 'social_proof' => '%s organizaciones ya consultaron este dominio', 'understand' => 'ENTENDIENDO TUS RESULTADOS', 'edu_emp' => 'Empleados — emails @%s encontrados en bases de filtraciones y mercados de la dark web.', 'edu_third' => 'Terceros — credenciales de empleados reutilizadas en servicios externos (SaaS, redes sociales, etc.).', 'edu_cust' => 'Clientes — usuarios que acceden a tu dominio capturados por stealer logs.', 'trust_kicker' => 'Confiado por agencias de gobierno · bancos · fintechs · fuerzas de defensa', 'footer_legal' => 'Este reporte fue generado a partir de datos de filtraciones disponibles públicamente. No se accedieron ni descifraron credenciales durante este análisis.', 'footer_byline' => 'by Nexa Cybersecurity', 'footer_unsub' => 'Este es un email transaccional único. Política de privacidad', ], 'en' => [ 'subject_clean' => '✓ No exposure detected', 'subject_low' => '%s credentials exposed', 'subject_mod' => '%s credentials compromised', 'subject_high' => '%s credentials compromised — high exposure', 'subject_critical' => '%s credentials leaked — critical exposure', 'preheader_clean' => 'Your domain does not appear in our intelligence sources. Review the verification details.', 'preheader_found' => '%s credentials found. Review the breakdown by account type and password strength.', 'tldr_clean' => 'We did not detect compromised credentials tied to your domain.', 'tldr_low' => 'Low exposure detected — review and address findings within a few days.', 'tldr_mod' => 'Moderate exposure. Rotate critical passwords and enforce MFA.', 'tldr_high' => 'High exposure. Immediate action recommended on privileged accounts.', 'tldr_critical' => 'Critical exposure. Treat this as an active incident — accelerate rotation + MFA.', 'severity_clean' => 'NO EXPOSURE DETECTED', 'severity_low' => 'LOW EXPOSURE', 'severity_mod' => 'MODERATE EXPOSURE', 'severity_high' => 'HIGH EXPOSURE', 'severity_critical'=> 'CRITICAL EXPOSURE', 'badge' => 'CREDENTIAL INTELLIGENCE REPORT', 'title' => 'Exposure Report', 'generated_on' => 'Generated on', 'updated_chip' => 'Data updated', 'hero_label' => 'COMPROMISED CREDENTIALS', 'kpi_emp' => 'EMPLOYEES', 'kpi_third' => 'THIRD PARTIES', 'kpi_cust' => 'CUSTOMERS', 'kpi_emp_sub' => '@%s accounts', 'kpi_third_sub' => 'External services', 'kpi_cust_sub' => 'User accounts', 'strength_title' => 'PASSWORD ANALYSIS', 'strength_subtitle'=> 'Strength of %s passwords analyzed', 'strength_weak' => 'WEAK + VERY WEAK', 'strength_lbl_vw' => 'Very weak', 'strength_lbl_w' => 'Weak', 'strength_lbl_m' => 'Medium', 'strength_lbl_s' => 'Strong', 'whatdo_title' => 'RECOMMENDED NEXT STEPS', 'whatdo_step1' => 'Force immediate password rotation for employees with compromised accounts.', 'whatdo_step2' => 'Enable mandatory MFA across all SaaS and webmail services.', 'whatdo_step3' => 'Scan endpoints of affected employees for active stealer infections.', 'whatdo_step4' => 'Activate continuous monitoring for real-time alerts on new compromises.', 'cta_kicker' => 'READY TO ACT?', 'cta_title' => 'See the', 'cta_title_hl' => 'full picture', 'cta_sub' => 'Every user. Every password. Every source. Plus stealer logs, 24/7 monitoring and LATAM-native threat intelligence.', 'cta_primary' => 'See every credential →', 'cta_secondary' => 'Talk to a specialist', 'cta_pdf' => 'Download PDF report', 'social_proof' => '%s organizations have queried this domain', 'understand' => 'UNDERSTANDING YOUR RESULTS', 'edu_emp' => 'Employees — @%s emails found in leak databases and dark-web markets.', 'edu_third' => 'Third parties — employee credentials reused on external services (SaaS, social, etc.).', 'edu_cust' => 'Customers — users accessing your domain captured by stealer logs.', 'trust_kicker' => 'Trusted by government agencies · banks · fintechs · defense forces', 'footer_legal' => 'This report was generated from publicly-available breach data. No credentials were accessed or decrypted during this analysis.', 'footer_byline' => 'by Nexa Cybersecurity', 'footer_unsub' => 'This is a one-shot transactional email. Privacy policy', ], 'pt' => [ 'subject_clean' => '✓ Sem exposição detectada', 'subject_low' => '%s credenciais expostas', 'subject_mod' => '%s credenciais comprometidas', 'subject_high' => '%s credenciais comprometidas — exposição alta', 'subject_critical' => '%s credenciais vazadas — exposição crítica', 'preheader_clean' => 'Seu domínio não aparece em nossas fontes de inteligência. Revise os detalhes da verificação.', 'preheader_found' => '%s credenciais encontradas. Revise o detalhamento por tipo de conta e a força das senhas.', 'tldr_clean' => 'Não detectamos credenciais comprometidas vinculadas ao seu domínio.', 'tldr_low' => 'Exposição baixa — vale a pena tratar nos próximos dias.', 'tldr_mod' => 'Exposição moderada. Recomendamos girar senhas críticas e forçar MFA.', 'tldr_high' => 'Exposição alta. Ação imediata recomendada em contas privilegiadas.', 'tldr_critical' => 'Exposição crítica. Trate como incidente ativo — acelere rotação + MFA.', 'severity_clean' => 'SEM EXPOSIÇÃO DETECTADA', 'severity_low' => 'EXPOSIÇÃO BAIXA', 'severity_mod' => 'EXPOSIÇÃO MODERADA', 'severity_high' => 'EXPOSIÇÃO ALTA', 'severity_critical'=> 'EXPOSIÇÃO CRÍTICA', 'badge' => 'RELATÓRIO DE INTELIGÊNCIA DE CREDENCIAIS', 'title' => 'Relatório de Exposição', 'generated_on' => 'Gerado em', 'updated_chip' => 'Dados atualizados', 'hero_label' => 'CREDENCIAIS COMPROMETIDAS', 'kpi_emp' => 'FUNCIONÁRIOS', 'kpi_third' => 'TERCEIROS', 'kpi_cust' => 'CLIENTES', 'kpi_emp_sub' => 'Contas @%s', 'kpi_third_sub' => 'Serviços externos', 'kpi_cust_sub' => 'Contas de usuários', 'strength_title' => 'ANÁLISE DE SENHAS', 'strength_subtitle'=> 'Força das %s senhas analisadas', 'strength_weak' => 'FRACAS + MUITO FRACAS', 'strength_lbl_vw' => 'Muito fraca', 'strength_lbl_w' => 'Fraca', 'strength_lbl_m' => 'Média', 'strength_lbl_s' => 'Forte', 'whatdo_title' => 'PRÓXIMOS PASSOS RECOMENDADOS', 'whatdo_step1' => 'Forçar rotação imediata de senhas para funcionários com contas comprometidas.', 'whatdo_step2' => 'Habilitar MFA obrigatória em todos os SaaS e webmails.', 'whatdo_step3' => 'Escanear endpoints dos funcionários afetados em busca de infecções de stealer.', 'whatdo_step4' => 'Ativar monitoramento contínuo para alertas em tempo real.', 'cta_kicker' => 'PRONTO PARA AGIR?', 'cta_title' => 'Veja o', 'cta_title_hl' => 'panorama completo', 'cta_sub' => 'Cada usuário. Cada senha. Cada fonte. Plus stealer logs, monitoramento 24/7 e inteligência nativa LATAM.', 'cta_primary' => 'Ver cada credencial →', 'cta_secondary' => 'Falar com um especialista', 'cta_pdf' => 'Baixar relatório em PDF', 'social_proof' => '%s organizações já consultaram este domínio', 'understand' => 'ENTENDENDO SEUS RESULTADOS', 'edu_emp' => 'Funcionários — emails @%s encontrados em bases de vazamentos e mercados da dark web.', 'edu_third' => 'Terceiros — credenciais de funcionários reutilizadas em serviços externos (SaaS, redes sociais, etc.).', 'edu_cust' => 'Clientes — usuários acessando seu domínio capturados por stealer logs.', 'trust_kicker' => 'Confiado por agências de governo · bancos · fintechs · forças de defesa', 'footer_legal' => 'Este relatório foi gerado a partir de dados de vazamentos publicamente disponíveis. Nenhuma credencial foi acessada ou descriptografada durante esta análise.', 'footer_byline' => 'by Nexa Cybersecurity', 'footer_unsub' => 'Este é um email transacional único. Política de privacidade', ], ]; return $bundles[$lang] ?? $bundles['es']; } /** * Pick severity bucket. Returns assoc with key/color/icon/label/tldr. */ private static function severity(int $total, array $S): array { if ($total === 0) return ['key' => 'clean', 'color' => '#00B36A', 'icon' => '✓', 'label' => $S['severity_clean'], 'tldr' => $S['tldr_clean']]; if ($total <= 50) return ['key' => 'low', 'color' => '#FFEF34', 'icon' => '⚠', 'label' => $S['severity_low'], 'tldr' => $S['tldr_low']]; if ($total <= 500) return ['key' => 'mod', 'color' => '#FE7833', 'icon' => '⚠', 'label' => $S['severity_mod'], 'tldr' => $S['tldr_mod']]; if ($total <= 5000) return ['key' => 'high', 'color' => '#E5484D', 'icon' => '⛔', 'label' => $S['severity_high'], 'tldr' => $S['tldr_high']]; return ['key' => 'critical', 'color' => '#E5484D', 'icon' => '🚨','label' => $S['severity_critical'], 'tldr' => $S['tldr_critical']]; } /** * Render strength bars for any number of buckets in one cohesive section. * Used by exposureReportEmail. T1.4. * * @param array $blocks * @param array $S i18n strings bundle * @param string $sevColor severity color for the highlight ring */ private static function renderStrengthSection(array $blocks, array $S, string $sevColor): string { // Filter blocks with no usable data $blocks = array_filter($blocks, static function ($b) { return (int) ($b['data']['total_pass'] ?? 0) > 0; }); if (!$blocks) { return ''; } $rows = ''; foreach ($blocks as $key => $block) { $totalPass = (int) ($block['data']['total_pass'] ?? 0); $tw = $block['data']['too_weak'] ?? ['qty' => 0, 'perc' => 0]; $wk = $block['data']['weak'] ?? ['qty' => 0, 'perc' => 0]; $md = $block['data']['medium'] ?? ['qty' => 0, 'perc' => 0]; $st = $block['data']['strong'] ?? ['qty' => 0, 'perc' => 0]; $weakPct = round((float)($tw['perc'] ?? 0) + (float)($wk['perc'] ?? 0), 1); $accent = $block['accent']; $label = htmlspecialchars($block['label'], ENT_QUOTES, 'UTF-8'); $sub = htmlspecialchars($block['sub'], ENT_QUOTES, 'UTF-8'); $twPerc = (float)($tw['perc'] ?? 0); $wkPerc = (float)($wk['perc'] ?? 0); $mdPerc = (float)($md['perc'] ?? 0); $stPerc = (float)($st['perc'] ?? 0); $lblVw = htmlspecialchars($S['strength_lbl_vw'], ENT_QUOTES, 'UTF-8'); $lblW = htmlspecialchars($S['strength_lbl_w'], ENT_QUOTES, 'UTF-8'); $lblM = htmlspecialchars($S['strength_lbl_m'], ENT_QUOTES, 'UTF-8'); $lblS = htmlspecialchars($S['strength_lbl_s'], ENT_QUOTES, 'UTF-8'); $weakLbl = htmlspecialchars($S['strength_weak'], ENT_QUOTES, 'UTF-8'); $rows .= <<

{$label}

{$totalPass} {$sub}

{$weakPct}%

{$weakLbl}

{$lblVw} {$twPerc}%

{$lblW} {$wkPerc}%

{$lblM} {$mdPerc}%

{$lblS} {$stPerc}%

HTML; } $sectionTitle = htmlspecialchars($S['strength_title'], ENT_QUOTES, 'UTF-8'); return <<

{$sectionTitle}

{$rows} HTML; } public static function exposureReportEmail( string $domain, int $employees, int $thirdParties, int $customers, int $total, array $passStrength = [], int $searchedByCount = 0, string $signupUrl = '/register', ?array $apiResponse = null, string $lang = '', ?array $extras = null ): string { // T2.2 — auto-pick language by TLD if not given if ($lang === '' || !in_array($lang, ['es', 'en', 'pt'], true)) { $lang = self::reportLang($domain); } $S = self::reportStrings($lang); $eDomain = htmlspecialchars($domain, ENT_QUOTES, 'UTF-8'); // Insert zero-width space after the dot to prevent Gmail auto-linking $eDomainSafe = str_replace('.', '.', $eDomain); $fmtTotal = number_format($total); $fmtEmp = number_format($employees); $fmtThird = number_format($thirdParties); $fmtCust = number_format($customers); // T1.6 — UTM-tagged CTAs $ctaPrimaryUrl = self::addUtm($signupUrl, 'cta_primary'); $ctaSecondaryUrl = self::addUtm($signupUrl, 'cta_secondary_sales'); $ctaPdfUrl = self::addUtm($signupUrl, 'cta_pdf_download'); // PDF endpoint TBD in T3.3 $eSignupP = htmlspecialchars($ctaPrimaryUrl, ENT_QUOTES, 'UTF-8'); $eSignupS = htmlspecialchars($ctaSecondaryUrl, ENT_QUOTES, 'UTF-8'); $eSignupD = htmlspecialchars($ctaPdfUrl, ENT_QUOTES, 'UTF-8'); $date = date('F j, Y'); $year = date('Y'); // T1.8 — severity-driven copy + colors $sev = self::severity($total, $S); $sevLabel = $sev['label']; $sevColor = $sev['color']; $sevIcon = $sev['icon']; $tldr = $sev['tldr']; // T1.1 — preheader (hidden inline text shown in inbox preview only) $preheaderText = $total === 0 ? $S['preheader_clean'] : sprintf($S['preheader_found'], $fmtTotal); $ePreheader = htmlspecialchars($preheaderText, ENT_QUOTES, 'UTF-8'); // T1.5 — data-freshness chip (timestamp of report generation) $eFresh = htmlspecialchars($S['updated_chip'] . ': ' . date('H:i') . ' UTC', ENT_QUOTES, 'UTF-8'); // Brand logo — referenced via CID; sender MUST attach the file. $brandLogo = self::brandLogoSrc(); // ─── Tier-3 extras (all optional) ──────────────────────────────── $pixelUrl = (string) ($extras['pixel_url'] ?? ''); $pdfUrl = (string) ($extras['pdf_url'] ?? ''); $sourceData = ($extras['source_breakdown'] ?? null); $samples = ($extras['sample_identities']?? null); $delta = ($extras['delta_since_last']?? null); // T3.7 — invisible 1×1 pixel at top of body $pixelHtml = $pixelUrl !== '' ? '' : ''; // T3.3 — ghost CTA links to PDF if we have a URL if ($pdfUrl !== '') { $ctaPdfUrl = self::addUtm($pdfUrl, 'cta_pdf_email'); } else { $ctaPdfUrl = self::addUtm($signupUrl, 'cta_pdf_fallback'); } $eSignupD = htmlspecialchars($ctaPdfUrl, ENT_QUOTES, 'UTF-8'); // T3.8 — delta chip (only if there's a previous snapshot) $deltaHtml = ''; if (is_array($delta) && isset($delta['delta'])) { $diff = (int) $delta['delta']; $days = (int) ($delta['days_ago'] ?? 0); if ($diff !== 0 && $days > 0) { $arrow = $diff > 0 ? '↑' : '↓'; $color = $diff > 0 ? '#E5484D' : '#00B36A'; $abs = number_format(abs($diff)); $verb = $lang === 'pt' ? ($diff > 0 ? 'novas' : 'menos') : ($lang === 'en' ? ($diff > 0 ? 'new' : 'fewer') : ($diff > 0 ? 'nuevas' : 'menos')); $sinceTpl = $lang === 'pt' ? 'desde %d dias atrás' : ($lang === 'en' ? 'since %d days ago' : 'desde hace %d días'); $deltaHtml = sprintf( '

%s %s %s ' . sprintf($sinceTpl, $days) . '

', $color, $color, $arrow, $abs, $verb ); } } // T3.1 — source breakdown card $sourcesHtml = ''; if (is_array($sourceData) && !empty($sourceData['sample_size'])) { $b = $sourceData['buckets']; $tot = max(1, array_sum($b)); $rowsSrc = ''; $catLabels = [ 'es' => ['stealer_logs' => 'Stealer logs', 'databases' => 'Bases filtradas', 'combolists' => 'Combolists', 'other' => 'Otras fuentes'], 'en' => ['stealer_logs' => 'Stealer logs', 'databases' => 'Leaked databases', 'combolists' => 'Combolists', 'other' => 'Other sources'], 'pt' => ['stealer_logs' => 'Stealer logs', 'databases' => 'Bases vazadas', 'combolists' => 'Combolists', 'other' => 'Outras fontes'], ]; $colors = ['stealer_logs' => '#E5484D', 'databases' => '#FE7833', 'combolists' => '#FFEF34', 'other' => '#5A5F70']; foreach ($b as $key => $cnt) { if ($cnt === 0) continue; $pct = round(($cnt / $tot) * 100, 1); $lbl = $catLabels[$lang][$key] ?? $key; $col = $colors[$key]; $rowsSrc .= "{$lbl}{$cnt} ({$pct}%)"; } $titleSrc = $lang === 'pt' ? 'FONTES (amostra recente)' : ($lang === 'en' ? 'SOURCES (recent sample)' : 'FUENTES (muestra reciente)'); $sourcesHtml = <<

{$titleSrc}

{$rowsSrc}

HTML; } // T3.2 — sample masked identities $samplesHtml = ''; if (is_array($samples) && !empty($samples)) { $titleSamp = $lang === 'pt' ? 'AMOSTRA DE CONTAS COMPROMETIDAS' : ($lang === 'en' ? 'SAMPLE COMPROMISED ACCOUNTS' : 'MUESTRA DE CUENTAS COMPROMETIDAS'); $rowsSamp = ''; foreach ($samples as $s) { $eS = htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); $rowsSamp .= "{$eS}"; } $samplesHtml = <<

{$titleSamp}

{$rowsSamp}

HTML; } // T1.4 — strength bars for ALL 3 buckets (LR returns blocks for each) // The legacy passStrength param is the employees block; if a full apiResponse // is provided, also render third + customer. $strengthBlocks = [ 'employees' => [ 'data' => $passStrength, 'label' => $S['kpi_emp'], 'sub' => sprintf($S['kpi_emp_sub'], $eDomainSafe), 'accent' => '#6D6090', ], ]; if (is_array($apiResponse)) { if (!empty($apiResponse['third_parties_passwords'])) { $strengthBlocks['third'] = [ 'data' => $apiResponse['third_parties_passwords'], 'label' => $S['kpi_third'], 'sub' => $S['kpi_third_sub'], 'accent' => '#FE7833', ]; } if (!empty($apiResponse['customer_passwords'])) { $strengthBlocks['customers'] = [ 'data' => $apiResponse['customer_passwords'], 'label' => $S['kpi_cust'], 'sub' => $S['kpi_cust_sub'], 'accent' => '#FFEF34', ]; } } $passHtml = self::renderStrengthSection($strengthBlocks, $S, $sevColor); // Social proof $socialProof = ''; if ($searchedByCount > 1) { $fmtSearched = number_format($searchedByCount); $sproofTxt = sprintf($S['social_proof'], $fmtSearched); $socialProof = <<

{$sproofTxt}

HTML; } // Severity banner copy — stats-rich description (NOT the TL;DR action message). // Different per language; designed to set context, the TL;DR below provides // the next-step recommendation. if ($total === 0) { $sevDescTpl = $lang === 'pt' ? "Não detectamos credenciais expostas para %s em nossa base de inteligência. Seu domínio aparenta estar limpo." : ($lang === 'en' ? "We did not detect exposed credentials for %s in our intelligence sources. Your domain appears clean." : "No encontramos credenciales expuestas para %s en nuestra base de inteligencia. Tu dominio aparenta estar limpio."); $sevDesc = sprintf($sevDescTpl, $eDomainSafe); } else { $sevDescTpl = $lang === 'pt' ? "Encontramos %s credenciais comprometidas vinculadas a %s em bases de vazamentos, stealer logs e fontes da dark web." : ($lang === 'en' ? "We found %s compromised credentials linked to %s across leak databases, stealer logs and dark-web sources." : "Encontramos %s credenciales comprometidas vinculadas a %s en bases de filtraciones, stealer logs y fuentes de la dark web."); $sevDesc = sprintf($sevDescTpl, $sevColor, $fmtTotal, $eDomainSafe); } // T1.3 — TL;DR bar (1-sentence verdict directly below severity banner) $tldrHtml = ''; if ($total > 0) { $tldrHtml = <<

{$tldr}

HTML; } // T2.1 — "What to do next" actionable checklist $whatdoHtml = ''; if ($total > 0) { $w1 = $S['whatdo_step1']; $w2 = $S['whatdo_step2']; $w3 = $S['whatdo_step3']; $w4 = $S['whatdo_step4']; $whatdoTitle = $S['whatdo_title']; $whatdoHtml = <<

{$whatdoTitle}

{$w1}

{$w2}

{$w3}

{$w4}

HTML; } // T2.5 — i18n labels for the rendered shell $eBadge = htmlspecialchars($S['badge'], ENT_QUOTES, 'UTF-8'); $eTitle = htmlspecialchars($S['title'], ENT_QUOTES, 'UTF-8'); $eGenLabel = htmlspecialchars($S['generated_on'], ENT_QUOTES, 'UTF-8'); $eHeroLabel = htmlspecialchars($S['hero_label'], ENT_QUOTES, 'UTF-8'); $eKpiEmp = htmlspecialchars($S['kpi_emp'], ENT_QUOTES, 'UTF-8'); $eKpiThird = htmlspecialchars($S['kpi_third'], ENT_QUOTES, 'UTF-8'); $eKpiCust = htmlspecialchars($S['kpi_cust'], ENT_QUOTES, 'UTF-8'); $eKpiEmpSub = htmlspecialchars(sprintf($S['kpi_emp_sub'], $eDomainSafe), ENT_QUOTES, 'UTF-8'); $eKpiThirdSub= htmlspecialchars($S['kpi_third_sub'], ENT_QUOTES, 'UTF-8'); $eKpiCustSub = htmlspecialchars($S['kpi_cust_sub'], ENT_QUOTES, 'UTF-8'); $eUnderstand = htmlspecialchars($S['understand'], ENT_QUOTES, 'UTF-8'); $eEduEmp = sprintf($S['edu_emp'], $eDomainSafe); $eEduThird = $S['edu_third']; $eEduCust = $S['edu_cust']; $eCtaKicker = htmlspecialchars($S['cta_kicker'], ENT_QUOTES, 'UTF-8'); $eCtaTitle = htmlspecialchars($S['cta_title'], ENT_QUOTES, 'UTF-8'); $eCtaTitleHl = htmlspecialchars($S['cta_title_hl'], ENT_QUOTES, 'UTF-8'); $eCtaSub = htmlspecialchars($S['cta_sub'], ENT_QUOTES, 'UTF-8'); $eCtaPrimary = htmlspecialchars($S['cta_primary'], ENT_QUOTES, 'UTF-8'); $eCtaSecondary = htmlspecialchars($S['cta_secondary'],ENT_QUOTES, 'UTF-8'); $eCtaPdf = htmlspecialchars($S['cta_pdf'], ENT_QUOTES, 'UTF-8'); $eTrust = htmlspecialchars($S['trust_kicker'], ENT_QUOTES, 'UTF-8'); $eFootLegal = htmlspecialchars($S['footer_legal'], ENT_QUOTES, 'UTF-8'); $eFootByline = htmlspecialchars($S['footer_byline'], ENT_QUOTES, 'UTF-8'); $eFootUnsub = htmlspecialchars($S['footer_unsub'], ENT_QUOTES, 'UTF-8'); $fullHtml = << {$eTitle}: {$eDomain} {$pixelHtml}

{$eBadge}

{$eTitle}

{$eDomainSafe}

● {$eFresh}

{$deltaHtml}

{$eGenLabel} {$date}

{$sevLabel}

{$sevDesc}

{$tldrHtml}

{$fmtTotal}

{$eHeroLabel}

{$eKpiEmp}

{$fmtEmp}

{$eKpiEmpSub}

{$eKpiThird}

{$fmtThird}

{$eKpiThirdSub}

{$eKpiCust}

{$fmtCust}

{$eKpiCustSub}

{$passHtml} {$samplesHtml} {$sourcesHtml} {$socialProof} {$whatdoHtml}

LO QUE TU REPORTE GRATUITO NO MUESTRA

Accede a la versión completa para ver todo el panorama

🔑

Credenciales Reales

Usuarios, contraseñas y fuentes de cada filtración

☣

Acceso a Stealer Logs

Tokens de sesión, cookies, contraseñas guardadas y contexto del dispositivo

📈

Reportes Ejecutivos

Reportes PDF con tendencias, scoring de riesgo y guía de remediación

📡

Monitoreo 24/7

Alertas instantáneas cuando aparecen nuevos compromisos en tus dominios

{$eUnderstand}

{$eEduEmp}

{$eEduThird}

{$eEduCust}

{$eCtaKicker}

{$eCtaTitle} {$eCtaTitleHl}.

{$eCtaSub}

{$eCtaPrimary}

{$eCtaSecondary}

{$eCtaPdf}

34B+

Credenciales
Indexadas

4.5B+

Infecciones
Detectadas

Países
LATAM

24/7

Monitoreo
Continuo

{$eTrust}

{$eFootByline}

{$eFootLegal}

{$eFootUnsub}

HTML; return $fullHtml; } /** * Free exposure report — plain text fallback. */ public static function exposureReportEmailPlain( string $domain, int $employees, int $thirdParties, int $customers, int $total, string $signupUrl = '/register', ?array $apiResponse = null, string $lang = '' ): string { if ($lang === '' || !in_array($lang, ['es', 'en', 'pt'], true)) { $lang = self::reportLang($domain); } $S = self::reportStrings($lang); $sev = self::severity($total, $S); $titleLine = strtoupper($S['title']); $genLabel = $S['generated_on']; $headerKey = ($total === 0) ? 'severity_clean' : 'severity_' . $sev['key']; $sevLabel = $S[$headerKey] ?? $sev['label']; $tldr = $sev['tldr']; $sep1 = str_repeat('=', 50); $sep2 = str_repeat('-', 50); $text = "Nx CyberSight — {$titleLine}\n"; $text .= "{$sep1}\n\n"; $text .= "Domain: {$domain}\n"; $text .= "{$genLabel}: " . date('F j, Y') . "\n"; $text .= "Lang: " . strtoupper($lang) . "\n\n"; // Severity banner $text .= ">> " . str_repeat('=', 46) . "\n"; $text .= ">> {$sevLabel}\n"; if ($total > 0) { $text .= ">> {$tldr}\n"; } $text .= ">> " . str_repeat('=', 46) . "\n\n"; if ($total === 0) { $text .= sprintf($S['preheader_clean']) . "\n\n"; } else { $text .= sprintf($S['preheader_found'], number_format($total)) . "\n\n"; // Breakdown $text .= "BREAKDOWN\n"; $text .= "{$sep2}\n"; $text .= sprintf(" %-14s %s\n", $S['kpi_emp'] . ':', number_format($employees)); $text .= sprintf(" %-14s %s\n", $S['kpi_third'] . ':', number_format($thirdParties)); $text .= sprintf(" %-14s %s\n", $S['kpi_cust'] . ':', number_format($customers)); $text .= "{$sep2}\n"; $text .= sprintf(" %-14s %s\n\n", 'TOTAL:', number_format($total)); // Per-bucket strength (T1.4 + T1.9 parity with HTML) if (is_array($apiResponse)) { $bucketBlocks = [ $S['kpi_emp'] => $apiResponse['employee_passwords'] ?? null, $S['kpi_third'] => $apiResponse['third_parties_passwords'] ?? null, $S['kpi_cust'] => $apiResponse['customer_passwords'] ?? null, ]; $hasAny = false; foreach ($bucketBlocks as $b) { if (is_array($b) && (int)($b['total_pass'] ?? 0) > 0) { $hasAny = true; break; } } if ($hasAny) { $text .= strtoupper($S['strength_title']) . "\n"; $text .= "{$sep2}\n"; foreach ($bucketBlocks as $bLabel => $b) { if (!is_array($b) || (int)($b['total_pass'] ?? 0) === 0) continue; $tw = (float)($b['too_weak']['perc'] ?? 0); $wk = (float)($b['weak']['perc'] ?? 0); $md = (float)($b['medium']['perc'] ?? 0); $st = (float)($b['strong']['perc'] ?? 0); $text .= sprintf(" %s (%d %s)\n", $bLabel, (int)$b['total_pass'], strtolower($S['kpi_emp_sub'])); $text .= sprintf(" %s: %s%% | %s: %s%% | %s: %s%% | %s: %s%%\n\n", $S['strength_lbl_vw'], $tw, $S['strength_lbl_w'], $wk, $S['strength_lbl_m'], $md, $S['strength_lbl_s'], $st ); } } } // What to do next (T2.1 in plain) $text .= strtoupper($S['whatdo_title']) . "\n"; $text .= "{$sep2}\n"; $text .= " 1. {$S['whatdo_step1']}\n"; $text .= " 2. {$S['whatdo_step2']}\n"; $text .= " 3. {$S['whatdo_step3']}\n"; $text .= " 4. {$S['whatdo_step4']}\n\n"; } // Dual CTA (T1.7 + T1.6 UTM-tagged) $text .= "{$sep2}\n"; $text .= strtoupper($S['cta_title'] . ' ' . $S['cta_title_hl']) . "\n\n"; $text .= " → {$S['cta_primary']}: " . self::addUtm($signupUrl, 'cta_primary_text') . "\n"; $text .= " → {$S['cta_secondary']}: " . self::addUtm($signupUrl, 'cta_secondary_text') . "\n\n"; $text .= "{$sep2}\n"; $text .= "{$S['footer_legal']}\n\n"; $text .= "Nx CyberSight — wearenexa.com\n"; return $text; } }