mail_to_misp

malicious mail attached to 'carrier' mail is not correctly analyzed.

Open begunrom opened this issue 6 years ago • 3 comments

Hi, I am testing mail2misp. I am sending a mail with another mail as attachment. The mail is successfully received in misp but the attached mail is seen as a file object. I would like the attachment to be analyzed and sent to misp (and the carrier mail to be ignored).

Is this possible?

I originally tried with an msg attachment (Outlook), then I tried with an eml attachment that I converted from the msg. I used both mail_to_misp.py and mail_to_misp_forward.py. The result was the same.

Am I doing something wrong?

begunrom, Nov 11 '19 09:11
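The behaviour begunrom reports, an attached .eml handled as an opaque file object, comes down to how the carrier mail's MIME tree is walked. As an added illustration (not mail_to_misp's own code), the following stand-alone Python walks a carrier mail and returns the attached mails instead of the carrier, covering both a real message/rfc822 part and a .eml that a client sent as a generic file; the sample mails are constructed inside the block.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

def attached_messages(part: EmailMessage) -> List[EmailMessage]:
    """Recursively collect every mail attached to `part`. Two shapes are handled
    because clients differ: a real message/rfc822 part (inner mail already parsed)
    and a .eml file sent as a generic attachment (e.g. application/octet-stream)
    whose decoded bytes must be parsed as a message. Outlook .msg is not handled."""
    if part.get_content_type() == "message/rfc822":
        return [part.get_payload(0)]           # the inner mail; do not descend further
    name = (part.get_filename() or "").lower()
    if not part.is_multipart() and name.endswith(".eml"):
        raw = part.get_payload(decode=True)    # undo base64 / quoted-printable
        return [email.message_from_bytes(raw, policy=policy.default)]
    found: List[EmailMessage] = []
    if part.is_multipart():
        for sub in part.iter_parts():
            found.extend(attached_messages(sub))
    return found

def messages_to_analyse(raw: bytes) -> List[EmailMessage]:
    """Mails worth analysing: the attachments when there are any (the carrier
    is then ignored), otherwise the mail itself."""
    carrier = email.message_from_bytes(raw, policy=policy.default)
    attached = attached_messages(carrier)
    return attached if attached else [carrier]

def build_carrier_sample() -> bytes:
    """Constructed sample: a carrier mail with one message/rfc822 attachment and
    one .eml that a client sent as an opaque application/octet-stream file."""
    inner_a, inner_b, carrier = EmailMessage(), EmailMessage(), EmailMessage()
    inner_a["Subject"], inner_a["From"] = "Invoice", "a@example.com"
    inner_a.set_content("Please open the attached invoice.")
    inner_b["Subject"], inner_b["From"] = "Reminder", "b@example.com"
    inner_b.set_content("Second sample.")
    carrier["Subject"], carrier["From"] = "FW: samples", "analyst@example.com"
    carrier.set_content("Carrier mail: analyse the attachments instead.")
    carrier.add_attachment(inner_a)                        # becomes message/rfc822
    carrier.add_attachment(inner_b.as_bytes(), maintype="application",
                           subtype="octet-stream", filename="Reminder.eml")
    return carrier.as_bytes()

def build_plain_sample() -> bytes:
    """Constructed sample with no attachment: the mail itself gets analysed."""
    plain = EmailMessage()
    plain["Subject"], plain["From"] = "Plain", "c@example.com"
    plain.set_content("No attachments here.")
    return plain.as_bytes()
```

Running `messages_to_analyse(build_carrier_sample())` yields the two attached mails (Invoice, Reminder) and drops the carrier, while a mail without attachments is returned as-is.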

Could you please try to forward the mail inline in the other mail and not as an attachment?

Currently, https://github.com/MISP/mail_to_misp/blob/d747ede23c94348c16468f1aa78062306cbe798e/mail_to_misp_config.py-example#L72 defines the known separators for forwarded mails.

Please try this and see if the forwarding separator matches the ones defined. Just add a new one if your mail client does it differently.

rommelfs, Nov 12 '19 08:11

I defined 'Carrier mail' as separator, but that does not make any difference. Please find attached a sample of a "carrier mail" with 2 eml attachments that I seek to process.

Full email (1).zip

begunrom, Nov 15 '19 11:11

Created pull request https://github.com/MISP/mail_to_misp/pull/38

begunrom, Nov 16 '19 15:11