Email Attachments

(Eric) #1

Hello,

I’m new to StackStorm and currently in the “kicking the tires” phase. My primary use case is from a Security Operations perspective: using StackStorm to monitor a phishing inbox, pull down the attachment (.msg file), and extract fields within it to perform analysis.

I was wondering if anyone else is using StackStorm in a similar setup and if the email pack could truly pull down and extract a .msg file as well as any other attachments within the .msg file.

  1. Bob gets a phishing email and reports it to phishing@company.com.
  2. Phishing@company.com receives an email in the Inbox from Bob with a .msg attachment.
  3. StackStorm opens up the .msg file and sees that there is an attachment (.pdf) as well as some URLs in the body of the message.
  4. StackStorm pulls down the URLs and runs some Python scripts that perform URL lookups and security intelligence.
  5. StackStorm pulls the SHA256 hash of the attachment and performs similar hash lookups.
  6. StackStorm pulls the PDF file and uploads it to a sandbox for additional analysis.
  7. Depending on the outcome of the above actions, a ticket is opened up and/or an email sent to the reporter.
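The seven steps above describe a triage pipeline. The following added example (not from this thread and not Eric's script) shows the parsing core of steps 3 to 5 with Python's standard library: it constructs a sample report in which the forwarded mail is attached as message/rfc822 (an .eml; for Outlook .msg files a separate library such as extract_msg would be needed, which is an assumption here), then collects URLs from every text body and the SHA-256 of every file attachment, including those nested inside the attached message.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Plain http(s) URLs in body text; stops at whitespace and common delimiters.
URL_RE = re.compile(r"""https?://[^\s<>"'()\[\]]+""")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_report() -> bytes:
    """Constructed sample: Bob forwards a suspicious mail to the phishing inbox
    as an attached RFC822 message; that mail carries two URLs and a PDF."""
    inner = EmailMessage()
    inner["From"] = "sender@example.net"
    inner["Subject"] = "Invoice overdue"
    inner.set_content("Please review http://login.example.test/verify and https://example.test/doc")
    inner.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    outer = EmailMessage()
    outer["From"] = "bob@company.example"
    outer["To"] = "phishing@company.example"
    outer["Subject"] = "FW: suspicious"
    outer.set_content("Reporting this email.")
    outer.add_attachment(inner, filename="suspicious.eml")  # nests as message/rfc822
    return outer.as_bytes()


def triage_report(raw: bytes) -> dict:
    """Walk the report and every nested message; return the URLs and the
    attachment hashes that steps 4 and 5 would send to lookup services."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments, reported = [], [], []
    for part in msg.walk():  # walk() descends into message/rfc822 parts too
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            # The attached mail is the one Bob reported; record its subject.
            reported.append(str(part.get_payload(0)["Subject"]))
        elif part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""  # decoded file bytes
            attachments.append({"filename": part.get_filename(),
                                "size": len(data), "sha256": sha256_hex(data)})
        elif ctype in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
    return {"urls": urls, "attachments": attachments, "reported_subjects": reported}
```

Step 6 (sandbox upload) and step 7 (ticketing) would consume the `attachments` and `urls` lists this function returns.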

#2

The easiest way to find out if StackStorm can do it is to try it and find out.

That all looks possible with the email pack, and another integration pack for wherever you want to open a ticket (eg: the Jira pack for Jira issues, etc.).

#3

Hi Eric,
I’m looking to use StackStorm in the exact same way.
Have you progressed any further since you posted this? I’d be interested in hearing how you’ve gone so far.

thx
J.

(Eric) #4

Hey Jezk,

I actually ended up going away from StackStorm because it seemed to complicate things for me a little more than I wanted. The learning curve of the product is a tad cumbersome IMO, so I ended up just writing a Python script to do this completely separately from StackStorm and auto-integrate into ServiceNow.

The code can be found here: GitHub - ericl42/phishing (Monitors IMAP inboxes and analyzes files and URLs).

Hope that helps.

#5

Thanks for sharing your script Eric, looks pretty good, I might be able to make use of it as well.
I get your point about the learning curve. I’m pushing through that curve as I have a number of use cases where I can see a use for StackStorm, not just in the security space but in operations in general.
Thanks.