
Email Attachments

Hello,

I’m new to StackStorm and currently in the “kicking the tires” phase. My primary use case is from a Security Operations perspective and using StackStorm to monitor a phishing inbox, pull down the attachment (.msg file), and extract fields within it to perform analysis.

I was wondering if anyone else is using StackStorm in a similar setup and if the email pack could truly pull down and extract a .msg file as well as any other attachments within the .msg file.

  1. Bob gets a phishing email and reports it to [email protected].
  2. [email protected] receives an email in the Inbox from Bob with a .msg attachment.
  3. StackStorm opens up the .msg file and sees that there is an attachment (.pdf) as well as some URLs in the body of the message.
  4. StackStorm pulls down the URLs and runs some Python scripts that perform URL lookups and security intelligence.
  5. StackStorm pulls the SHA256 hash of the attachment and performs similar hash lookups.
  6. StackStorm pulls the PDF file and uploads it to a sandbox for additional analysis.
  7. Depending on the outcome of the above actions, a ticket is opened up and/or an email sent to the reporter.
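Steps 2, 3 and 5 of the workflow above (open the reported message, find the attachment nested inside it, hash it and collect the URLs from the body) as an added Python example; this is not code from the original post or from the StackStorm email pack. It uses only the standard library `email` module and works on an RFC 822 message in which the phish is forwarded as a `message/rfc822` attachment; the sample message, its addresses and the attachment bytes are all constructed here. An Outlook `.msg` file is an OLE container rather than RFC 822 text, so it would first have to be unpacked with a library such as the msg-extractor fork mentioned later in the thread; the standard parser does not read it.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a PDF attachment; not a real PDF.
SAMPLE_PDF_BYTES = b"%PDF-1.4 sample attachment bytes"

# Pulls http/https URLs out of a text body; stops at whitespace, quotes and brackets.
URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    """Hash an attachment so it can be checked against threat-intel sources."""
    return hashlib.sha256(data).hexdigest()


def build_sample_report() -> bytes:
    """Construct Bob's report: a cover note with the phish attached as message/rfc822."""
    phish = EmailMessage()
    phish["From"] = "billing@example.net"   # constructed sender address
    phish["To"] = "bob@example.com"
    phish["Subject"] = "Invoice overdue"
    phish.set_content("See http://example.net/invoice or https://example.org/login?x=1")
    phish.add_attachment(SAMPLE_PDF_BYTES, maintype="application",
                         subtype="pdf", filename="invoice.pdf")

    report = EmailMessage()
    report["From"] = "bob@example.com"
    report["To"] = "phishing@example.com"
    report["Subject"] = "FW: Invoice overdue"
    report.set_content("This looks suspicious, please check.")
    report.add_attachment(phish)  # a Message object is wrapped as message/rfc822
    return bytes(report)


def analyze_message(raw: bytes) -> dict:
    """Walk every MIME part, including those nested inside an attached message,
    collecting URLs from text bodies and hashing file attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = set()
    attachments = []
    for part in msg.walk():
        # multipart/* and message/rfc822 are containers; walk() descends into them
        if part.is_multipart():
            continue
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            attachments.append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "size": len(data),
                "sha256": sha256_hex(data),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"urls": sorted(urls), "attachments": attachments}


if __name__ == "__main__":
    result = analyze_message(build_sample_report())
    for url in result["urls"]:
        print("URL:", url)
    for att in result["attachments"]:
        print(f"attachment {att['filename']} ({att['content_type']}, "
              f"{att['size']} bytes) sha256={att['sha256']}")
```

The URLs and hashes returned by `analyze_message` are what steps 4 and 5 would hand to the lookup scripts; note that the attachment is never written to disk or opened, only hashed, so the analysis host does not need to parse the file itself.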

The easiest way to find out if StackStorm can do it is to try it and find out.

That all looks possible with the email pack, and another integration pack for wherever you want to open a ticket (eg: the Jira pack for Jira issues, etc.).

Hi Eric,
I’m looking to use StackStorm in the exact same way.
Have you progressed any further since you posted this? I’d be interested in hearing how you’ve gone so far.

thx
J.

Hey Jezk,

I actually ended up going away from StackStorm because it seemed to complicate things for me a little more than I wanted them. The learning curve of the product is a tad cumbersome IMO, so I ended up just writing a Python script to do this completely separately from StackStorm and auto integrate into ServiceNow.

The code can be found here: GitHub - ericl42/phishing (Monitors IMAP inboxes and analyzes files and urls).

Hope that helps.

Thanks for sharing your script Eric, looks pretty good, I might be able to make use of it as well.
I get your point about the learning curve. I’m pushing through that curve as I have a number of use cases I can see use for StackStorm, not just in the security space but in operations in general.
Thanks.

Hey guys - just wanted to mention - check out the flanker library, it makes handling RFC 822 emails a lot easier. And check out my fork of the msg-extractor library - it’s going through sort of a refactor right now, but it deals with MAPI/OLE/.msg formatted emails. I use both of them with the email sensors in ST2 to do some phishing stuff and then send it to a SOAR platform.