Copyright © 2017 All Rights Reserved.

phishcracker - an .msg parser for SOC analysts


You work in a SOC. An email address was set up so employees can submit suspicious emails to your team for investigation. You need to triage whether an email is harmless spam or a malicious phishing email so you can respond to the threat quickly.


Written in Python, this tool extracts and parses email attachments (in .msg format) and collects information from various sources to aid in analysis (e.g., phishing investigation). The tool automates the following tasks:

  • parse an .msg file or scan a directory containing .msg files or an Outlook mailbox folder containing emails with .msg attachments
  • extract important SMTP headers from each .msg file
  • obtain blacklist information for each SMTP hop from various RBL sites
  • extract all URLs in the body of the email and in PDF attachments and submit them to various sites for analysis (e.g., VirusTotal, SenderBase)
  • extract all attachments of specified file types and do a hash lookup in VirusTotal or other malware analysis sites
  • respond to emails if a certain string or strings are found in the subject or email body
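The hop extraction and RBL check from the bullets above, as an added example rather than phishcracker's own code: Received: headers are parsed oldest-hop-first, each routable relay IP is reversed into a DNSBL query name, and the resolver is injectable so the logic can be exercised offline against a stub. The function names, SAMPLE_MSG and the zone names a caller passes in are assumptions for this example; the tool's extra name-server option (-n) is not modelled.

```python
import ipaddress
import re
import socket
from email import message_from_string
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY = re.compile(r"\bfrom\b.*?\bby\b", re.S)
# Internal and loopback relays are never listed, so they are not queried.
SKIP = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def hop_ip(received):
    # The receiving MTA records the peer's real address as the last bracketed
    # IP in the "from ... by" clause; an earlier one may be a forged HELO.
    clause = FROM_BY.search(received)
    ips = IPV4.findall(clause.group(0) if clause else received)
    return ips[-1] if ips else None

def extract_hops(raw_message):
    # MTAs prepend Received:, so header order is newest first; reversing it
    # gives the delivery path, oldest hop first.
    hdrs = message_from_string(raw_message).get_all("Received", [])
    return [ip for ip in reversed([hop_ip(h) for h in hdrs]) if ip]

def rbl_query_name(ip, zone):
    # DNSBL convention: octets reversed, zone appended (1.2.3.4 -> 4.3.2.1.zone).
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_resolve(name):
    # Live lookup: an A record (127.0.0.x) means listed, NXDOMAIN means clean.
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_hops(raw_message, zones, resolve=dns_resolve):
    # {relay IP: {zone: listing code}}; `resolve` is injectable for offline runs.
    report = {}
    for ip in extract_hops(raw_message):
        if any(ipaddress.ip_address(ip) in net for net in SKIP):
            continue
        hits = ((z, resolve(rbl_query_name(ip, z))) for z in zones)
        report[ip] = {z: code for z, code in hits if code}
    return report

# Constructed sample message (documentation-range IPs, nothing real).
SAMPLE_MSG = (
    "Received: from mail.example.net (mail.example.net [203.0.113.7])\n"
    "\tby mx.corp.example with ESMTPS; Mon, 24 Jul 2017 10:18:45 +0000\n"
    "Received: from [10.0.0.5] (unknown [198.51.100.23])\n"
    "\tby mail.example.net with ESMTP; Mon, 24 Jul 2017 10:18:40 +0000\n"
    "Received: from localhost (localhost [127.0.0.1]) by 10.0.0.5\n"
    "Subject: You have 1 new Payment.\n\n(body)\n")
```

Calling check_hops(SAMPLE_MSG, ("dnsbl.example",)) with the default resolver performs real DNS queries; pass a stub resolver to test the parsing without network access.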

At work, I use the tool to do the following:

  • submit request tickets for URL blocking to Cisco (reputation-based) and Palo Alto (re-categorization) as well as via our company's internal ticketing system (config-based blocking via change request)
  • submit a request ticket for email blocking/redirection
  • extract/analyze attachments and metadata to validate IOCs from threat intel
  • search Symantec Cloud's MessageLabs for recipients of similar emails to quickly assess the scope of a malspam/phishing campaign


Requirements:

  • Windows machine w/ MS Outlook installation (tested on Win7 + Outlook 2007/2013)
  • pywin32com client library. Download from here.
  • Outlook Redemption library. Download from here.
  • Other python imports (in the source code) - see this for help with the installation

Help Menu:

Usage: [-h] [-m [MAILBOX]] [-c [CACHEDIR]] [-i [INPUT]] [-b]
                       [-n [RBL_SERVERS [RBL_SERVERS ...]]] [-w] [-l] [-v]
A program that parses .msg files and displays various information such as smtp
hops w/ rbl blacklist status, embedded links w/url reputation, etc.
optional arguments:
  -h, --help            show this help message and exit
  -m [MAILBOX], --mailbox [MAILBOX]
                        Mailbox containing emails to read.
  -c [CACHEDIR], --cachedir [CACHEDIR]
                        Temporary folder to save msg attachments to. Defaults
                        to "phishcracker_attachments" folder in the current
  -i [INPUT], --input [INPUT]
                        .msg file, directory, or folder inside the Inbox
                        containing emails with .msg attachments. Use ":" to
                        specify complete mailbox path (e.g., "SOC:Phish
  -b, --blacklist-status
                        Determines the RBL blacklist status of each SMTP hop
                        from various DNS servers. Does not do a lookup by
  -n [RBL_SERVERS [RBL_SERVERS ...]], --rbl-servers [RBL_SERVERS [RBL_SERVERS ...]]
                        Additional name servers (DNS) to query for RBL
                        blacklist status.
  -w, --web-url-reputation
                        Does a lookup VirusTotal to determine the web URL
                        reputation of each embedded link.
  -l, --location-search
                        Searches to determine the country
                        location of an SMTP hop. Searching is disabled by
  -v, --verbose         Display verbose output in the screen.
  -f, --flagged         Skip non-flagged messages.
EXAMPLE: Parse all emails in "Mailbox - Mark Alvarez -> Phish" folder. "python -m "Mailbox - Mark Alvarez" -i Phish"

Sample Output:

>python -i Phish -m "Mailbox - Mark Alvarez" -bflw

Subject: "Phishing email received"
Forwarded By: on 07/24/17 10:56:31


   1.)"You have 1 new Payment..msg"
    Extracting attachment...
        Subject: "You have 1 new Payment."
        Date Sent: 07/24/17 10:18:45
        Sent By:
        X-Originating-IP: - RU
        Hops:  (IP - Location)
                  - RBL Blacklist Server:
              1. ( - US)
              2. - RU)
              3. - RU)
              4. - RU)
                  - ("Spam Received Recently See:")
                  - ("Spam Received See:")
                  - ("See")
                  - ("Spam Received withing last 12 months 
                  - ("IP is UCEPROTECT-Level 1 listed.
              5. ( - US)
              6. - US)
              7. (2a01:111:x:x::x)
                  (none - unknown)

Embedded links: (see full URLs: 
     < malicious:1 | Netcraft >

Done processing all emails in Mailbox - Mark Alvarez -> Phish
Elapsed Time: 181.927000046 seconds.

Source Code:

Get it from github.