Copyright © 2017 infosecscripts.org. All Rights Reserved.

phishcracker - an .msg parser for SOC analysts

Scenario:

You work in a SOC. An email address, phish@yourcompany.com, was set up so employees can submit suspicious emails to your team for investigation. You need to triage whether an email is harmless spam or a malicious phishing email so you can respond to the threat quickly.

Description:

Written in Python, this tool extracts and parses email attachments (in .msg format) and collects information from various sources to aid in analysis (e.g., phishing investigation). The tool automates the following tasks:

  • parse an .msg file or scan a directory containing .msg files or an Outlook mailbox folder containing emails with .msg attachments
  • extract important SMTP headers from each .msg file
  • obtain blacklist information for each SMTP hop from various RBL sites
  • extract all URLs in the body of the email and in PDF attachments and submit them to various sites for analysis (e.g., VirusTotal, SenderBase)
  • extract all attachments of specified file types and do a hash lookup in VirusTotal or other malware analysis sites
  • respond to emails if a certain string or strings are found in the subject or email body
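The three core steps above (walk the Received headers to recover the SMTP hops, query each hop against DNS-based blacklists, and pull URLs out of the body) can be shown on a plain RFC 822 message. The following is an added example written for this page, not phishcracker's own code: it assumes the .msg attachment has already been extracted to raw text (phishcracker does that through Outlook/Redemption), uses a constructed sample message with documentation IP ranges, and takes the DNSBL zones from the sample output further down. The resolver is injectable so the example runs offline against a stub table; swapping in `dns_resolver` performs real DNS queries.

```python
"""Triage helpers for a forwarded phishing report: SMTP hop extraction,
DNSBL (RBL) lookups and URL extraction. Constructed example, not phishcracker."""
import re
import socket
from email import message_from_string
from typing import Callable, Dict, List, Optional

# Constructed raw message standing in for an extracted .msg attachment.
# Each MTA prepends its own Received line, so the newest hop is listed first.
SAMPLE_RAW_EMAIL = """\
Received: from mx-in.example-corp.test (mx-in.example-corp.test [192.0.2.10])
\tby mail.example-corp.test with ESMTP id abc123
\tfor <phish@example-corp.test>; Mon, 24 Jul 2017 10:18:45 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx-in.example-corp.test with ESMTP
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby relay.example.net with SMTP
From: info.pay@example.net
Subject: You have 1 new Payment.
Content-Type: text/plain

Please review your payment at http://example.org/a2 and
https://login.example.net/verify?id=1
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# DNSBL zones taken from the page's sample output.
DEFAULT_RBL_ZONES = ("spam.dnsbl.sorbs.net", "all.s5h.net", "dnsbl-1.uceprotect.net")

Resolver = Callable[[str], Optional[str]]


def parse_hops(raw: str) -> List[str]:
    """Return the connecting IP of every SMTP hop in delivery order (origin first).
    The first IPv4 literal in a Received header is the client that connected to
    that MTA; headers are newest-first, so the list is reversed."""
    msg = message_from_string(raw)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        match = IPV4_RE.search(received)
        if match:
            hops.append(match.group(1))
    return hops


def rbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the octets and append the zone, so 85.142.70.3
    checked against zone Z is the A-record query 3.70.142.85.Z."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_resolver(name: str) -> Optional[str]:
    """Live resolver (network access): an A record means 'listed', NXDOMAIN means not."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_rbl(ip: str, zones=DEFAULT_RBL_ZONES, resolver: Resolver = dns_resolver) -> Dict[str, str]:
    """Map each zone that lists the IP to the returned code. Only answers inside
    127.0.0.0/8 count: a resolver that redirects NXDOMAIN to a search page would
    otherwise make every hop look blacklisted."""
    listings = {}
    for zone in zones:
        answer = resolver(rbl_query_name(ip, zone))
        if answer and answer.startswith("127."):
            listings[zone] = answer
    return listings


def extract_urls(raw: str) -> List[str]:
    """Collect unique http(s) URLs from every text/plain part, in order of appearance."""
    msg = message_from_string(raw)
    urls: List[str] = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() != "text/plain":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            if url not in urls:
                urls.append(url)
    return urls


def triage(raw: str, resolver: Resolver = dns_resolver) -> dict:
    """Hops, per-hop blacklist hits (only hops with at least one listing) and URLs."""
    hops = parse_hops(raw)
    listed = {}
    for ip in hops:
        hits = check_rbl(ip, resolver=resolver)
        if hits:
            listed[ip] = hits
    return {"hops": hops, "listed": listed, "urls": extract_urls(raw)}


# Constructed stub answers so the example runs offline: the origin hop is "listed"
# by two zones; every other query name is treated as NXDOMAIN.
STUB_ANSWERS = {
    "5.113.0.203.spam.dnsbl.sorbs.net": "127.0.0.2",
    "5.113.0.203.all.s5h.net": "127.0.0.2",
}


def stub_resolver(name: str) -> Optional[str]:
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    report = triage(SAMPLE_RAW_EMAIL, resolver=stub_resolver)
    for i, ip in enumerate(report["hops"], 1):
        print(f"{i}. {ip} {report['listed'].get(ip, {})}")
    print("Embedded links:", report["urls"])
```

Each zone publishes its own meaning for the returned 127.0.0.x code, so a real tool should decode the answer per zone rather than treat every hit the same; the origin hop is the one worth weighting most, since everything after it is your own or your mail provider's infrastructure.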

At work, I use the tool to do the following:

  • submit request tickets for URL blocking to Cisco (reputation-based) and Palo Alto (re-categorization) as well as via our company's internal ticketing system (config-based blocking via change request)
  • submit a request ticket for email blocking/redirection
  • extract/analyze attachments and metadata to validate IOCs from threat intel
  • search Symantec Cloud's messagelabs for recipients of similar emails to quickly assess the scope of malspam/phishing campaign

Requirements:

  • Windows Machine w/ MS Outlook installation (tested on Win7 + Outlook 2007/2013)
  • pywin32com client library. Download from here.
  • Outlook Redemption library. Download from here.
  • Other Python imports (in the source code) - see this for help with the installation

Help Menu:

Usage: phishcracker.py [-h] [-m [MAILBOX]] [-c [CACHEDIR]] [-i [INPUT]] [-b]
                       [-n [RBL_SERVERS [RBL_SERVERS ...]]] [-w] [-l] [-v]
                       [-f]
 
A program that parses .msg files and displays various information such as smtp
hops w/ rbl blacklist status, embedded links w/url reputation, etc.
 
optional arguments:
  -h, --help            show this help message and exit
  -m [MAILBOX], --mailbox [MAILBOX]
                        Mailbox containing emails to read.
  -c [CACHEDIR], --cachedir [CACHEDIR]
                        Temporary folder to save msg attachments to. Defaults
                        to "phishcracker_attachments" folder in the current
                        directory.
  -i [INPUT], --input [INPUT]
                        .msg file, directory, or folder inside the Inbox
                        containing emails with .msg attachments. Use ":" to
                        specify complete mailbox path (e.g., "SOC:Phish
                        Submissions:Unprocessed":
  -b, --blacklist-status
                        Determines the RBL blacklist status of each SMTP hop
                        from various DNS servers. Does not do a lookup by
                        default.
  -n [RBL_SERVERS [RBL_SERVERS ...]], --rbl-servers [RBL_SERVERS [RBL_SERVERS ...]]
                        Additional name servers (DNS) to query for RBL
                        blacklist status.
  -w, --web-url-reputation
                        Does a lookup VirusTotal to determine the web URL
                        reputation of each embedded link.
  -l, --location-search
                        Searches http://ipinfo.io to determine the country
                        location of an SMTP hop. Searching is disabled by
                        default.
  -v, --verbose         Display verbose output in the screen.
  -f, --flagged         Skip non-flagged messages.
 
EXAMPLE: Parse all emails in "Mailbox - Mark Alvarez -> Phish" folder. "python
phishcracker.py -m "Mailbox - Mark Alvarez" -i Phish"

Sample Output:

>python phishcracker.py -i Phish -m "Mailbox - Mark Alvarez" -bflw

Subject: "Phishing email received"
Forwarded By: xxxx@xxxx.com on 07/24/17 10:56:31

Attachments:

   1.)"You have 1 new Payment..msg"
    Extracting attachment...
        Subject: "You have 1 new Payment."
        Date Sent: 07/24/17 10:18:45
        Sent By: info.pay@west.com
        X-Env-Sender: info.pay@west.com
        Reply-To: 
        Return-Path: info.pay@west.com
        X-Originating-IP: 85.142.70.3 - RU
        Hops:  (IP - Location)
                  - RBL Blacklist Server:
              1. [154.16.49.167](154.16.49.167 - US)
              2. ais.khstu.ru(85.142.70.201 - RU)
              3. mail.khstu.ru(85.142.70.15 - RU)
              4. ns1.khstu.ru(85.142.70.3 - RU)
                  - recent.spam.dnsbl.sorbs.net: ("Spam Received Recently See:
                      http://www.sorbs.net/lookup.shtml?85.142.70.3")
                  - spam.dnsbl.sorbs.net: ("Spam Received See:
                      http://www.sorbs.net/lookup.shtml?85.142.70.3")
                  - all.s5h.net: ("See http://s5h.net/rbl")
                  - old.spam.dnsbl.sorbs.net: ("Spam Received withing last 12 months
                      See: http://www.sorbs.net/lookup.shtml?85.142.70.3")
                  - dnsbl-1.uceprotect.net: ("IP 85.142.70.3 is UCEPROTECT-Level 1 listed.
                      See http://www.uceprotect.net/rblcheck.php?ipr=85.142.70.3")
              5. [216.82.242.38](216.82.242.38 - US)
              6. mail6.bemta8.messagelabs.com(216.82.243.55 - US)
              7. SY3AUS01FT012.eop-AUS01.prod.protection.outlook.com (2a01:111:x:x::x)
                  (none - unknown)
              8. MEXPR01CA0116.ausprd01.prod.outlook.com(x.x.x.x)
              9. MEXPR01MB1750.ausprd01.prod.outlook.com(x.x.x.x)

Embedded links: (see full URLs:
                \phishcracker_output\phishcracker_embeddedlinks_1500885495.94.txt")
              http://marcomatteo.duia.us/a2 < malicious:1 | Netcraft >


Done processing all emails in Mailbox - Mark Alvarez -> Phish
Elapsed Time: 181.927000046 seconds.

Source Code:

Get it from github.