Extracting IoC data from eMail

Meioc

Meioc (Mail Extractor IoC) is a Python 3 script that extracts indicators of compromise (IoC) from an e-mail message.

Meioc allows you to extract the following information from an e-mail, in JSON format:

  • From
  • Sender
  • X-Sender
  • To
  • Cc
  • Bcc
  • Envelope-to
  • Delivered-to
  • Return-Path
  • Subject
  • Date
  • User-Agent
  • X-Originating-IP
  • Relay Full
  • Relay IP (only the IP addresses found in the relay chain, with the option to exclude private IPs)
  • Urls
  • Domains
  • Attachments with hash
  • Check SPF record

Default keys

These are the default keys generated by Meioc; when a value is not present in the message, null is returned for that key.

{
    "filename": "filename.eml",
    "from": null,
    "sender": null,
    "x-sender": null,
    "to": null,
    "cc": null,
    "bcc": null,
    "envelope-to": null,
    "delivered-to": null,
    "return-path": null,
    "subject": null,
    "date": null,
    "user-agent": null,
    "x-originating-ip": null,
    "relay_full": null,
    "relay_ip": null,
    "spf": null,
    "urls": null,
    "domains": null,
    "attachments": null
}
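The following is an added example, not Meioc's own code: a minimal extractor that produces the same key layout from an .eml held in memory. It reads the address headers, walks the Received: chain for relay hosts and IPs (optionally dropping private and loopback ranges, as --exclude-private-ip does), collects URLs and their domains from the text parts, and hashes each attachment. The sample message, its hosts, addresses and IPs are constructed for this example; the "spf" key stays null here because a real SPF check needs a DNS lookup, which this offline example does not perform.

```python
import email
import email.utils
import hashlib
import ipaddress
import json
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (hosts, addresses and IPs are illustrative only).
SAMPLE_EML = b"""\
Return-Path: <billing@example.it>
Received: from whm.example.com ([123.58.178.138]:60889)
\tby mx.example.org with ESMTPS; Sun, 17 Feb 2019 09:33:30 +0100
Received: from [127.0.0.1] (helo=localhost)
\tby whm.example.com with ESMTP; Sun, 17 Feb 2019 09:33:25 +0100
From: billing@example.it
To: info@example.org, rossi.mario@example.org
Subject: Conferma ordine
Date: Sun, 17 Feb 2019 09:33:23 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset=utf-8

Please review http://example.net/Clients_transactions/012019 today.
--B1
Content-Type: application/vnd.ms-excel; name="order.xls"
Content-Disposition: attachment; filename="order.xls"
Content-Transfer-Encoding: base64

aGVsbG8=
--B1--
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
FROM_CLAUSE_RE = re.compile(r"\bfrom\s+(.+?)\s+by\b")  # the "from X by Y" part of Received:


def _indexed(values):
    """Multi-valued fields are rendered as {"0": ..., "1": ...}, like the output above."""
    return {str(i): v for i, v in enumerate(values)} if values else None


def _addresses(msg, name):
    """Bare addr-specs from every instance of an address header: one string, a dict, or None."""
    addrs = [a for _, a in email.utils.getaddresses([str(v) for v in msg.get_all(name, [])]) if a]
    if not addrs:
        return None
    return addrs[0] if len(addrs) == 1 else _indexed(addrs)


def _relays(msg, exclude_private_ip):
    """Origin-first relay hops from the Received: chain and the IPs seen in them."""
    hops, ips = [], []
    for value in reversed(msg.get_all("Received", [])):  # headers are newest-first; reverse them
        m = FROM_CLAUSE_RE.search(str(value))
        if m:
            hops.append(" ".join(m.group(1).split()))
    for hop in hops:
        for ip in IPV4_RE.findall(hop):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. "999.1.1.1" inside a hostname
                continue
            if exclude_private_ip and addr.is_private:  # covers RFC 1918, loopback and link-local
                continue
            if ip not in ips:
                ips.append(ip)
    return hops, ips


def _urls(msg):
    """URLs from text body parts (attachments are hashed, not scanned)."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the URL
            if url not in found:
                found.append(url)
    return found


def _attachments(msg):
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append({"filename": part.get_filename(),
                    "MD5": hashlib.md5(data).hexdigest(),
                    "SHA1": hashlib.sha1(data).hexdigest(),
                    "SHA256": hashlib.sha256(data).hexdigest()})
    return out or None


def extract(raw, filename, exclude_private_ip=False):
    msg = email.message_from_bytes(raw, policy=policy.default)
    single = lambda name: str(msg[name]) if msg[name] is not None else None
    relay_full, relay_ip = _relays(msg, exclude_private_ip)
    urls = _urls(msg)
    domains = []
    for u in urls:
        host = urlparse(u).hostname
        if host and host not in domains:
            domains.append(host)
    return {"filename": filename, "from": _addresses(msg, "From"), "sender": _addresses(msg, "Sender"),
            "x-sender": single("X-Sender"), "to": _addresses(msg, "To"), "cc": _addresses(msg, "Cc"),
            "bcc": _addresses(msg, "Bcc"), "envelope-to": _addresses(msg, "Envelope-to"),
            "delivered-to": _addresses(msg, "Delivered-to"), "return-path": _addresses(msg, "Return-Path"),
            "subject": single("Subject"), "date": single("Date"), "user-agent": single("User-Agent"),
            "x-originating-ip": single("X-Originating-IP"), "relay_full": _indexed(relay_full),
            "relay_ip": _indexed(relay_ip), "spf": None,  # SPF needs DNS; not done offline
            "urls": _indexed(urls), "domains": _indexed(domains), "attachments": _attachments(msg)}


if __name__ == "__main__":
    print(json.dumps(extract(SAMPLE_EML, "sample.eml", exclude_private_ip=True), indent=4))
```

Relay order matters for triage: Received: headers are prepended by each hop, so the example reverses them so that index 0 is the hop closest to the sender, as in the relay_full listing below. Only IPv4 literals are matched; an IPv6 relay would need a second pattern.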

To Do List

  • Support .msg files

Requirements

pip3 install -r requirements.txt

Example

python3 meioc.py --exclude-private-ip --spf malspam.eml

output:

{
    "filename": "malspam.eml",
    "from": "clienti2eurocompanysrl@example.it",
    "sender": null,
    "x-sender": null,
    "to": {
        "0": "info@example.com",
        "1": "rossi.mario@example.com"
    },
    "cc": null,
    "bcc": null,
    "envelope-to": {
        "0": "info@example.com",
        "1": "rossi.mario@example.com"
    },
    "delivered-to": null,
    "return-path": "clienti2eurocompanysrl@example.it",
    "subject": "Conferma ordine",
    "date": "Sun, 17 Feb 2019 09:33:23 +0100",
    "user-agent": null,
    "x-originating-ip": null,
    "relay_full": {
        "0": "[127.0.0.1] (helo=localhost)",
        "1": "[123.123.111.111] (helo=dyl.example.kpk)",
        "2": "h138-ipv4-70-58-178.example.com ([123.58.178.138]:60889)",
        "3": "whm.example.com"
    },
    "relay_ip": {
        "0": "123.123.111.111",
        "1": "123.58.178.138"
    },
    "spf": false,
    "urls": {
        "0": "http://example.com/Clients_transactions/012019"
    },
    "domains": {
        "0": "example.com"
    },
    "attachments": [
        {
            "filename": "f52-RICHIESTA.AVVISO-Conferma-199913-0000.n.03.2019-All.n.1_File-excel-.xls",
            "MD5": "b011871621fb8e15edbc80eec2fb396e",
            "SHA1": "8a7d2839645842f862da8ff3cb8af7b1d783e728",
            "SHA256": "34669dde1e33ec96147540433f60e90056d38df1e3bb952fdc600e979d74f690"
        }
    ]
}

License

GNU General Public License v3.0