Creating .eml from icon_email.json

Has anyone found an effective way of creating a .eml from the 365 Email plugin or the icon_email.json output in general? My only workaround so far has been creating a .html to analyze the email body in addition to extracting the URLs and attachments. Was looking for a clean .eml submission to provide our sandbox tool(s).

1 Like

Hey Eric!

I am sure you’ve already figured out a solution for this, so very sorry about not providing an answer when you asked. I just noticed your question and figured I would partner with AI and give it a go.

I was able to accomplish this using the Python Plugin.

Taking the Office 365 email plugin trigger output, I pass the icon_email variable to the Python step, and it provides a base64-encoded output. That along with the extension .eml will accomplish what you are looking for. You can see in my screenshot I am taking the trigger payload, passing to Python, and the output of base64 is what I am seeking.

If I take that download file into CyberChef we can see it decodes just fine.

I then took it into Outlook to attempt to view it by saving the decoded output with the .eml extension and we get the results from the screenshot below.

I’ve attached the workflow for you. It also has a loop in there to pull out attached CSV and convert to JSON. Not needed for your use case, but feel free to make it your own.

Office 365 email received trigger.icon (43.4 KB)
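The conversion described in the reply above, sketched as an added example (this is not the code from the attached workflow). The key names `sender`, `recipients`, `subject`, `date_received`, `body` and `attached_files` are assumptions about the icon_email object, and the sample message is constructed; every value is treated as untrusted input.

```python
import base64
from datetime import datetime
from email.message import EmailMessage
from email.policy import SMTP

# Constructed sample. Key names are assumptions; map them to your trigger's real output.
SAMPLE = {
    "sender": "billing@example.test",
    "recipients": ["analyst@example.test"],
    "subject": "Invoice\r\nBcc: hidden@example.test",  # CRLF smuggled into a header value
    "date_received": "2024-01-15T10:30:00Z",
    "body": "<html><body><a href='http://example.test/x'>Pay</a></body></html>",
    "attached_files": [{"filename": "../invoice.csv",
                        "content": base64.b64encode(b"a,b\n1,2\n").decode()}],
}

def clean(value):
    """Collapse CR/LF and other whitespace so untrusted text stays inside one header."""
    return " ".join(str(value or "").split())

def build_eml(icon_email):
    """Rebuild an RFC 5322 message (bytes) from the parsed email object."""
    msg = EmailMessage(policy=SMTP)
    if icon_email.get("sender"):
        msg["From"] = clean(icon_email["sender"])
    if icon_email.get("recipients"):
        msg["To"] = ", ".join(clean(r) for r in icon_email["recipients"])
    msg["Subject"] = clean(icon_email.get("subject"))
    try:
        stamp = str(icon_email.get("date_received", "")).replace("Z", "+00:00")
        msg["Date"] = datetime.fromisoformat(stamp)
    except ValueError:
        pass  # leave Date unset rather than guess
    body = icon_email.get("body") or ""
    looks_html = "<html" in body.lower() or "<body" in body.lower()
    msg.set_content(body, subtype="html" if looks_html else "plain")
    for item in icon_email.get("attached_files") or []:
        # Keep only the final path component of the sender-supplied name.
        name = clean(item.get("filename")).replace("\\", "/").rsplit("/", 1)[-1]
        msg.add_attachment(base64.b64decode(item.get("content") or ""),
                           maintype="application", subtype="octet-stream",
                           filename=name or "attachment.bin")
    return msg.as_bytes()

def build_eml_b64(icon_email):
    """Base64 text of the .eml, the form the post describes handing on."""
    return base64.b64encode(build_eml(icon_email)).decode("ascii")
```

The result is a message rebuilt from parsed fields, not the original message as delivered, so it carries only the headers written here.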

Thank you! I’ve essentially gone through with encoding the email body using the Base64 plugin and submitting that as an HTML file, which does serve part of the purpose but I think this Python would enable me to actually convert it to an .eml and submit it to a sandbox using office, so I really appreciate this.

Luckily we’re moving to a new malware analysis platform that will just host a mailbox so I’m hoping not to require too much more maintenance on breaking down the email json object in the near future.

1 Like