When should I Flatten Attachments in an Email Trigger?

If I’m doing a Phishing Workflow, when should I set the flag to flatten attachments in the Email Trigger?
What are the benefits of doing it and what restrictions will I have if I set it or don’t set it?

I’d almost always flatten attachments honestly. It’s just easier to iterate over everything and look for indicators.

The only time I wouldn’t: If you know exactly what your email structure is coming in as. So when your user hits the Phish button, it forwards the malicious email as an attachment, and you know you’re always going to deal with the first attachment of that email.

(But even then, I’d probably flatten and just ignore the original email in the indicator analysis).

If you don’t set flatten, the emails will come in nested. So like

email -> attachment -> attachment of attachment -> file1, file2 etc...

if you flatten it will always look like

email -> attachment
      -> attachment of attachment
      -> file 1
      -> file 2

Does that help?

Actually, the case for not flattening attachments is when you’re dealing with a known email. So maybe I set up a workflow to process files, photos, or user on-boarding for example.

I could trigger that workflow with a particular attachment, and since I know exactly how that email looks coming in, I know exactly where to look in the attachment structures for the info I need.

I see how to parse out URLs and send them to VirusTotal, but how would I submit the email to something like JoeSandbox that needs a Base64? Would I use the Base64 Action on the body?

Interesting…I don’t think you can send an email that pops out of O365 or Gmail to JoeSandbox. We deconstruct the email to get it’s parts and then pass those out as output. I don’t think you can get at the email as a whole.

What JoeSandbox is expecting is for the workflow to send a base64 version of the whole .eml file.

It’s something we could add, but it would take a while, as it’d affect all our email plugins.

that is good to know, I will hold off on this for now and keep an eye out to see if it gets added in the future