Meioc (Mail Extractor IoC) is a Python script designed to analyze emails and extract indicators of compromise (IoC) in JSON format. It is a valuable tool for security analysts, system administrators, and anyone needing to investigate suspicious emails.
Meioc allows you to extract the following information from an email:
- Headers:
- From, Sender, X-Sender, To, Cc, Bcc, Envelope-to, Delivered-to, Return-Path, Subject, Date, User-Agent, X-Mailer, X-Originating-IP.
- Relay Information:
- Detailed server relay hops.
- IP addresses involved, with an option to exclude private IPs.
- Content Extraction:
- URLs found within the email.
- Extracted domains.
- Attachments with calculated hashes.
- Security Checks:
- SPF (Sender Policy Framework) validation.
- DKIM (DomainKeys Identified Mail) validation.
Meioc is a versatile tool with various applications in email analysis and security:
- Email Forensics: Investigate suspicious emails by extracting relay information, validating SPF/DKIM, and analyzing URLs or attachments.
- Threat Intelligence: Enrich threat intelligence by extracting indicators of compromise (IoCs) like file hashes, domains, and URLs.
- Incident Response: Accelerate response times by automating the analysis of suspicious emails and integrating results into incident workflows.
- Phishing Detection: Identify phishing campaigns by validating sender authenticity and detecting suspicious links or domains.
- Malware Analysis: Analyze potentially malicious attachments by extracting and verifying file hashes against known malware databases.
- SIEM Integration: Feed JSON output into SIEM tools to enhance email event correlation and automate threat detection.
- Compliance and Audit: Ensure email configurations comply with organizational policies by verifying SPF/DKIM and relay paths.
These are the default keys generated by Meioc, if the value does not exist a null is returned.
{
"filename": "filename.eml",
"from": null,
"sender": null,
"x-sender": null,
"to": null,
"cc": null,
"bcc": null,
"envelope-to": null,
"delivered-to": null,
"return-path": null,
"subject": null,
"date": null,
"user-agent": null,
"x-mailer": null,
"x-originating-ip": null,
"relay_full": null,
"relay_ip": null,
"spf": null,
"dkim": null,
"urls": null,
"domains": null,
"attachments": null
}
- Clone the repository:
git clone https://github.com/drego85/meioc.git
- Install the required dependencies:
pip install -r requirements.txt
- Run the tool:
python3 meioc.py
Make sure you have Python 3.x installed.
Run Meioc by providing an .eml email file as input:
python3 meioc.py email_in_analysis.eml
- --exclude-private-ip (-x): Excludes private IPs from the results.
- --spf (-s): Enables SPF validation.
- --dkim (-d): Enables DKIM validation.
- --output (-o): Path to save the results in JSON format.
Below is an example of the JSON output generated by Meioc when analyzing an email. This structured output is designed for further processing in automated pipelines or manual investigation by analysts.
{
"filename": "malspam.eml",
"from": "clienti2eurocompanysrl@example.it",
"sender": null,
"x-sender": null,
"to": {
"0": "info@example.com",
"1": "rossi.mario@example.com"
},
"cc": null,
"bcc": null,
"envelope-to": {
"0": "info@example.com",
"1": "rossi.mario@example.com"
},
"delivered-to": null,
"return-path": "clienti2eurocompanysrl@example.it",
"subject": "Conferma ordine",
"date": "Sun, 17 Feb 2019 09:33:23 +0100",
"user-agent": null,
"x-mailer": "PHPMailer 5.2.2-rc2",
"x-originating-ip": null,
"relay_full": {
"0": "[127.0.0.1] (helo=localhost)",
"1": "[123.123.111.111] (helo=dyl.example.kpk)",
"2": "h138-ipv4-70-58-178.example.com ([123.58.178.138]:60889)",
"3": "whm.example.com"
},
"relay_ip": {
"0": "123.123.111.111",
"1": "123.58.178.138",
},
"spf": false,
"dkim": false,
"urls": {
"0": "http://example.com/Clients_transactions/012019"
},
"domains": {
"0": "example.com"
},
"attachments": [
{
"filename": "f52-RICHIESTA.AVVISO-Conferma-199913-0000.n.03.2019-All.n.1_File-excel-.xls",
"MD5": "b011871621fb8e15edbc80eec2fb396e",
"SHA1": "8a7d2839645842f862da8ff3cb8af7b1d783e728",
"SHA256": "34669dde1e33ec96147540433f60e90056d38df1e3bb952fdc600e979d74f690"
}
]
}
There are two ways you can contribute to the development of meioc:
-
Development Contributions:
Please ensure that your code follows best practices and includes relevant tests.
-
Donation Support: If you find this project useful and would like to support its development, you can also make a donation via Buy Me a Coffee. Your support is greatly appreciated and helps to keep this project going!
This project is licensed under the GNU General Public License v3.0.