Meioc (Mail Extractor IoC) is a Python 3 script that extracts indicators of compromise from an e-mail.
Meioc lets you extract the following information from an e-mail, in JSON format:
- From
- Sender
- X-Sender
- To
- Cc
- Bcc
- Envelope-to
- Delivered-to
- Return-Path
- Subject
- Date
- User-Agent
- X-Originating-IP
- Relay Full
- Relay IP (only the IPs involved, with the option of excluding private IPs)
- URLs
- Domains
- Attachments with hashes
- SPF record check
These are the default keys generated by Meioc; if a value does not exist, `null` is returned.
```json
{
"filename": "filename.eml",
"from": null,
"sender": null,
"x-sender": null,
"to": null,
"cc": null,
"bcc": null,
"envelope-to": null,
"delivered-to": null,
"return-path": null,
"subject": null,
"date": null,
"user-agent": null,
"x-originating-ip": null,
"relay_full": null,
"relay_ip": null,
"spf": null,
"urls": null,
"domains": null,
"attachments": null
}
```
- Support .msg files
```shell
pip3 install -r requirements.txt
python3 meioc.py --exclude-private-ip --spf malspam.eml
```
output:
```json
{
"filename": "malspam.eml",
"from": "[email protected]",
"sender": null,
"x-sender": null,
"to": {
"0": "[email protected]",
"1": "[email protected]"
},
"cc": null,
"bcc": null,
"envelope-to": {
"0": "[email protected]",
"1": "[email protected]"
},
"delivered-to": null,
"return-path": "[email protected]",
"subject": "Conferma ordine",
"date": "Sun, 17 Feb 2019 09:33:23 +0100",
"user-agent": null,
"x-originating-ip": null,
"relay_full": {
"0": "[127.0.0.1] (helo=localhost)",
"1": "[123.123.111.111] (helo=dyl.example.kpk)",
"2": "h138-ipv4-70-58-178.example.com ([123.58.178.138]:60889)",
"3": "whm.example.com"
},
"relay_ip": {
"0": "123.123.111.111",
"1": "123.58.178.138"
},
"spf": false,
"urls": {
"0": "http://example.com/Clients_transactions/012019"
},
"domains": {
"0": "example.com"
},
"attachments": [
{
"filename": "f52-RICHIESTA.AVVISO-Conferma-199913-0000.n.03.2019-All.n.1_File-excel-.xls",
"MD5": "b011871621fb8e15edbc80eec2fb396e",
"SHA1": "8a7d2839645842f862da8ff3cb8af7b1d783e728",
"SHA256": "34669dde1e33ec96147540433f60e90056d38df1e3bb952fdc600e979d74f690"
}
]
}
```
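To show how the extraction above works end to end (header fields, relay IPs pulled from the `Received` chain with private IPs filtered out, URLs and domains from the body, and hashes of attachments), here is an added, self-contained example written for this page. It is not Meioc's own code: it uses only the Python standard library, the sample message is constructed inline, the function names (`extract`, `relay_ips`, and so on) are this example's own, and the SPF lookup is left as `null` because it would need a live DNS query.

```python
"""Minimal e-mail IoC extractor in the spirit of Meioc (added example, not Meioc's code)."""
import email
import email.policy
import hashlib
import ipaddress
import json
import re
from urllib.parse import urlparse

# Constructed sample message for illustration only: two Received hops (one through
# a loopback relay), one URL in the body and one small attachment. Not a real mail.
SAMPLE_EML = b"""\
Received: from whm.example.com ([127.0.0.1] helo=localhost)
\tby mx.example.net with esmtp; Sun, 17 Feb 2019 09:33:25 +0100
Received: from h138-ipv4-70-58-178.example.com ([123.58.178.138]:60889)
\tby whm.example.com with esmtp; Sun, 17 Feb 2019 09:33:24 +0100
Return-Path: <sender@example.com>
From: sender@example.com
To: victim1@example.net, victim2@example.net
Subject: Conferma ordine
Date: Sun, 17 Feb 2019 09:33:23 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please review http://example.com/Clients_transactions/012019 today.
--BOUNDARY
Content-Type: application/vnd.ms-excel; name="invoice.xls"
Content-Disposition: attachment; filename="invoice.xls"
Content-Transfer-Encoding: base64

aGVsbG8=
--BOUNDARY--
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_eml(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage (modern policy unfolds headers)."""
    return email.message_from_bytes(raw, policy=email.policy.default)


def relay_ips(msg, exclude_private=True):
    """IPv4 addresses from the Received chain, oldest hop first, de-duplicated.
    Private/loopback addresses are dropped when exclude_private is set, which
    mirrors the --exclude-private-ip behaviour described above."""
    ips = []
    # Received headers are prepended by each MTA, so the last one is the oldest hop.
    for hop in reversed(msg.get_all("Received", [])):
        for ip in IPV4_RE.findall(str(hop)):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an IP
                continue
            if exclude_private and addr.is_private:
                continue
            if ip not in ips:
                ips.append(ip)
    return ips


def body_text(msg):
    """Concatenate all text/* parts that are not attachments."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text" and not p.is_attachment())


def urls_and_domains(msg):
    """Unique URLs found in the body, plus the hostnames they point at."""
    urls, domains = [], []
    for url in URL_RE.findall(body_text(msg)):
        url = url.rstrip(".,;)")  # trailing punctuation is prose, not part of the URL
        if url not in urls:
            urls.append(url)
        host = urlparse(url).hostname
        if host and host not in domains:
            domains.append(host)
    return urls, domains


def attachments(msg):
    """Filename and MD5/SHA1/SHA256 of every attachment (decoded from its transfer encoding)."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append({"filename": part.get_filename(),
                    "MD5": hashlib.md5(data).hexdigest(),
                    "SHA1": hashlib.sha1(data).hexdigest(),
                    "SHA256": hashlib.sha256(data).hexdigest()})
    return out


def extract(raw: bytes, filename="message.eml", exclude_private_ip=True):
    """Build a Meioc-style result dict; missing values come out as None (null in JSON)."""
    msg = parse_eml(raw)
    urls, domains = urls_and_domains(msg)

    def addrs(name):  # address headers -> list of bare addr-specs, or None
        hdr = msg[name]
        return [a.addr_spec for a in hdr.addresses] if hdr else None

    def text(name):  # any other header -> its unfolded value, or None
        return str(msg[name]) if msg[name] else None

    return_path = text("Return-Path")
    return {
        "filename": filename,
        "from": addrs("From"), "sender": addrs("Sender"), "to": addrs("To"),
        "cc": addrs("Cc"), "bcc": addrs("Bcc"),
        "return-path": return_path.strip().strip("<>") if return_path else None,
        "subject": text("Subject"), "date": text("Date"),
        "user-agent": text("User-Agent"), "x-originating-ip": text("X-Originating-IP"),
        "relay_full": [str(h) for h in msg.get_all("Received", [])] or None,
        "relay_ip": relay_ips(msg, exclude_private_ip) or None,
        "spf": None,  # a real SPF check needs a DNS TXT lookup; omitted in this offline example
        "urls": urls or None, "domains": domains or None,
        "attachments": attachments(msg) or None,
    }


if __name__ == "__main__":
    print(json.dumps(extract(SAMPLE_EML, "sample.eml"), indent=2))
```

Run it as-is to see the JSON for the constructed message; to process a real file, pass `open(path, "rb").read()` to `extract`. Hashing the decoded payload (`get_payload(decode=True)`) matters: hashing the base64 text instead would produce values that never match a sandbox or threat-intel lookup.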
GNU General Public License v3.0