Skip to content

drego85/meioc

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

52 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Meioc

Version GPLv3 Python 3.7+

Meioc (Mail Extractor IoC) is a Python script designed to analyze emails and extract indicators of compromise (IoC) in JSON format. It is a valuable tool for security analysts, system administrators, and anyone needing to investigate suspicious emails.

Features

Meioc allows you to extract the following information from an email:

  • Headers:
    • From, Sender, X-Sender, To, Cc, Bcc, Envelope-to, Delivered-to, Return-Path, Subject, Date, User-Agent, X-Mailer, X-Originating-IP.
  • Relay Information:
    • Detailed server relay hops.
    • IP addresses involved, with an option to exclude private IPs.
  • Content Extraction:
    • URLs found within the email.
    • Extracted domains.
    • Attachments with calculated hashes.
  • Security Checks:
    • SPF (Sender Policy Framework) validation.
    • DKIM (DomainKeys Identified Mail) validation.

Use Cases

Meioc is a versatile tool with various applications in email analysis and security:

  1. Email Forensics: Investigate suspicious emails by extracting relay information, validating SPF/DKIM, and analyzing URLs or attachments.
  2. Threat Intelligence: Enrich threat intelligence by extracting indicators of compromise (IoCs) like file hashes, domains, and URLs.
  3. Incident Response: Accelerate response times by automating the analysis of suspicious emails and integrating results into incident workflows.
  4. Phishing Detection: Identify phishing campaigns by validating sender authenticity and detecting suspicious links or domains.
  5. Malware Analysis: Analyze potentially malicious attachments by extracting and verifying file hashes against known malware databases.
  6. SIEM Integration: Feed JSON output into SIEM tools to enhance email event correlation and automate threat detection.
  7. Compliance and Audit: Ensure email configurations comply with organizational policies by verifying SPF/DKIM and relay paths.

Default keys

These are the default keys generated by Meioc, if the value does not exist a null is returned.

{
    "filename": "filename.eml",
    "from": null,
    "sender": null,
    "x-sender": null,
    "to": null,
    "cc": null,
    "bcc": null,
    "envelope-to": null,
    "delivered-to": null,
    "return-path": null,
    "subject": null,
    "date": null,
    "user-agent": null,
    "x-mailer": null,
    "x-originating-ip": null,
    "relay_full": null,
    "relay_ip": null,
    "spf": null,
    "dkim": null,
    "urls": null,
    "domains": null,
    "attachments": null
}

Installation

  1. Clone the repository:
git clone https://github.com/drego85/meioc.git
  1. Install the required dependencies:
pip install -r requirements.txt
  1. Run the tool:
python3 meioc.py

Make sure you have Python 3.x installed.

Usage

Run Meioc by providing an .eml email file as input:

python3 meioc.py email_in_analysis.eml 

Key Options

  • --exclude-private-ip (-x): Excludes private IPs from the results.
  • --spf (-s): Enables SPF validation.
  • --dkim (-d): Enables DKIM validation.
  • --output (-o): Path to save the results in JSON format.

Sample Output

Below is an example of the JSON output generated by Meioc when analyzing an email. This structured output is designed for further processing in automated pipelines or manual investigation by analysts.

{
    "filename": "malspam.eml",
    "from": "[email protected]",
    "sender": null,
    "x-sender": null,
    "to": {
        "0": "[email protected]",
        "1": "[email protected]"
    },
    "cc": null,
    "bcc": null,
    "envelope-to": {
        "0": "[email protected]",
        "1": "[email protected]"
    },
    "delivered-to": null,
    "return-path": "[email protected]",
    "subject": "Conferma ordine",
    "date": "Sun, 17 Feb 2019 09:33:23 +0100",
    "user-agent": null,
    "x-mailer": "PHPMailer 5.2.2-rc2",
    "x-originating-ip": null,
    "relay_full": {
        "0": "[127.0.0.1] (helo=localhost)",
        "1": "[123.123.111.111] (helo=dyl.example.kpk)",
        "2": "h138-ipv4-70-58-178.example.com ([123.58.178.138]:60889)",
        "3": "whm.example.com"
    },
    "relay_ip": {
        "0": "123.123.111.111",
        "1": "123.58.178.138",
    },
    "spf": false,
    "dkim": false,
    "urls": {
        "0": "http://example.com/Clients_transactions/012019"
    },
    "domains": {
        "0": "example.com"
    },
    "attachments": [
        {
            "filename": "f52-RICHIESTA.AVVISO-Conferma-199913-0000.n.03.2019-All.n.1_File-excel-.xls",
            "MD5": "b011871621fb8e15edbc80eec2fb396e",
            "SHA1": "8a7d2839645842f862da8ff3cb8af7b1d783e728",
            "SHA256": "34669dde1e33ec96147540433f60e90056d38df1e3bb952fdc600e979d74f690"
        }
    ]
}

Contributing and Supporting the Project

There are two ways you can contribute to the development of meioc:

  1. Development Contributions:

    Please ensure that your code follows best practices and includes relevant tests.

  2. Donation Support: If you find this project useful and would like to support its development, you can also make a donation via Buy Me a Coffee. Your support is greatly appreciated and helps to keep this project going!

    Buy Me a Coffee

License

This project is licensed under the GNU General Public License v3.0.