Connect your mail infrastructure to MISP in order to create events based on the information contained within mails.
## m2m_attachment_keyword

You can send mails with attachments to mail_to_misp and tell it to treat the attachment as a benign document (in contrast to the default behaviour: treating it as a malware sample). You need to set a keyword in the configuration:

```python
m2m_attachment_keyword = 'attachment:benign'
```

Related configuration options: enforcewarninglist=True (enforce the MISP warning lists on the extracted attributes) and sighting=True together with sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER" (add sightings with that source). Auto-publishing when key:yourkey is specified in the mail is configurable through m2m_key and m2m_auto_distribution, described next.

## m2m_key

The m2m_key configuration is used to specify a secret only you and your users know. If you know the key, you can send a mail to your mail_to_misp instance, and when this key is present in the body of the message, it will automatically publish the event. So let's assume your config says:

```python
m2m_key = 'ABCDEFGHIJKLMN0PQRSTUVWXYZ'
```

If you send a mail to mail_to_misp containing:

```
key:ABCDEFGHIJKLMN0PQRSTUVWXYZ
```

the event is automatically published.

If you don't want to use this feature, just don't put it in the message body.

The distribution is defined in the configuration as well:

```python
m2m_auto_distribution = '3' # 3 = All communities
```
For OSINT collection purposes (like collecting URLs to OSINT reports), you can tell mail_to_misp to only extract URLs (--urlsonly) and append them to a predefined MISP event (--event N). The subject of such a mail goes into the comment field of the value.

Example alias:

```
osinturlcollection: "|/path/to/mail_to_misp.py --urlsonly --event 12345 -"
```
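As an added example (not code from the mail_to_misp project), the URL-only mode described above: a raw message is parsed with the standard library, the URLs in its body are collected once each, and each becomes a url attribute for the given event with the mail subject in the comment field. The sample message is constructed for this example, `urls_only_attributes` is an assumed name, and handing the attributes to MISP through PyMISP is left out.

```python
import email
import re
from email import policy

# Constructed sample message for this example (not a real mail).
SAMPLE_MAIL = """\
From: analyst@example.test
Subject: OSINT: new campaign report
Content-Type: text/plain; charset=utf-8

Full write-up at https://example.test/report-1.
Indicators also listed at https://example.test/iocs, see https://example.test/report-1 again.
"""

# http(s) URLs up to whitespace or a character that normally closes the URL
URL_RE = re.compile(r"\bhttps?://[^\s<>\"')\]]+", re.IGNORECASE)


def urls_only_attributes(raw_message, event_id):
    """Parse a raw RFC 5322 message and return the url attributes that
    --urlsonly --event <event_id> would append; the subject becomes the comment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""

    seen = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")   # sentence punctuation that followed the URL
        if url not in seen:       # one attribute per distinct URL
            seen.append(url)

    return [
        {"event_id": event_id, "type": "url", "value": url, "comment": subject}
        for url in seen
    ]


if __name__ == "__main__":
    for attribute in urls_only_attributes(SAMPLE_MAIL, 12345):
        print(attribute)
```

Each returned dictionary carries the fields a MISP url attribute needs; the comment is the same for every URL from one mail, which is what makes the subject line a useful short description of the report being collected.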
The message body can also carry directives of the form m2m:<parameter>:<value>:

```
m2m:<parameter>:<Value>
# Examples
m2m:attachment:benign           # Email attachment considered benign (attachment in MISP, malware-sample by default)
m2m:attach_original_mail:1      # Attach the full original email to the MISP Event (may contain private information)
m2m:m2mkey:YOUSETYOURKEYHERE    # Key required for some actions
# The following keys are ignored if m2m:m2mkey is invalid
m2m:distribution:<0-3,5>        # Note: impossible to pass a sharing group yet.
m2m:threat_level:<0-2>
m2m:analysis:<0-3>
m2m:publish:1                   # Autopublish
```
The implemented workflow is mainly for mail servers like Postfix. Client-side implementations exist but are no longer supported:

```
Email -> mail_to_misp
Email -> Outlook -> O365MISPClient -> mail_to_misp
Email -> Apple Mail -> Mail rule -> AppleScript -> mail_to_misp -> PyMISP -> MISP
Email -> Thunderbird -> Mail rule -> filterscript -> thunderbird_wrapper -> mail_to_misp -> PyMISP -> MISP
```

Add the following alias to your mail server's aliases file (/etc/aliases on a standard Postfix installation) and rebuild the alias database:

```
misp_handler: "|/path/to/mail_to_misp.py -"
```

```shell
$ sudo newaliases
```

You should now be able to send your IoC-containing mails to misp_handler@YOURDOMAIN.
If you want to process all incoming junk mails automatically and collect the contained information in a separate throw-away MISP instance, you can use the fake_smtp.py script. It listens on port 25, accepts all mails and pushes them through mail_to_misp to a MISP instance. It can also be configured to listen on an SSL port (465).

1. Configure mail_to_misp_config.py
2. Create the fake_smtp configuration from the example:

```shell
cp fake_smtp_config.py-example fake_smtp_config.py
```

3. Make port 25 accessible to normal users (authbind lets the unprivileged misp user bind the privileged port instead of running the script as root):

```shell
$ sudo apt install authbind
$ sudo touch /etc/authbind/byport/25
$ sudo chown misp:misp /etc/authbind/byport/25
$ sudo chmod 770 /etc/authbind/byport/25
```

4. Start the fake SMTP server:

```shell
$ python3 fake_smtp.py
```
The O365 client provides .load_o365_email and .process_o365_email_body. Run mail_to_misp_o365.py to get the last 1 day of messages:

```shell
$ python3 mail_to_misp_o365.py -nd 1
```

You should be able to create MISP events now.
Outlook is not implemented due to lack of a test environment. However, it should be feasible to do it this way:

```python
import win32com.client
import pythoncom


class Handler_Class(object):
    # Outlook calls this with a comma-separated list of EntryIDs of the new items
    def OnNewMailEx(self, receivedItemsIDs):
        for ID in receivedItemsIDs.split(","):
            # Microsoft.Office.Interop.Outlook _MailItem properties:
            # https://msdn.microsoft.com/en-us/library/microsoft.office.interop.outlook._mailitem_properties.aspx
            mailItem = outlook.Session.GetItemFromID(ID)
            print("Subj: " + mailItem.Subject)
            print("Body: " + mailItem.Body.encode('ascii', 'ignore').decode('ascii'))
            print("========")


# Attach the handler to the running Outlook instance and pump COM events until interrupted
outlook = win32com.client.DispatchWithEvents("Outlook.Application", Handler_Class)
pythoncom.PumpMessages()
```

(from: https://blog.matthewurch.ca/?p=236)

Obviously, you would like to filter mails based on subject or from-address and pass subject and body to mail_to_misp.py in order to do something useful. Pull requests welcome for actual implementations :)
```shell
pip install --user poetry
# Install other python requirements
poetry install -E fileobjects -E openioc -E virustotal -E email -E url
# Test if the script is working
./mail_to_misp.py -h
```
This software is licensed under GNU Affero General Public License version 3