glenn888 Posted December 12, 2013

Hello. Just registered in this community. May I ask someone who can give advice on how to export email attachments with specific file extensions? We are looking for possible phishing attempts from external emails that may have attachments which could be malicious. Thank you.

admin Posted December 12, 2013

Hi Glenn,

I am sure there is more than one way to do this. Here are 2 rough processes that should get you most of the way there...

1. Use the Location facet to load all sources
2. Use the Type facet to Include Email messages
3. Open the Column Chooser, select "Attachments" and "Type"
4. In the results view sort by "Attachments"
5. Highlight the items that have attachments of interest and tag.
6. Export items in that tag.
7. Optional based on need - Use Parent options to export only Top-Level parents.

A. Create a Keyword list with the extensions you are looking for: *.exe *.scr *.msi *.html *.htm *.XXX
B. Run the Keyword List
C. Use the Type facet to load all emails
D. Review the overlap Cluster between the KW list and the email Clusters using the "Attachments" Column.
E. Tag and export.
F. Save results as a saved search for reuse.

You will need to do some tweaking of these approaches to get it right. It will also require some visual review to select the attachment types of interest. Hope this helps.

glenn888 Posted December 15, 2013

Thank you for your reply. I think this will help a lot. Perhaps you can also show me the way to extract embedded URLs from emails to a CSV format and in this way it would be much easier to identify unusual URLs. Thanks again.

admin Posted December 15, 2013

Hi Glenn,

Extracting embedded URLs to a CSV: this will need some work between Intella and Excel or a Notepad++ type tool.

1. Export > Words > All Words in case
2. Open in Excel > Filter on the Text Field > select all and copy to new table
3. Search for @ select all and clear contents > This will get rid of email addresses...
4. Search for www select all and copy to new table
5. Search for .com select all and copy to new table - sure you could do a .net, .org, .co.uk all at the same time...
6. .........

This process does need some work to perfect. You could probably write a small Perl script or Notepad++ macro to do this for you... If you do, please share the results here so others can benefit along with you.

jmg1288 Posted March 21, 2019

Hello,

I too have found this procedure to be very helpful, but I have run into some issues with Excel locking up due to the amount of data. I am working with a large volume of emails >20,000, looking for possible phishing attempts. Has anyone had any success extracting URLs from emails using any other method? I am using Intella Viewer 2.2.1.

Thank you,
Josh

Kalin Posted March 28, 2019

Excel should not be abused for text processing 😄 AFAIR, Notepad++ supports PCRE, so it should be possible to filter URLs. For an example of a full URI PCRE, see https://stackoverflow.com/questions/161738/what-is-the-best-regular-expression-to-check-if-a-string-is-a-valid-url/190405#190405

You should also be able to run the Content Analysis facet with some regex for URLs, then export values. Hopefully the facet will some day support full PCRE.
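
Added example, not part of the original posts and not Intella functionality: a Python script that does the filtering steps discussed in this thread (skip email addresses, keep scheme and www URLs, write a CSV) while streaming the text line by line, so large exports do not need Excel. It assumes the exported text is plain text; the sample lines are constructed, and the pattern is a deliberately simpler one than the full URI PCRE linked above.

```python
import csv
import io
import re
from collections import Counter
from urllib.parse import urlsplit

# Scheme URLs and bare "www." hosts. The lookbehind stops matches that start
# inside an email address or a longer hostname (e.g. user@www.example.com).
URL_RE = re.compile(
    r"""(?<![\w@.-])(?:(?:https?|ftp)://|www\.)[^\s<>"'()\[\]]+""", re.IGNORECASE
)
TRAILING = ".,;:!?"  # punctuation that usually ends a sentence, not a URL


def extract_urls(lines):
    """Stream lines of text and count each distinct URL found."""
    counts = Counter()
    for line in lines:
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(TRAILING)
            if "://" not in url:  # bare www. host: assume http so it parses
                url = "http://" + url
            counts[url] += 1
    return counts


def to_csv(counts):
    """Return CSV text, one row per URL (host, url, count), sorted by host."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["host", "url", "count"])
    rows = [((urlsplit(u).hostname or ""), u, n) for u, n in counts.items()]
    writer.writerows(sorted(rows))
    return out.getvalue()


# Constructed sample input standing in for exported email text.
SAMPLE = [
    "Please verify your account at http://login.example.test/verify?id=42.",
    "Contact helpdesk@example.com or visit www.example.org/reset today",
    "Reminder: http://login.example.test/verify?id=42",
    '<a href="https://cdn.example.net/a.exe">invoice</a>',
]

if __name__ == "__main__":
    print(to_csv(extract_urls(SAMPLE)), end="")
```

Sorting by host groups look-alike domains together for review, and the count column shows which URLs recur across messages.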