
MSG (created by Microsoft Outlook)

Description

The MSG file format is a proprietary format used by Microsoft Outlook to store individual email messages and possibly other Outlook items. These files are typically created when a user saves an email or other Outlook item to disk from within the Outlook application. While the format is primarily meant for archiving, .msg files open directly on Windows systems, which is why they are also seen carrying malicious content. This backend extracts the data from such files (headers, recipients, bodies and attachments) for further inspection.

Note: Available in Contextal Platform 1.0 and later.

Symbols

Object

  • LIMITS_REACHED → limits triggered while processing the message archive

Children

  • TOOBIG → this part was not extracted as it exceeds the limits
  • CORRUPTED → the MSG structure presents errors preventing proper extraction of the child object
  • MSG_TEXT_BODY → a plaintext body is present
  • MSG_RTF_BODY → an RTF body is present
  • MSG_HTML_BODY → an HTML body is present
  • CRTF_CRC_MISMATCH → the CRC stored in the header of the compressed RTF (CRTF) body does not match the body data, i.e. the body is corrupted or was tampered with
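The CRTF_CRC_MISMATCH symbol refers to the integrity check built into Outlook's compressed RTF format (MS-OXRTFCP). The following is an added example, not code from Contextal or from this page, showing how that check works: it parses the 16-byte CRTF header, recomputes the CRC over the payload with the variant the format uses (initial value 0, no final XOR, which differs from zlib's CRC-32), and reports whether the stored value matches. The `build_crtf` helper and its sample payload are constructed for the demonstration; the payload is not really LZ-compressed, only the framing and the CRC are exercised.

```python
import struct
import zlib

# Compressed RTF (MS-OXRTFCP) framing, as used for the RTF body of an MSG.
# The 16-byte header is:
#   COMPSIZE (u32 LE)  size of everything that follows this field
#   RAWSIZE  (u32 LE)  size of the RTF text after decompression
#   COMPTYPE (4 bytes) b"LZFu" = LZ-compressed, b"MELA" = stored uncompressed
#   CRC      (u32 LE)  CRC-32 of the bytes after the header (0 for MELA)
HEADER = struct.Struct("<II4sI")
COMPRESSED_MAGIC = b"LZFu"
UNCOMPRESSED_MAGIC = b"MELA"


def crtf_crc32(data: bytes) -> int:
    """CRC-32 as specified by MS-OXRTFCP: reflected polynomial 0xEDB88320,
    initial value 0 and no final XOR (zlib/PKZIP use 0xFFFFFFFF for both)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc


def crtf_crc32_via_zlib(data: bytes) -> int:
    """Same value obtained from zlib: zlib inverts the seed before and the result
    after processing, so seeding with 0xFFFFFFFF and inverting once more cancels both."""
    return zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF


def parse_crtf_header(blob: bytes) -> dict:
    """Split the header fields out of a compressed RTF blob; raises on a body
    too short to carry a header or with an unknown COMPTYPE."""
    if len(blob) < HEADER.size:
        raise ValueError("compressed RTF body shorter than its 16-byte header")
    comp_size, raw_size, comp_type, crc = HEADER.unpack_from(blob)
    if comp_type not in (COMPRESSED_MAGIC, UNCOMPRESSED_MAGIC):
        raise ValueError(f"unknown COMPTYPE {comp_type!r}")
    return {"comp_size": comp_size, "raw_size": raw_size,
            "comp_type": comp_type, "crc": crc}


def crtf_crc_matches(blob: bytes) -> bool:
    """True when the stored CRC matches the payload; False is the condition
    under which a backend would report a symbol like CRTF_CRC_MISMATCH."""
    hdr = parse_crtf_header(blob)
    payload = blob[HEADER.size:]
    if hdr["comp_type"] == UNCOMPRESSED_MAGIC:
        return hdr["crc"] == 0          # MELA bodies carry no CRC
    return crtf_crc32(payload) == hdr["crc"]


def build_crtf(payload: bytes, raw_size: int, *, compressed: bool = True,
               tamper: bool = False) -> bytes:
    """Frame a payload as a compressed RTF blob (constructed for this demo: the
    payload is not LZ-compressed, only header and CRC are exercised).
    COMPSIZE counts the 12 remaining header bytes plus the payload."""
    comp_type = COMPRESSED_MAGIC if compressed else UNCOMPRESSED_MAGIC
    crc = crtf_crc32(payload) if compressed else 0
    if tamper:
        crc ^= 0x00000001               # simulate a corrupted/edited header
    return HEADER.pack(12 + len(payload), raw_size, comp_type, crc) + payload


if __name__ == "__main__":
    sample = b"constructed payload, not real LZ data"    # constructed input
    good = build_crtf(sample, raw_size=43)
    print("intact body CRC ok:", crtf_crc_matches(good))
    print("tampered header CRC ok:", crtf_crc_matches(build_crtf(sample, 43, tamper=True)))
    flipped = good[:-1] + bytes([good[-1] ^ 0xFF])        # one payload byte altered
    print("altered payload CRC ok:", crtf_crc_matches(flipped))
```

A mismatch is worth a closer look rather than an automatic verdict: truncated or re-saved files also trip it, but so does an RTF body that was edited after the header was written, so the symbol pairs well with the other body and attachment metadata when triaging a sample.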

Example Metadata

{
  "org": "ctx",
  "object_id": "2243649c022ed0bda7cad98b4a976f40891cb3a1072db4b459c2fb73b753d600",
  "object_type": "MSG",
  "object_subtype": null,
  "recursion_level": 1,
  "size": 125952,
  "hashes": {
    "sha256": "2243649c022ed0bda7cad98b4a976f40891cb3a1072db4b459c2fb73b753d600",
    "md5": "f7813b6d52b6fc02bece1c63cbe341be",
    "sha1": "78cd66fbccbe3b111ce120fff433ed6e70082f6b",
    "sha512": "cea767abe3d07d31bb6a66afb57e26393e17d3955a4d5b6ba7c3a944a3d74adcb363db56685542dcd070625451fb3d4dda80b170ed06248c617e478e74efa87e"
  },
  "ctime": 1727715322.335515,
  "ok": {
    "symbols": [],
    "object_metadata": {
      "_backend_version": "1.0.0",
      "attachments_by_ref": [],
      "from": "Account_payable-Remittance_Transfer 7c1f4bc540f0a05b137807c887dcf5e285fc51e8 <Account_payable-Remittance_Transfer.NPXZfLqcBrjyHKtrXLdZVxMgnoJWYmtdgCFqPwvLXnCYkgDsTaRmJFnHPKvTxLmbUVNpx********customercare@******.com>",
      "has_html_body": false,
      "has_rtf_body": false,
      "has_text_body": false,
      "headers": [
        [
          "from",
          "\"Account_payable-Remittance_Transfer 7c1f4bc540f0a05b137807c887dcf5e285fc51e8\" <Account_payable-Remittance_Transfer.NPXZfLqcBrjyHKtrXLdZVxMgnoJWYmtdgCFqPwvLXnCYkgDsTaRmJFnHPKvTxLmbUVNpx********customercare@******.com>"
        ],
        [
          "to",
          "jlaz***********es.com"
        ],
        [
          "subject",
          "Inward Remittance - 9/26/2024 Ref:7c1f4bc540f0a05b137807c887dcf5e285fc51e8"
        ],
        [
          "message-id",
          "<305dddfd-08af-6e30-9acb-3efdbc2b8676@*****s.com>"
        ],
        [
          "return-path",
          " Account_payable-Remittance_Transfer.NPXZfLqcBrjyHKtrXLdZVxMgnoJWYmtdgCFqPwvLXnCYkgDsTaRmJFnHPKvTxLmbUVNpx********customercare@******.com>"
        ]
      ],
      "is_embedded": false,
      "n_attachments": 1,
      "recipients": [
        {
          "email": "jla*************s.com",
          "kind": "To",
          "name": "J***********i"
        }
      ]
    },
    "children": [
      {
        "org": "ctx",
        "object_id": "ec0998e71e64960ced75291893b1622f894cee29577644cc7513b958e9d17cc8",
        "object_type": "HTML",
        "object_subtype": null,
        "recursion_level": 2,
        "size": 2614,
        "hashes": {
          "sha512": "038b3b317598d6f410cbcf146687a8c1ee8e8bd861791b8a3f835de4a199e93651d3abcb29e00fcc69342f79bb08e7dc59f4ada270a5f31c38ac5ab16ba7a6f6",
          "md5": "1cc304a7a45f0cca4e604238ecc29a6f",
          "sha256": "ec0998e71e64960ced75291893b1622f894cee29577644cc7513b958e9d17cc8",
          "sha1": "f01841bc33ab0ecef012b4fc8d45d873db2ca953"
        },
        "ctime": 1727715322.335515,
        "relation_metadata": {
          "mime_type": "text/plain",
          "name": "Inward Remittance_(J*******i)CQDM.html"
        },
        "ok": {
          "symbols": [],
          "object_metadata": {
            "_backend_version": "1.0.0",
            "encoding": "utf-8",
            "forms": [],
            "href": [],
            "img_data_src": [],
            "img_src": [],
            "input_types": [],
            "scripts": [],
            "tag_count": 8,
            "tag_counters": {
              "b": 2,
              "li": 1,
              "nav": 1,
              "script": 4
            },
            "unique_hosts": []
          },
          "children": []
        }
      }
    ]
  }
}

Example Queries

object_type == "MSG"
  && @count_children() == 1
  && @has_child(object_type == "HTML"
       && @match_object_meta($tag_counters.script > 0)
       && !@has_child(object_type == "Text")
  )
  • This query matches an MSG object that has exactly one child, of type HTML, which contains scripts but from which no text was extracted (so we can assume the page is rendered entirely by JavaScript, which could be considered very phishy behavior).
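To make the semantics of the query above concrete, here is an added Python rendering of the same rule evaluated against the backend's JSON report. This is example code written for this page, not part of Contextal Platform and not its query engine; it assumes that `@has_child` inspects direct children only, as the query reads, and that children and object metadata sit under the `ok` envelope as in the metadata shown above. The embedded report is a constructed sample trimmed from the one printed earlier, keeping only the fields the rule consults.

```python
import json

# Constructed sample: the backend report shown above, trimmed to the fields the
# example query consults (object types, the "ok" envelope, tag counters).
SAMPLE_REPORT = json.loads("""
{
  "object_type": "MSG",
  "ok": {
    "symbols": [],
    "object_metadata": {"has_html_body": false, "has_text_body": false, "n_attachments": 1},
    "children": [
      {
        "object_type": "HTML",
        "relation_metadata": {"mime_type": "text/plain",
                              "name": "Inward Remittance_(J*******i)CQDM.html"},
        "ok": {
          "symbols": [],
          "object_metadata": {"tag_count": 8, "href": [], "scripts": [],
                              "tag_counters": {"b": 2, "li": 1, "nav": 1, "script": 4}},
          "children": []
        }
      }
    ]
  }
}
""")


def children(obj: dict) -> list:
    """Children live under the "ok" envelope of a successfully processed object."""
    return obj.get("ok", {}).get("children", [])


def object_meta(obj: dict) -> dict:
    return obj.get("ok", {}).get("object_metadata", {})


def count_children(obj: dict) -> int:
    return len(children(obj))


def has_child(obj: dict, predicate) -> bool:
    """Mirror of @has_child(...): True if any direct child satisfies predicate."""
    return any(predicate(child) for child in children(obj))


def has_scripts(obj: dict) -> bool:
    """Mirror of @match_object_meta($tag_counters.script > 0)."""
    return object_meta(obj).get("tag_counters", {}).get("script", 0) > 0


def is_text(obj: dict) -> bool:
    return obj.get("object_type") == "Text"


def script_only_html_child(child: dict) -> bool:
    """HTML child that contains <script> tags but yielded no extracted Text child."""
    return (child.get("object_type") == "HTML"
            and has_scripts(child)
            and not has_child(child, is_text))


def matches_example_query(report: dict) -> bool:
    """Python rendering of the example query: an MSG whose single child is a
    script-bearing HTML document with no extractable text."""
    return (report.get("object_type") == "MSG"
            and count_children(report) == 1
            and has_child(report, script_only_html_child))


def explain(report: dict) -> dict:
    """Break the verdict into its individual conditions, handy when tuning the rule."""
    html = [c for c in children(report) if c.get("object_type") == "HTML"]
    return {
        "is_msg": report.get("object_type") == "MSG",
        "single_child": count_children(report) == 1,
        "html_children": len(html),
        "html_with_scripts": sum(1 for c in html if has_scripts(c)),
        "html_without_text": sum(1 for c in html if not has_child(c, is_text)),
        "match": matches_example_query(report),
    }


def with_text_child(report: dict) -> dict:
    """Variant where the HTML page yielded extracted text: the rule must not fire."""
    variant = json.loads(json.dumps(report))            # deep copy
    variant["ok"]["children"][0]["ok"]["children"].append(
        {"object_type": "Text", "ok": {"symbols": [], "children": []}})
    return variant


def without_scripts(report: dict) -> dict:
    """Variant where the HTML page carries no <script> tags: the rule must not fire."""
    variant = json.loads(json.dumps(report))
    variant["ok"]["children"][0]["ok"]["object_metadata"]["tag_counters"]["script"] = 0
    return variant


if __name__ == "__main__":
    print(json.dumps(explain(SAMPLE_REPORT), indent=2))
    print("with extracted text:", matches_example_query(with_text_child(SAMPLE_REPORT)))
    print("without scripts:", matches_example_query(without_scripts(SAMPLE_REPORT)))
```

Note that the rule keys on the extracted child objects rather than on the `has_html_body` / `has_text_body` flags of the MSG itself: in the report above both flags are false because the HTML arrives as an attachment, which is exactly the case the query is meant to surface.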

Configuration Options

  • max_processed_size → maximum size of the input object that will be processed (default: 262144000)
  • max_children → maximum number of children objects to create (default: 100)
  • max_child_output_size → maximum size of a single extracted child object (default: 41943040)