# tl;dr

During long-term offensive campaigns, it is often required to keep tabs on what the defenders are doing. Reviewing email together with work chats is often the best way of doing that, but manually going through email web clients can be tedious. This post presents a simple alternative.

# core idea

The idea is to use [imapbox](https://github.com/polo2ro/imapbox) with an OpenSearch stack to automatically sync and review emails:

```
obtain credentials -> create imapbox configs -> auto-sync -> ingest into elastic -> create custom filters for alerts
```

# setting up imapbox

`imapbox` is just a Python script with few dependencies, but I'd recommend one change: setting up a separate local folder for each email address, which makes the pulled data much simpler to deal with. My `imapbox` fork with several other improvements is not yet public, but the change is very simple to implement:

```python
# in load_configuration: pick up an optional per-account local_folder
        if config.has_option(section, 'local_folder'):
            account['local_folder'] = config.get(section, 'local_folder')

# in main: use the per-account folder when set, otherwise the dated default
    if 'local_folder' in account.keys():
        basedir = os.path.join(account['local_folder'], account['name'])
    else:
        basedir = os.path.join(options['local_folder'], datetime.today().strftime('%Y-%m-%d'), account['name'])
    print("Basedir: ", basedir)
```

Also, I've set up some `.zshrc` functions for convenience:

```bash
alias email-sync="proxychains4 -q python3 /root/git/imapbox/imapbox.py"

imap-add() {
    if [[ -n "$1" && -n "$2" ]]; then
        # the mailbox address is assumed to be <username>@client.com, matching the host below
        echo "adding $1@client.com:$2"
        echo >> /etc/imapbox/config.cfg
        echo "[$1]" >> /etc/imapbox/config.cfg
        echo "host=mail.client.com" >> /etc/imapbox/config.cfg
        echo "username=$1@client.com" >> /etc/imapbox/config.cfg
        echo "password=$2" >> /etc/imapbox/config.cfg
        echo "ssl=True" >> /etc/imapbox/config.cfg
        echo "remote_folder=__ALL__" >> /etc/imapbox/config.cfg
    else
        echo "usage: imap-add <username> <password>"
        echo "(only for mail.client.com)"
        return 1
    fi
}

imap-list() {
    grep username /etc/imapbox/config.cfg
}

alias email-cfg="micro /etc/imapbox/config.cfg"
```

Syncing the emails is then very simple:

```
$ imap-add admin1 p@ssw0rd!
$ email-sync -a admin1 -v -d 7   # get 7 days of email
```

# manual review

It is possible to manually review the downloaded emails with `jq` and the `metadata.json` files:

```bash
$ find . -name "metadata.json" -type f | xargs cat | jq '[.Date, .Id, .Subject, " ✉ "] + .From + .To[0] | join(" ")' | grep -i alert
Thu, 31 Sep 2022 17:13:08 +0300 email-id-goes-here A new SIEM alert ✉ [email protected] [email protected] [email protected]
```

# uploading to OpenSearch

After [setting up OpenSearch](https://opensearch.org/docs/latest/opensearch/install/index/), ingestion can be done with a simple `bash` script:

```bash
#!/bin/bash
# capture the current option state first so the trap can restore it if this file is sourced
trap "$(shopt -p dotglob globstar)" RETURN
shopt -s dotglob globstar

if [ -z "$1" ]; then
    DUMP_DATE=$(date '+%Y-%m-%d')
else
    DUMP_DATE=$1
fi

# directory structure may require some changes, but find should be enough here as well
for e_files in "$DUMP_DATE"/*/**/* ; do
    if [[ $e_files == *metadata.json ]]; then
        echo "$e_files"
        # the Message-ID (minus angle brackets) becomes the document id, so re-runs overwrite instead of duplicating
        EMAIL_ID=$(jq -r '.Id' "$e_files" | tr -d '<>')
        echo "$EMAIL_ID"
        curl -k -XPUT -H 'Content-Type: application/json' \
            "http://opensearch.local:9200/imapbox-2/_doc/${EMAIL_ID}?pretty" \
            --data-binary "@$e_files"
    fi
done
```

Finally, the emails can be searched, reviewed, and sorted based on the ingested fields:

![[Pasted image 20221028170749.png]]

So far, the most useful perk of this approach has been time-range search with subject filtering, but much more elaborate filters could be built with OpenSearch.
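From the mail server's side, a mailbox-wide pull like the one configured above (`remote_folder=__ALL__`, seven days of messages in one session, often through a proxy) leaves a distinctive trace: one IMAP session that fetches hundreds of message bodies, frequently from an address the account has never logged in from. The following is an added detection example, not code from the original post or from imapbox; it runs over constructed log lines in the shape of Dovecot's `imap-login` and `Disconnected: Logged out` records, whose `body_count` counter is the field a full sync drives up, and the threshold and baseline IPs are assumptions to tune per environment.

```python
import re

# Constructed sample lines in Dovecot's log format (not real logs): a small
# interactive session from a known workstation, then a bulk pull of ~1500
# message bodies from a previously unseen address.
SAMPLE_LOG = """\
Oct 28 09:01:02 mx dovecot: imap-login: Login: user=<admin1>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2, TLS, session=<s1>
Oct 28 09:03:10 mx dovecot: imap(admin1)<2201><s1>: Disconnected: Logged out in=1200 out=45000 deleted=0 expunged=0 trashed=0 hdr_count=12 hdr_bytes=3000 body_count=3 body_bytes=40000
Oct 28 11:15:44 mx dovecot: imap-login: Login: user=<admin1>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2, TLS, session=<s2>
Oct 28 11:18:03 mx dovecot: imap(admin1)<2310><s2>: Disconnected: Logged out in=9800 out=31200000 deleted=0 expunged=0 trashed=0 hdr_count=1480 hdr_bytes=600000 body_count=1480 body_bytes=30500000
"""

# login record: user, remote IP and the session id that ties it to the logout record
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]+)>.*?rip=([\d.]+).*?session=<([^>]+)>")
# logout record: user, session id and the number of full message bodies fetched
LOGOUT_RE = re.compile(r"imap\(([^)]+)\)<\d+><([^>]+)>: Disconnected:.*?body_count=(\d+)")


def find_bulk_syncs(log_text, body_threshold=200, baseline_ips=None):
    """Return one dict per IMAP session that fetched more than body_threshold
    message bodies. baseline_ips maps user -> set of IPs normally seen for
    that user (assumed input); sessions from other IPs are marked new_ip."""
    baseline_ips = baseline_ips or {}
    sessions = {}   # session id -> (user, remote ip), filled from login records
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            user, ip, sid = m.groups()
            sessions[sid] = (user, ip)
            continue
        m = LOGOUT_RE.search(line)
        if m:
            user, sid, bodies = m.group(1), m.group(2), int(m.group(3))
            if bodies < body_threshold:
                continue
            ip = sessions.get(sid, (user, "unknown"))[1]
            hits.append({"user": user, "ip": ip, "session": sid, "body_count": bodies,
                         "new_ip": ip not in baseline_ips.get(user, set())})
    return hits


if __name__ == "__main__":
    for hit in find_bulk_syncs(SAMPLE_LOG, baseline_ips={"admin1": {"10.0.0.5"}}):
        print(hit)
```

The same counters are what a SIEM rule on the mail server's logs would key on; the short interactive session stays below the threshold while the bulk pull from the unseen address is the only hit.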