Phishing - Get Original Email Loop
When the "Get Original Email - Generic v2" playbook is looped, there is no actual way to distinguish which retrieved file is related to which Message-ID. In order to solve this issue, this playbook will be looped instead and will output the "FileAssociation" key with the File-MessageID association.
Phishing · 8 tasks · 3 inputs · 4 outputs
Inputs
MessageID— The original email message ID to retrieve. This should hold the value of the "Message-ID" header of the original email.UserID— The email address of the user to fetch the original email for. For Gmail, the authenticated user.EmailBrand— If this value is provided, only the relevant playbook runs. If no value is provided, all sub-playbooks are run. Possible values: - Gmail - EWS v2 - EWSO365 - MicrosoftGraphMail - EmailSecurityGateway Choosing EmailSecurityGateway executes the following if enabled: - FireEye EX (Email Security) - Proofpoint TAP - Mimecast
Outputs
FileAssociation— When this playbook is looped, the EntryID of each retrieved eml file would be saved alongside the associated Message-ID inside the "FileAssociation" context key.FileAssociation.EntryID— The retrieved file EntryID. When this playbook is looped, the EntryID of each retrieved eml file would be saved alongside the associated Message-ID inside the "FileAssociation" context key.FileAssociation.MessageID— The retrieved email Message-ID. When this playbook is looped, the EntryID of each retrieved eml file would be saved alongside the associated Message-ID inside the "FileAssociation" context key.File— The original email attachments.