fix: support msg files as well as eml

Author: sodle-splunk

pyproject.toml

@@ -6,10 +6,10 @@ license = "Copyright (c) 2017-2025 Splunk Inc."
 requires-python = ">=3.13, <3.15"
 authors = []
 dependencies = [
-    "beautifulsoup4>=4.14.2",
+    "beautifulsoup4>=4.13,<4.14",
     "msal>=1.31.0",
     "requests>=2.32.0",
-    "splunk-soar-sdk>=3.15.1",
+    "splunk-soar-sdk>=3.17.0",
 ]
 
 # [tool.uv.sources]

src/app.py

@@ -33,12 +33,17 @@
     IP_REGEX,
     URI_REGEX,
 )
-from soar_sdk.extras.email.rfc5322 import extract_rfc5322_email_data
+from soar_sdk.extras.email.email_data import extract_email_data
 from soar_sdk.extras.email.utils import clean_url, is_ip
 from soar_sdk.logging import getLogger
 from soar_sdk.models.artifact import Artifact
 from soar_sdk.models.container import Container
-from soar_sdk.models.finding import Finding, FindingAttachment, FindingEmail
+from soar_sdk.models.finding import (
+    Finding,
+    FindingAttachment,
+    FindingEmail,
+    FindingEmailReporter,
+)
 from soar_sdk.params import OnESPollParams, OnPollParams
 from soar_sdk.webhooks.models import WebhookRequest, WebhookResponse
 
@@ -787,18 +792,69 @@ def on_es_poll(
                         if isinstance(eml_content, str)
                         else eml_content.decode("utf-8", errors="replace")
                     )
-                    attachments.append(
-                        FindingAttachment(
-                            file_name=f"{subject[:50]}.eml",
-                            data=raw_eml,
-                            is_raw_email=True,
-                        )
-                    )
-
                     try:
-                        parsed = extract_rfc5322_email_data(
+                        parsed = extract_email_data(
                             eml_str, email_id, include_attachment_content=True
                         )
+
+                        # Check for a forwarded email attachment (.eml or .msg)
+                        reporter = None
+                        forwarded_att = None
+                        for att in parsed.attachments:
+                            if att.content and att.filename.lower().endswith((".eml", ".msg")):
+                                forwarded_att = att
+                                break
+
+                        if forwarded_att is not None:
+                            # Build reporter from the outer (forwarding) email
+                            outer_body = parsed.body.plain_text or parsed.body.html or ""
+                            reporter = FindingEmailReporter(
+                                **{"from": parsed.headers.from_address or ""},
+                                to=parsed.headers.to,
+                                cc=parsed.headers.cc,
+                                bcc=parsed.headers.bcc,
+                                subject=parsed.headers.subject,
+                                message_id=parsed.headers.message_id,
+                                id=parsed.headers.email_id,
+                                body=outer_body or None,
+                                date=parsed.headers.date,
+                            )
+
+                            # Optionally include the outer (reporter) EML
+                            if asset.ingest_eml:
+                                attachments.append(
+                                    FindingAttachment(
+                                        file_name=f"{subject[:50]}.eml",
+                                        data=raw_eml,
+                                        is_raw_email=False,
+                                    )
+                                )
+
+                            # Re-parse from the inner (forwarded) email
+                            inner_eml_bytes = forwarded_att.content
+                            attachments.append(
+                                FindingAttachment(
+                                    file_name=forwarded_att.filename,
+                                    data=inner_eml_bytes,
+                                    is_raw_email=True,
+                                )
+                            )
+                            parsed = extract_email_data(
+                                inner_eml_bytes, include_attachment_content=True
+                            )
+                            if parsed.headers.subject:
+                                subject = parsed.headers.subject
+                        else:
+                            # No forwarded email — attach the outer EML as the raw email
+                            attachments.append(
+                                FindingAttachment(
+                                    file_name=f"{subject[:50]}.eml",
+                                    data=raw_eml,
+                                    is_raw_email=True,
+                                )
+                            )
+
+                        # Build finding from parsed email (inner if forwarded, outer otherwise)
                         body_text = parsed.body.plain_text or parsed.body.html or ""
                         email_headers = {
                             k: v for k, v in parsed.to_dict()["headers"].items() if v
@@ -807,6 +863,7 @@ def on_es_poll(
                             headers=email_headers or None,
                             body=body_text or None,
                             urls=parsed.urls or None,
+                            reporter=reporter,
                         )
                         for att in parsed.attachments:
                             if att.content: