Uploading an Email to the Sandbox

Recorded Future Sandbox can analyze emails directly, quickly pulling out attachments and URLs to run in virtual machines (VMs). However, the mechanism may be a little different from those found elsewhere. This article examines how it works and details how to get the most out of the feature.

Uploading an email

Emails can be submitted in .eml and .msg formats. These are effectively archive files that contain the text of the email bundled with any attachments and other included data. The sandbox treats them as such, extracting them in the same way as .zip and similar formats during the static analysis phase.

In the following example, the email contains a short piece of text with an embedded link and 2 attachments - a Word document and a .zip file containing an Excel document.

Once uploaded, all attachments display in the File Tree section of the configuration page. By default, the sandbox auto-selects any files that may benefit from behavioral analysis and appear on the list of supported file formats (more details in our docs here).

Selecting attachments

Looking at the File Tree section of the screenshot above, there are a few points to note:

  • .docx and .xlsx are supported file types, so these are both automatically selected for behavioral analysis in VMs
  • The email text content is saved as .txt files within the archive; .txt is not supported for behavioral analysis so these are not selected
  • .eml and .zip are archive formats - just wrappers around the actual content; these are not selected for the behavioral analysis stage
  • URLs are extracted and shown separately on the right

It is possible to manually override the automatic file selection, but note that unsupported file types may not react as expected within the VMs due to not having the relevant software installed. For the best sandbox experience, only submit the automatically selected files for behavioral analysis.

Important note: Submitting the .eml file to behavioral analysis does not yield useful results. The attachments and URLs should be selected directly for best results.

API

The submission API works the same for emails as for other archive files like .zip; attachments are extracted and selected as shown above, and on default settings (with the interactive flag set to false) behavioral analysis launches automatically for each relevant file with no further steps necessary.

Documentation and examples on how to submit samples via the API are available here.

Selecting URLs

Referring back to the screenshot above, the URL embedded in the email is extracted and displayed in the section on the right.

To submit a URL for behavioral analysis, click on the “Analyze” button next to it. This launches a new URL submission for that link, where you can select configuration options separately from the file analysis (for example, to enable Tor networking).

URLs are not automatically selected or submitted for analysis unless selected in this way.

API

Extracted URLs are shown in the static report for the analysis, and can then be re-submitted as URL analyses via new requests.

The process looks like this:

Step 1: Submit the .eml file to the sandbox

Request:

curl -H 'Authorization: Bearer <API_KEY>' -F 'file=@./eml_example.eml' \
  -F 'interactive=true' https://tria.ge/api/v0/samples

Response:

{"id":"250212-mslr9azrbv","status":"pending","kind":"file","filename":"eml_example.eml","submitted":"2025-02-12T10:43:42Z"}

Note the interactive flag in the request above. If you only want to look at the URLs in an email and aren’t concerned about attachments, this flag causes the sandbox to stop and wait after static analysis, rather than immediately scheduling analysis tasks for any files found. You can leave this out of the example above if preferred.

Step 2: Fetch the static analysis report

Request:

curl -H 'Authorization: Bearer <API_KEY>' \
  https://tria.ge/api/v0/samples/250212-mslr9azrbv/reports/static \
  | jq -r '.files[0].metadata.urls'

Response:

[
  "https://hatching.io/blog/#category=all"
]

Here, use the ID value returned by Step 1 to fetch the static analysis report and then use the jq command to filter only the URLs field.

There can be multiple files in an analysis, but in this case the .eml/.msg file itself is index 0 in the list, so we can target that directly. Depending on the use case, it may be best to iterate through the full files list; for example, PDF files can also have URLs extracted from them during static analysis, and iterating would catch any coming from that source.

Step 3: Submit URL analysis

Request:

curl -H 'Authorization: Bearer <API_KEY>' \
  -F 'url=https://hatching.io/blog/#category=all' https://tria.ge/api/v0/samples

Response:

{"id":"250212-mwgygawc2c","status":"pending","kind":"url","url":"https://hatching.io/blog/#category=all","submitted":"2025-02-12T10:48:44Z"}

The analysis now runs the URL on default settings in a VM. You can view the analysis live and access the live interaction feature by visiting the URL in your browser. Just add the ID value to the end of the URL for the sandbox instance you use (e.g., https://tria.ge/250212-mwgygawc2c).
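The three API steps above combined into one script, as an added example that is not part of this article or of the sandbox's own tooling. It generalizes Step 2 by walking every file entry in the static report (so URLs extracted from PDFs and other attachments are caught too), uses only the endpoints and form fields shown on this page, and assumes a placeholder API key, the sample file name from Step 1, and that the `metadata.urls` field may be absent for files without URLs.

```python
import json
import urllib.request
import uuid

API_BASE = "https://tria.ge/api/v0"   # endpoint used in the article's curl examples
API_KEY = "<API_KEY>"                 # placeholder: substitute your own key

def multipart_body(fields, files=()):
    """Encode form fields like curl -F; files is [(field, filename, bytes)]."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(), b"", str(value).encode()]
    for name, filename, data in files:
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"; filename="{filename}"'.encode(),
                  b"Content-Type: application/octet-stream", b"", data]
    parts.append(f"--{boundary}--".encode())
    return b"\r\n".join(parts) + b"\r\n", f"multipart/form-data; boundary={boundary}"

def api_request(path, body=None, content_type=None):
    """POST when a body is given, GET otherwise; returns the decoded JSON response."""
    headers = {"Authorization": f"Bearer {API_KEY}", **({"Content-Type": content_type} if content_type else {})}
    req = urllib.request.Request(API_BASE + path, data=body, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def submit_eml(path):
    """Step 1: upload the .eml with interactive=true so only static analysis runs."""
    with open(path, "rb") as fh:
        body, ctype = multipart_body({"interactive": "true"}, [("file", path.rsplit("/", 1)[-1], fh.read())])
    return api_request("/samples", body, ctype)["id"]

def extract_urls(static_report):
    """Step 2: collect URLs from every file entry (.eml, PDFs, ...), de-duplicated, first-seen order."""
    found = [u for f in static_report.get("files", [])
             for u in ((f.get("metadata") or {}).get("urls") or [])]
    return list(dict.fromkeys(found))

def submit_urls(urls):
    """Step 3: launch one URL analysis per extracted link; returns the new sample IDs."""
    return [api_request("/samples", *multipart_body({"url": u}))["id"] for u in urls]

if __name__ == "__main__":
    sample_id = submit_eml("./eml_example.eml")
    report = api_request(f"/samples/{sample_id}/reports/static")
    print(submit_urls(extract_urls(report)))
```

Immediately after Step 1 the static report may not be ready yet, so in practice retry the report fetch until it succeeds before extracting URLs.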
