How to forward a forensic copy of an email as an attachment

If you receive a fraudulent email, it can be very useful to send a full forensic copy to the organization that is being spoofed, industry partners, and law enforcement.

When a user clicks forward in a mail client, the client copies the message’s content and attachments to a new message. The original message headers are not included.

In order to send a full forensic sample that includes the original message headers, the original message must be sent as an attachment in a new message. The process for doing this varies by mail client.
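The difference between the two kinds of forward can be seen at the message level. The following Python sketch is an added example, not part of the original article; the sample message, addresses, and function names are constructed for illustration. It builds both forwards from a saved .eml and reports which original headers the recipient can still recover.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of a saved .eml file (not a real message).
SAMPLE_EML = (
    b"Return-Path: <bounce@sender.example>\r\n"
    b"Received: from mx.recipient.example by mailstore.recipient.example;\r\n"
    b"\tMon, 01 Jan 2024 10:00:05 +0000\r\n"
    b"Received: from mail.sender.example ([192.0.2.10]) by mx.recipient.example;\r\n"
    b"\tMon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"Authentication-Results: mx.recipient.example; spf=fail; dmarc=fail\r\n"
    b"From: Bank Support <support@bank.example>\r\n"
    b"To: me@recipient.example\r\n"
    b"Subject: Verify your account\r\n"
    b"Message-ID: <1234@sender.example>\r\n"
    b"\r\n"
    b"Please confirm your details.\r\n"
)
FORENSIC_HEADERS = ("Return-Path", "Received", "Authentication-Results", "Message-ID")

def _new_message(original, sender, recipient):
    fwd = EmailMessage()
    fwd["From"], fwd["To"] = sender, recipient
    fwd["Subject"] = "Fwd: " + original["Subject"]
    return fwd

def inline_forward(raw, sender, recipient):
    """Ordinary Forward: only the body text is copied into the new message."""
    original = message_from_bytes(raw, policy=policy.default)
    fwd = _new_message(original, sender, recipient)
    fwd.set_content(original.get_body(preferencelist=("plain",)).get_content())
    return fwd.as_bytes()

def forward_as_attachment(raw, sender, recipient):
    """Forward as attachment: the whole original rides along as message/rfc822."""
    original = message_from_bytes(raw, policy=policy.default)
    fwd = _new_message(original, sender, recipient)
    fwd.set_content("Forensic copy of a suspicious message is attached.")
    fwd.add_attachment(original, filename="original.eml")
    return fwd.as_bytes()

def recovered_headers(forwarded):
    """Headers of the embedded original that the recipient can still read."""
    outer = message_from_bytes(forwarded, policy=policy.default)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)
            return {h: [str(v) for v in inner.get_all(h, [])] for h in FORENSIC_HEADERS}
    return {}
```

The inline forward yields no recoverable headers, while the attachment form returns both Received hops and the Authentication-Results verdict that an investigator needs.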

AOL webmail

  1. In the list of emails in your inbox or folder, right click on the message (not in the message itself)
  2. Click View Message Source
  3. Select the entire raw message content, copy it, paste it into an empty text editor, and save the file with a .eml file extension
  4. Attach the file to a new email, and send it

Apple Mail on macOS

  1. Right click on the message in the list of messages
  2. Click Forward as Attachment
  3. Fill in the To field, and click send

Gmail/Google Workspace webmail

  1. Open the message
  2. Click on the three vertical dots in the upper right
  3. Click Show original
  4. Click Download Original, save it, and send it as an attachment in a new message

GoDaddy and Rackspace webmail

  1. Open the message you want to forward. To forward multiple emails, instead of opening an email, use the checkboxes to select the emails you want to forward.
  2. In the top right corner of the page, click the More Actions menu.
  3. Select Fwd. as Attachment.
  4. Click Apply. A new email is created with a .eml file attached.
  5. When the rest of the message is ready to go, click Send.

GroupWise

  1. From the GroupWise item list, select the e-mail(s) you wish to forward (multiple messages can be selected with Shift-Click, Ctrl-Click, etc.)
  2. Select the Action Menu
  3. From the Action Menu, select the “Forward As Attachment” Item
  4. Fill in the To field, and click Send

Notes

  1. Open the email
  2. Save it to a file by going to the File > Save As menu item
  3. Attach the file to a new email and send it

Outlook.com/Office 365 webmail

  1. Open the web mail in two browser windows
  2. Create a new email in one browser window
  3. In the other browser window, drag the email you want to attach from your email list, and drop it in the blank email
  4. Fill out the To field, and click send

Outlook for macOS

  1. In the messages list, right click the message you want to forward
  2. Click Forward As Attachment
  3. Fill in the To field, and click Send

Outlook for Windows

  1. Create a new email
  2. Drag the message you want to forward from the messages list and drop it in the blank message body
  3. Fill in the To field, and click Send

ProtonMail webmail

  1. Open the message you want to forward
  2. Click on the down arrow, to the right of the forward button
  3. Click Export, and save the decrypted email
  4. Create a new email, and add the exported email as an attachment
  5. Fill out the To field, and click send

Thunderbird

  1. In the messages list, right click on the message you want to forward (or select multiple messages and then right click)
  2. Select Forward as attachment
  3. Fill in the To field and click Send

Windows 10 Mail app

  1. Open the message
  2. Click on the three horizontal dots in the upper right
  3. Click Save As, and save the email as a file
  4. Attach the saved file to a new email, fill in the To field, and click send

Yahoo webmail

  1. Open the message
  2. Click on the three horizontal dots in the upper right, and click View Raw Message
  3. Select the entire raw message content, copy it, paste it into an empty text editor, and save the file with a .eml file extension
  4. Attach the file to a new email, and send it

10 thoughts on “How to forward a forensic copy of an email as an attachment”

  1. Used the yahoo mail instructions with great success. Very simple and understandable instructions, though being VERY low tech, I had to research “text editor”.

  2. Sean – I followed your yahoo instructions and I’m wondering what you’re talking about. The text attachment comes in as a messy text. You think people want to read that? If there is no solution, then don’t post one.

    • Suzana,

      Speaking as a cybersecurity expert and cyber forensic professional… what you see as “messy text” is the meat and potatoes of what we do for a living.

      Those of us who do cyber security, as well as programmers and other computer experts, can make perfect sense out of that “messy text”, and it allows us to determine where the email is trying to re-direct you to, and what other malicious activity it might want to cause on your system.

      To paraphrase your last line… “If you don’t know what you’re talking about, you should probably keep quiet.”

  3. How do I send an attachment of a spoofed email from my yahoo email app! I have no computer. I only have my iPhoneXR. In this case it’s a spoofed Walmart email in my yahoo app inbox.

  4. Works perfectly for Yahoo mail. I wonder how much learning and research you must have done to give solutions for different applications!!! Great work.

  5. Fantastic! I’ve been trying to figure out how to export original/forensic e-mails from Yahoo Mail to the MS Outlook client on Win10 since Yahoo disabled creation of app passwords for new POP/SMTP connections months ago.

    I knew I could view each raw message but not that saving as a .eml file would allow such files to be opened directly from disk by the Outlook client, with no need to forward anything.

    Thank you so much!
