Information Security | On August 28, 2019 12:36 am

How to forward a forensic copy of an email as an attachment

By Sean Whalen

If you receive a fraudulent email, it can be very useful to send a full forensic copy to the organization that is being spoofed, industry partners, and law enforcement.

When a user clicks forward in a mail client, the client copies the message’s content and attachments to a new message. The original message headers are not included.

In order to send a full forensic sample that includes the original message headers, the original message must be sent as an attachment in a new message. The process for doing this varies by mail client.
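To make the difference concrete, the following added example (not code from the original post) uses Python's standard `email` package to build a constructed spoofed message, forward it inline and as an attachment, and list which original headers the recipient can recover. All addresses, hostnames and header values are made-up samples, and the function names are hypothetical.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
# Headers an analyst needs that an inline forward leaves behind.
FORENSIC_HEADERS = ("Received", "Authentication-Results", "Message-ID")

def build_original() -> EmailMessage:
    """Constructed sample of a spoofed message as delivered (all values made up)."""
    msg = EmailMessage()
    msg["Received"] = "from mailer.example.net (203.0.113.7) by mx.example.org; Wed, 28 Aug 2019 00:30:00 +0000"
    msg["Authentication-Results"] = "mx.example.org; spf=fail smtp.mailfrom=mailer.example.net"
    msg["Message-ID"] = "<constructed-0001@mailer.example.net>"
    msg["From"] = "Example Bank <alerts@bank.example.com>"
    msg["Subject"] = "Verify your account"
    msg.set_content("Please confirm your details.\n")
    return msg

def new_report(subject: str) -> EmailMessage:
    fwd = EmailMessage()
    fwd["From"], fwd["To"], fwd["Subject"] = "user@example.org", "abuse@bank.example.com", subject
    return fwd

def forward_inline(original: EmailMessage) -> EmailMessage:
    """What the Forward button does: the body is copied, the original headers are not."""
    fwd = new_report("Fwd: " + original["Subject"])
    fwd.set_content("---- Forwarded message ----\n" + original.get_content())
    return fwd

def forward_as_attachment(original: EmailMessage, as_file: bool = False) -> EmailMessage:
    """Attach the whole message: as message/rfc822, or as a saved .eml file."""
    fwd = new_report("Forensic copy of a fraudulent email")
    fwd.set_content("Original message attached.\n")
    if as_file:  # a downloaded or exported copy attached by hand
        fwd.add_attachment(original.as_bytes(), maintype="application", subtype="octet-stream", filename="original.eml")
    else:        # a client's "Forward as Attachment" action
        fwd.add_attachment(original, filename="original.eml")
    return fwd

def embedded_originals(raw: bytes) -> list:
    """Return the forensic headers of every original message attached to a report."""
    found = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
        elif (part.get_filename() or "").lower().endswith(".eml"):
            original = message_from_bytes(part.get_payload(decode=True), policy=policy.default)
        else:
            continue
        found.append({h: [str(v) for v in original.get_all(h, [])] for h in FORENSIC_HEADERS})
    return found
```

Running `embedded_originals()` on the inline forward returns an empty list, while both attachment forms return the original `Received`, `Authentication-Results` and `Message-ID` values.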

Apple Mail on macOS

  1. Right click on the message in the list of messages
  2. Click Forward as Attachment
  3. Fill in the To field, and click send

Gmail/G Suite webmail

  1. Open the message
  2. Click on the three vertical dots in the upper right
  3. Click Show original
  4. Click Download Original, save it, and send it as an attachment in a new message

GoDaddy and Rackspace webmail

  1. Open the message you want to forward. To forward multiple emails, instead of opening an email, use the checkboxes to select the emails you want to forward.
  2. In the top right corner of the page, click the More Actions menu.
  3. Select Fwd. as Attachment.
  4. Click Apply. A new email is created with a .eml file attached.
  5. When the rest of the message is ready to go, click Send.

GroupWise

  1. From the GroupWise item list, select the e-mail(s) you wish to forward (multiple messages can be selected with Shift-Click, Ctrl-Click, etc.)
  2. Select the Action Menu
  3. From the Action Menu, select the “Forward As Attachment” Item
  4. Fill in the To field, and click Send

Notes

  1. Open the email
  2. Save it to a file by going to the File > Save As menu item
  3. Attach the file to a new email and send it

Outlook.com/Office 365 webmail

  1. Open the web mail in two browser windows
  2. Create a new email in one browser window
  3. In the other browser window, drag the email you want to attach from your email list, and drop it in the blank email
  4. Fill out the To field, and click send

Outlook for macOS

  1. In the messages list, right click the message you want to forward
  2. Click Forward As Attachment
  3. Fill in the To field, and click Send

Outlook for Windows

  1. Create a new email
  2. Drag the message you want to forward from the messages list and drop it in the blank message body
  3. Fill in the To field, and click Send

ProtonMail webmail

  1. Open the message you want to forward
  2. Click on the down arrow, to the right of the forward button
  3. Click Export, and save the decrypted email
  4. Create a new email, and add the exported email as an attachment
  5. Fill out the To field, and click send

Thunderbird

  1. In the messages list, right click on the message you want to forward (or select multiple messages and then right click)
  2. Select Forward as attachment
  3. Fill in the To field and click Send

Windows 10 Mail app

  1. Open the message
  2. Click on the three horizontal dots in the upper right
  3. Click Save As, and save the email as a file
  4. Attach the saved file to a new email, fill in the To field, and click send

Yahoo webmail

  1. Open the message
  2. Click on the three horizontal dots in the upper right, and click View Raw Message
  3. Select the entire raw message content, copy it, paste it into an empty text editor, and save the file with a .eml file extension
  4. Attach the file to a new email, and send it

This post was last modified on October 10, 2019 3:16 am

Sean Whalen

Sean Whalen is an Information Security Engineer in the healthcare industry, and founder of the InfoSec Speakeasy, specializing in intelligence and malware analysis. Previously, he worked as an intelligence analyst in the defense industry. He has a passion for open source software, and sci-fi.

View Comments

  • tried yahoo mail. it works. thanks man!

  • Used the yahoo mail instructions with great success. Very simple and understandable instructions, though being VERY low tech., I had to research "text editor".

  • Sean - I followed your yahoo instructions and I'm wondering what you're talking about. The text attachment comes in as a messy text. You think people want to read that? If there is no solution, then don't post one.

    • Suzana,

      Speaking as a cybersecurity expert and cyber forensic professional... what you see as "messy text" is the meat and potatoes of what we do for a living.

      Those of us who do cyber security, as well as programmers and other computer experts, can make perfect sense out of that "messy text", and it allows us to determine where the email is trying to re-direct you to, and what other malicious activity it might want to cause on your system.

      To paraphrase your last line... "If you don't know what you're talking about, you should probably keep quiet."

  • How do I send an attachment of a spoofed email from my yahoo email app! I have no computer. I only have my iPhoneXR. In this case it’s a spoofed Walmart email in my yahoo app inbox.

  • perfect for yahoo mail. Thank you

  • Works perfectly for Yahoo mail. I wonder how much of learning and research you must have done to give solutions for different applications !!! Great work.
