STIX Wiki

Email Message

The Email Message object represents an instance of an email message, corresponding to the internet message format described in RFC5322 and related RFCs.

Header field values that have been encoded as described in section 2 of RFC2047 MUST be decoded before inclusion in Email Message object properties. For example, `this is some text` MUST be used instead of `=?iso-8859-1?q?this=20is=20some=20text?=`. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property.
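The decoding rule above, as an added example that is not part of the STIX wiki: it parses a constructed RFC 5322 message with Python's standard `email` package, decodes RFC 2047 encoded-words (undecodable bytes become U+FFFD), and emits `email-message` and `email-addr` objects. The function names `decode_rfc2047` and `email_to_stix`, the sample message, and the use of random UUIDv4 identifiers are assumptions made for this example.

```python
import uuid
from datetime import timezone
from email import message_from_bytes
from email.header import decode_header
from email.utils import getaddresses, parsedate_to_datetime

def decode_rfc2047(value):
    """Decode RFC 2047 encoded-words; undecodable bytes become U+FFFD."""
    out = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label in the encoded-word
                chunk = chunk.decode("ascii", errors="replace")
        out.append(chunk)
    return "".join(out)

def email_to_stix(raw):
    """Build email-message and email-addr objects from raw RFC 5322 bytes."""
    msg = message_from_bytes(raw)
    addrs = {}  # mailbox address -> email-addr object, so references are shared

    def refs(header):
        ids = []
        values = [str(h) for h in msg.get_all(header, [])]
        for name, addr in getaddresses(values):
            obj = addrs.setdefault(addr, {
                "type": "email-addr", "spec_version": "2.1",
                "id": f"email-addr--{uuid.uuid4()}",  # random id (assumption)
                "value": addr})
            if name:
                obj["display_name"] = decode_rfc2047(name)
            ids.append(obj["id"])
        return ids

    message = {"type": "email-message", "spec_version": "2.1",
               "id": f"email-message--{uuid.uuid4()}",  # random id (assumption)
               "is_multipart": msg.is_multipart()}
    if msg["Date"]:
        sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
        message["date"] = sent.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    from_ids = refs("From")
    if from_ids:
        message["from_ref"] = from_ids[0]
    for header, prop in (("To", "to_refs"), ("Cc", "cc_refs"), ("Bcc", "bcc_refs")):
        if ids := refs(header):
            message[prop] = ids
    if msg["Subject"] is not None:
        message["subject"] = decode_rfc2047(str(msg["Subject"]))
    return [message, *addrs.values()]

# Constructed sample message, not taken from any real mailbox.
RAW = (b"From: =?iso-8859-1?q?J=F6rg_Doe?= <jdoe@example.com>\r\n"
       b"To: Mary Smith <mary@example.com>\r\n"
       b"Date: Fri, 21 Nov 1997 09:55:06 -0600\r\n"
       b"Subject: =?iso-8859-1?q?this=20is=20some=20text?=\r\n\r\nHello\r\n")
```

To preserve the header exactly as observed, store the original bytes in an Artifact object and point `raw_email_ref` at it, since the decoded properties are lossy once U+FFFD has been substituted.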

TODO: Add Email MIME Component Type

Properties

Required Common Properties: type, id

Optional Common Properties: spec_version, object_marking_refs, granular_markings, defanged, extensions

Not Applicable: created_by_ref, revoked, labels, confidence, lang, external_references

Email Message Specific: date, content_type, from_ref, sender_ref, to_refs, cc_refs, bcc_refs, message_id, subject, received_lines, additional_header_fields, raw_email_ref

| Property | Type | Description |
| --- | --- | --- |
| type (optional) | string | The value of this property MUST be `email-message`. |
| date (optional) | string | Specifies the date/time that the email message was sent. |
| content_type (optional) | string | Specifies the value of the 'Content-Type' header of the email message. |
| from_ref (optional) | string | Specifies the value of the 'From:' header of the email message. |
| sender_ref (optional) | string | Specifies the value of the 'From' field of the email message. |
| to_refs (optional) | list of string | Specifies the mailboxes that are 'To:' recipients of the email message. |
| cc_refs (optional) | list of string | Specifies the mailboxes that are 'CC:' recipients of the email message. |
| bcc_refs (optional) | list of string | Specifies the mailboxes that are 'BCC:' recipients of the email message. |
| message_id (optional) | string | Specifies the Message-ID field of the email message. |
| subject (optional) | string | Specifies the subject of the email message. |
| received_lines (optional) | list of string | Specifies one or more Received header fields that may be included in the email headers. |
| additional_header_fields (optional) | | Specifies any other header fields found in the email message, as a dictionary. |
| raw_email_ref (optional) | string | Specifies the raw binary contents of the email message, including both the headers and body, as a reference to an Artifact Object. |

Examples

Simple Email Message

[
  {
    "type": "email-message",
    "spec_version": "2.1",
    "id": "email-message--72b7698f-10c2-565a-a2a6-b4996a2f2265",
    "from_ref": "email-addr--89f52ea8-d6ef-51e9-8fce-6a29236436ed",
    "to_refs": ["email-addr--e4ee5301-b52d-59cd-a8fa-8036738c7194"],
    "is_multipart": false,
    "date": "1997-11-21T15:55:06.000Z",
    "subject": "Saying Hello"
  },
  {
    "type": "email-addr",
    "spec_version": "2.1",
    "id": "email-addr--89f52ea8-d6ef-51e9-8fce-6a29236436ed",
    "value": "jdoe@example.com",
    "display_name": "John Doe"
  },
  {
    "type": "email-addr",
    "spec_version": "2.1",
    "id": "email-addr--e4ee5301-b52d-59cd-a8fa-8036738c7194",
    "value": "mary@example.com",
    "display_name": "Mary Smith"
  }
]

Simple Email Message with Additional Header Properties

[
  {
    "type": "email-message",
    "spec_version": "2.1",
    "id": "email-message--0c57a381-2a17-5e61-8754-5ef96efb286c",
    "from_ref": "email-addr--9b7e29b3-fd8d-562e-b3f0-8fc8134f5dda",
    "to_refs": ["email-addr--d1b3bf0c-f02a-51a1-8102-11aba7959868"],
    "is_multipart": false,
    "date": "2004-04-19T12:22:23.000Z",
    "subject": "Did you see this?",
    "additional_header_fields": {
      "Reply-To": [
        "steve@example.com",
        "jane@example.com"
      ]
    }
  },
  {
    "type": "email-addr",
    "spec_version": "2.1",
    "id": "email-addr--9b7e29b3-fd8d-562e-b3f0-8fc8134f5dda",
    "value": "joe@example.com",
    "display_name": "Joe Smith"
  },
  {
    "type": "email-addr",
    "spec_version": "2.1",
    "id": "email-addr--d1b3bf0c-f02a-51a1-8102-11aba7959868",
    "value": "bob@example.com",
    "display_name": "Bob Smith"
  }
]

Complex MIME Email Message

[
  {
    "type": "email-message",
    "spec_version": "2.1",
    "id": "email-message--cf9b4b7f-14c8-5955-8065-020e0316b559",
    "is_multipart": true,
    "received_lines": [
      "from mail.example.com ([198.51.100.3]) by smtp.gmail.com with ESMTPSA id q23sm23309939wme.17.2016.07.19.07.20.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 Jul 2016 07:20:40 -0700 (PDT)"
    ],
    "content_type": "multipart/mixed",
    "date": "2016-06-19T14:20:40.000Z",
    "from_ref": "email-addr--89f52ea8-d6ef-51e9-8fce-6a29236436ed",
    "to_refs": ["email-addr--d1b3bf0c-f02a-51a1-8102-11aba7959868"],
    "cc_refs": ["email-addr--e4ee5301-b52d-59cd-a8fa-8036738c7194"],
    "subject": "Check out this picture of a cat!",
    "additional_header_fields": {
      "Content-Disposition": "inline",
      "X-Mailer": "Mutt/1.5.23",
      "X-Originating-IP": "198.51.100.3"
    },
    "body_multipart": [
      {
        "content_type": "text/plain; charset=utf-8",
        "content_disposition": "inline",
        "body": "Cats are funny!"
      },
      {
        "content_type": "image/png",
        "content_disposition": "attachment; filename=\"tabby.png\"",
        "body_raw_ref": "artifact--4cce66f8-6eaa-53cb-85d5-3a85fca3a6c5"
      },
      {
        "content_type": "application/zip",
        "content_disposition": "attachment; filename=\"tabby_pics.zip\"",
        "body_raw_ref": "file--6ce09d9c-0ad3-5ebf-900c-e3cb288955b5"
      }
    ]
  },
  {
    "type": "email-addr",
    "spec_version": "2.1",
    "id": "email-addr--89f52ea8-d6ef-51e9-8fce-6a29236436ed",
    "value": "jdoe@example.com",
    "display_name": "John Doe"
  },
  {
    "type": "email-addr",
    "spec_version": "2.1",
    "id": "email-addr--d1b3bf0c-f02a-51a1-8102-11aba7959868",
    "value": "bob@example.com",
    "display_name": "Bob Smith"
  },
  {
    "type": "email-addr",
    "spec_version": "2.1",
    "id": "email-addr--e4ee5301-b52d-59cd-a8fa-8036738c7194",
    "value": "mary@example.com",
    "display_name": "Mary Smith"
  },
  {
    "type": "artifact",
    "spec_version": "2.1",
    "id": "artifact--4cce66f8-6eaa-53cb-85d5-3a85fca3a6c5",
    "mime_type": "image/jpeg",
    "payload_bin": "VBORw0KGgoAAAANSUhEUgAAADI== ...",
    "hashes": {
      "SHA-256": "effb46bba03f6c8aea5c653f9cf984f170dcdd3bbbe2ff6843c3e5da0e698766"
    }
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--6ce09d9c-0ad3-5ebf-900c-e3cb288955b5",
    "name": "tabby_pics.zip",
    "magic_number_hex": "504B0304",
    "hashes": {
      "SHA-256": "fe90a7e910cb3a4739bed9180e807e93fa70c90f25a8915476f5e4bfbac681db"
    }
  }
]
