FEI 2.1.8 is out with a new integration, support for additional email formats, and major new features. Here is what’s new:
We have added VirusTotal to FEI’s API integrations for intelligence. When examining emails, you can click a button to trigger a VirusTotal scan of the email’s attachments—individually, or in bulk.
This brings back a list of data points including threat intel, known names in the wild, timestamps, etc. FEI displays this information as part of its Attachments View, and also uses it in Insights, scoring, and timelining.
Here is how the Timestamps View looks after the VirusTotal enrichment:
Note: There is something else wrong with this email other than its malicious payload. Do you see it?
You will notice that as part of the VirusTotal integration, we have also added capabilities to hash an email attachment, or hash all attachments of an email. This is so that FEI can perform the VirusTotal scan using the hash of the attachment rather than its contents.
If VirusTotal does not have a record of the attachment hash (i.e., the file was not previously submitted to VirusTotal), it is possible to have FEI upload the file’s contents to VirusTotal for analysis. Here is how that looks:
For safety, we put the upload functionality behind an integration option. If you turn off the VirusTotal upload functionality, the user interface to upload an attachment to VirusTotal will not be shown.
Apple Mail Support
FEI now supports ingesting and examining Apple Mail messages in EMLX and Partial EMLX formats. You can ingest such messages as part of an FEI project, or open them individually by dragging and dropping an EMLX message into FEI Viewer.
On the export side, there is now a new option called
Export EMLX Files as EMLs, which controls whether EMLX files should be exported as is, or in MIME format. This is especially important for Partial EMLX files—utilizing such files in other tools may not be possible unless they are reconstituted into a complete MIME message from their parts.
FEI Decoder Improvements
FEI Decoder makes it a breeze to convert virtually any timestamp into human-readable form. In addition to FEI’s MIME View, you can now trigger FEI Decoder from the text and html bodies of messages. Same functionality applies to decoding Base64-encoded text.
We have extended FEI’s domain intelligence to include DMARC records. The DMARC records are parsed and shown in a human-readable manner.
I am particularly excited about the new VirusTotal integration as well as EMLX support.
You can find the changelog below. The new version is available for download here when you are ready.