Add email.mailfrom.address to email fields #2351

mbudge · 2024-07-23T09:07:13Z

There is an ecs field for email.from.address which is the From field in the email header.

The mailfrom field in the smtp header is a field useful for detecting email spoofing.

Please add email.mailfrom.address to ecs. Also update the mimecast integration to extract the headerFrom field from the inbound Acc logs.

qcorporation · 2024-12-03T20:32:36Z

@mjwolf investigate if mailfrom is a standard smtp header.
find out all integration that can normalize to this field if we were to add this into ECS

mjwolf · 2024-12-07T23:09:28Z

MAIL FROM and RCPT TO are both fields of SMTP envelope from RFC 5321.

It's currently used in these integrations zeek, proofpoint_on_demand, cisco_secure_email_gateway, m365_defender, sublime_security.

Given this is a standard SMTP field, and used by multiple observability products, I think it makes sense to add this to ECS

mbudge added the enhancement New feature or request label Jul 23, 2024

qcorporation assigned mjwolf Dec 3, 2024

mjwolf linked a pull request Dec 7, 2024 that will close this issue

Add email SMTP envelope fields #2413

Open

Provide feedback