Commit 0b256bd3 authored by Rémi PAILHAREY's avatar Rémi PAILHAREY
Browse files

feat: Extract IOC + CyberSignal cases query

parent 61e0012c
......@@ -34,9 +34,6 @@ User -> "Outlook" : Inspect suspicious email
TODO: Rechercher si un case existe déjà dans TheHive
TODO: Vérifier la conf nginx pour Cuckoo
TODO: Faire un mock de l'api Cuckoo
TODO: Retourner une erreur dans cuckoo.SendGetSummaryReport() quand le rapport n'est pas dispo
TODO: Demander ou ça en est pour la création du mail (medium)
TODO: Mettre le vrai mail (medium)
TODO: Créer un vrai message pour le mail (low)
TODO: Faire de la documentation (low) -> refaire PlantUML en mettant pour chaque étape quels blocs de code sont sollicités
......
......@@ -137,3 +137,13 @@ func BoolValueFromEnv(ev string, def bool) bool {
}
return v
}
// StringInSlice checks if a string element is in a string array
func StringInSlice(a string, list []string) bool {
for _, b := range list {
if b == a {
return true
}
}
return false
}
......@@ -3,6 +3,7 @@ package cuckoo
import (
"bytes"
"encoding/json"
"errors"
"fmt"
"io"
"io/ioutil"
......@@ -11,6 +12,7 @@ import (
"net/http"
"os"
"regexp"
"strings"
"forge.grandlyon.com/rpailharey/cyber-signal/internal/common"
)
......@@ -26,7 +28,8 @@ type UploadResponse struct {
}
// Uploads a file to Cuckoo and requests an analysis
func SendPostRequestMultipart(url string, filename string) int {
func SendPostRequestMultipart(filename string) int {
url := cuckooURL + "/tasks/create/file"
client := &http.Client{}
req, err := NewfileUploadRequest(url, nil, "file", filename)
if err != nil {
......@@ -55,7 +58,7 @@ func SendPostRequestMultipart(url string, filename string) int {
}
// Get the analysis' report
func SendGetSummaryReport(taskid int) (string, error) {
func SendGetSummaryReport(taskid int) ([]byte, error) {
url := fmt.Sprintf("%s/tasks/summary/%d", cuckooURL, taskid)
fmt.Println(url)
......@@ -70,36 +73,46 @@ func SendGetSummaryReport(taskid int) (string, error) {
log.Fatal(err)
}
type StringsResponse struct {
Strings []string `json:"strings"`
if resp.StatusCode != http.StatusOK {
return nil, errors.New("Report couldn't be fetched")
}
content, err := ioutil.ReadAll(resp.Body)
return content, nil
}
func ExtractIOC(report []byte) (senderEmail string, subject string, urls []string, sha1 string, md5 string, err error) {
type StringsResponse struct {
Strings []string `json:"strings"`
}
var stringsResponse StringsResponse
err = json.Unmarshal(content, &stringsResponse)
err = json.Unmarshal(report, &stringsResponse)
if err != nil {
log.Fatal(err)
}
var expediteur string
var subject string
for _, s := range stringsResponse.Strings {
rExp := regexp.MustCompile(`From:.*<(.*)>`)
rSub := regexp.MustCompile(`Subject: (.*)`)
rUrl := regexp.MustCompile(`(?:http(s)?:\/\/)?[\w.-]+(?:\.[\w\.-]+)$`)
resExp := rExp.FindStringSubmatch(s)
if len(resExp) != 0 {
expediteur = resExp[1]
if len(resExp) >= 2 {
senderEmail = resExp[1]
}
resSub := rSub.FindStringSubmatch(s)
if len(resSub) != 0 {
subject = resSub[1]
if len(resSub) >= 2 {
subject = strings.ReplaceAll(strings.TrimRight(strings.SplitN(resSub[1], "_", 2)[1], "?="), "_", " ")
}
resUrl := rUrl.FindStringSubmatch(s)
if len(resUrl) != 0 && !common.StringInSlice(resUrl[0], urls) {
urls = append(urls, resUrl[0])
}
}
fmt.Println(expediteur)
fmt.Println(subject)
type TargetResponse struct {
Target struct {
......@@ -114,19 +127,12 @@ func SendGetSummaryReport(taskid int) (string, error) {
}
var targetResponse TargetResponse
err = json.Unmarshal(content, &targetResponse)
err = json.Unmarshal(report, &targetResponse)
if err != nil {
log.Fatal(err)
}
fmt.Println(targetResponse.Target.File.Sha1)
for _, s := range targetResponse.Target.File.Urls {
fmt.Println(s)
}
return string(content), nil
return senderEmail, subject, targetResponse.Target.File.Urls, targetResponse.Target.File.Sha1, targetResponse.Target.File.Md5, nil
}
// Creates a new file upload http request with optional extra params
......
......@@ -16,8 +16,6 @@ import (
var (
cybersignalAuthToken string
cuckooURL string
cuckooAuthToken string
)
func Init(keyfile string) {
......@@ -37,50 +35,60 @@ func Init(keyfile string) {
}
log.Println("Authorization token set")
cybersignalAuthToken = string(tokenConfig.Token)
cuckooURL = common.StringValueFromEnv("CUCKOO_URL", "")
cuckooAuthToken = common.StringValueFromEnv("CUCKOO_AUTH_TOKEN", "")
}
// HandleUpload is a function allowing to analyze a file with Cuckoo and save the incident in TheHive.
func HandleUpload(w http.ResponseWriter, r *http.Request) {
// TempFile allows you to create a new temp file in the /tmp directory
file, errTemp := ioutil.TempFile("", "mail*.msg")
if errTemp != nil {
panic(errTemp)
}
// Copy the received file locally
io.Copy(file, r.Body)
file.Close()
taskid := cuckoo.SendPostRequestMultipart(cuckooURL+"/tasks/create/file", file.Name())
log.Println(taskid)
func HandleUpload() http.Handler {
handleUpload := func(w http.ResponseWriter, r *http.Request) {
// TempFile allows you to create a new temp file in the /tmp directory
file, errTemp := ioutil.TempFile("", "mail*.msg")
if errTemp != nil {
panic(errTemp)
}
// Copy the received file locally
io.Copy(file, r.Body)
file.Close()
taskid := cuckoo.SendPostRequestMultipart(file.Name())
log.Println(taskid)
// Try to get the report every 30 seconds
// TODO: Return an error when the report is not available yet
var report string
var err error
for {
time.Sleep(30 * time.Second)
report, err = cuckoo.SendGetSummaryReport(taskid)
if err == nil {
break
// Try to get the report every 30 seconds
var report []byte
var err error
for {
time.Sleep(30 * time.Second)
report, err = cuckoo.SendGetSummaryReport(taskid)
if err == nil {
break
}
}
}
fmt.Println(report)
fmt.Println(report)
// Create a new case
tags := []string{"Cyber-Signal"}
caseCreated, err := thehive.SendPostCreateCase("Test", "Test Cyber-Signal", 1, 1, nil, tags, false)
if err != nil {
log.Fatal(err)
senderEmail, subject, urls, sha1, md5, err := cuckoo.ExtractIOC(report)
if err != nil {
log.Fatal(err)
}
log.Println("Expéditeur : " + senderEmail)
log.Println("Objet : " + subject)
log.Println(urls)
log.Println(sha1)
log.Println(md5)
// Create a new case
tags := []string{"Cyber-Signal"}
caseCreated, err := thehive.SendPostCreateCase("Test", "Test Cyber-Signal", 1, 1, nil, tags, false)
if err != nil {
log.Fatal(err)
}
fmt.Println(caseCreated)
mail.SendMail()
}
fmt.Println(caseCreated)
mail.SendMail()
return http.HandlerFunc(handleUpload)
}
// ValidateAuthMiddleware checks if the request contains the correct token to use Cyber-Signal
// TODO: Use this middleware in he rootmux
func ValidateAuthMiddleware(next http.Handler) http.Handler {
tokenChecker := func(w http.ResponseWriter, r *http.Request) {
authToken := r.Header.Get("Authorization")
......
package cybersignal
import (
"net/http"
"net/http/cookiejar"
"net/http/httptest"
"net/url"
"testing"
"forge.grandlyon.com/rpailharey/cyber-signal/internal/cuckoo"
"forge.grandlyon.com/rpailharey/cyber-signal/internal/mocks"
"forge.grandlyon.com/rpailharey/cyber-signal/internal/tester"
)
var (
noH map[string]string
)
func TestAll(t *testing.T) {
tsCuckoo, doCuckoo := createCuckooTester(t)
defer tsCuckoo.Close()
report := doCuckoo("GET", "/tasks/summary/1", noH, "", http.StatusOK, "")
senderEmail, subject, urls, sha1, md5, err := cuckoo.ExtractIOC([]byte(report))
tester.AssertEqual(t, err, nil)
tester.AssertEqual(t, senderEmail, "asp18@invitations.mailinblack.com")
tester.AssertEqual(t, subject, "RE: Vos codes pour l'acc=C3=A8s au site www.astredhor.fr")
tester.AssertStringArrayEqual(t, urls, []string{"www.astredhor.fr"})
tester.AssertEqual(t, sha1, "f77b584e202b6d7ec8fff9238783fa6e8df07fe6")
tester.AssertEqual(t, md5, "690cedf5b04ce05eb647cd7672c63cd1")
}
func createCuckooTester(t *testing.T) (*httptest.Server, func(method string, route string, headers map[string]string, payload string, expectedStatus int, expectedBody string) string) {
// Create the server
mux := mocks.CreateMockCuckooAPI()
ts := httptest.NewServer(mux)
url, _ := url.Parse(ts.URL)
port := url.Port()
// Create the cookie jar
jar, _ := cookiejar.New(nil)
// wrap the testing function
return ts, tester.CreateServerTester(t, "localhost", port, jar)
}
func createTheHiveTester(t *testing.T) (*httptest.Server, func(method string, route string, headers map[string]string, payload string, expectedStatus int, expectedBody string) string) {
// Create the server
mux := mocks.CreateMockTheHiveAPI()
ts := httptest.NewServer(mux)
url, _ := url.Parse(ts.URL)
port := url.Port()
// Create the cookie jar
jar, _ := cookiejar.New(nil)
// wrap the testing function
return ts, tester.CreateServerTester(t, "localhost", port, jar)
}
......@@ -68,6 +68,367 @@ func CreateMockTheHiveAPI() *http.ServeMux {
func CreateMockCuckooAPI() *http.ServeMux {
mux := http.NewServeMux()
// TODO: Cuckoo API mock
mux.HandleFunc("/tasks/create/file", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{
"task_id":1
}`))
})
mux.HandleFunc("/tasks/summary/1", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`
{
"strings":[
"##]h2G",
"cgadoulet@grandlyon.com",
"SMTP:ASP18@INVITATIONS.MAILINBLACK.COM",
"/O=METROPOLE DE LYON/OU=EXCHANGE ADM_",
"INISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
"/O=METROPOLE DE LYON/OU=EXCHANGE ADM_",
"INISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
"EX:/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBO_",
"HF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
"EX:/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
"SMTP:ASP18@INVITATIONS.MAILINBLACK.COM",
"SMTP:ASP18@INVITATIONS.MAILINBLACK.COM",
"rcpg125",
"Chtml1",
"g96 \"<",
"0#@cell",
"P at: n",
"dth:100",
"%\">}!s",
"+O,Q)7)'5",
"\"3)\u001f*/0",
"$\u001f%/&?'O",
"(cM 67O@9",
"1S_To[\u001fWOX_=",
"o-5LA/@+h",
"QQrcM ",
"c949b037",
"1eY 9c7b",
"f1Qp{H",
"YPERLINK",
"ue. LD",
" _ 2sD",
"STREDHORr,",
"jNGY2OTk",
" Y7dHV",
"mNvbTtGU",
"xSWhzUE'",
"82Td05dG",
"d QlJ$@0k9",
",E02,0)",
"RQ#nA0#!",
"?/@?AO",
"BAUDUi",
",?-O._/o5",
"REDHOR",
":\u001f;/<?=O",
"2Y\"/td",
"rDtbody",
"x/y?zOdnj",
"p-top:2",
"<img/e",
"\\cf1\\ul",
"u@ widthZ",
"#?]/^?&?\u001f",
";/<?=O>_D/J",
"qBOC_(",
"66c93- 69f2-)",
"cdP-98b\\",
"ph0a5b",
"GOH_Io",
"*O+_,c8",
" p tchaC",
"ODIwYjE2",
"MTMyZDBl",
"OTAxNjNm",
"5YmY7Y2d",
"Hlvbi5jbA,",
"1SUtKSHh",
"3THBIRWg",
"zMks4bk",
"YvM2RZP",
"rg@b(255,",
"$?%O&_'o",
"({ASTREDH",
"-?.O/_2",
"MOB\u001fC/D?EOF_Go",
"R\u001fS/T?",
"l_moc5",
"i/j?kO",
"v.a~u\u001fwon",
"/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=USERDC5E740E",
"SMTP:ASP18@INVITATIONS.MAILINBLACK.COM",
"/o=Metropole de Lyon/ou=Exchange Adm_",
"inistrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6fb35904bfba4dcaa5db20d40441783c-IHN742",
"/o=Metropole de Lyon/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6fb35904bfba4dcaa5db20d40441783c-IHN742",
"EX:/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
"/o=Metropole de Lyon/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6fb35904bfba4dcaa5db20d40441783c-IHN742",
"Root Entry",
"__nameid_version1.0",
"__substg1.0_00020102",
"__substg1.0_00030102",
"ConversationIndexTrackingEx",
"DetectedLanguageJ",
"x-ms-exchange-organization-authsource",
"LatestMessageWordCount",
"IsSigned",
"IsRe__substg1.0_00040102",
"__substg1.0_100D0102",
"__substg1.0_100E0102",
"__substg1.0_10120102",
"adReceipt",
"__substg1.0_10140102",
"__substg1.0_10150102",
"__substg1.0_10170102",
"__substg1.0_10190102",
"__substg1.0_101C0102",
"__substg1.0_001A001F",
"__substg1.0_002C0102",
"__substg1.0_0037001F",
"IPM.Note",
"Re: RE: Vos codes pour l'acc",
"s au site www.astredhor.fr",
"__substg1.0_003B0102",
"__substg1.0_003D001F",
"__substg1.0_003F0102",
"__substg1.0_0040001F",
"Claudine GADOULET",
"Quentin BAUDUIN",
"asp18@invitations.mailinblack.com",
"Quentin BAUDUIN",
"__substg1.0_00410102",
"__substg1.0_0042001F",
"__substg1.0_00430102",
"__substg1.0_0044001F",
"Claudine GADOULET",
"cgadoulet@grandlyon.com",
"asp18@invitations.mailinblack.com",
"cgadoulet@grandlyon.com",
"__substg1.0_004C0102",
"__substg1.0_004D001F",
"__substg1.0_00510102",
"__substg1.0_00520102",
"asp18@invitations.mailinblack.co__substg1.0_00560102",
"__substg1.0_0064001F",
"__substg1.0_0065001F",
"__substg1.0_0070001F",
"RE: Vos codes pour l'acc",
"s au site www.astredhor.fr",
"/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB3590__substg1.0_00710102",
"__substg1.0_0075001F",
"__substg1.0_0076001F",
"__substg1.0_0077001F",
"4BFBA4DCAA5DB20D40441783C-IHN742EX",
"/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742SMTP",
"asp18@invitations.mailinblack.co__substg1.0_0078001F",
"__substg1.0_0079001F",
"__substg1.0_007A001F",
"__substg1.0_007D001F",
"Quentin BAUDUIN",
"asp18@invitations.mailinblack.com",
"Quentin BAUDUIN",
"asp18@invitations.mailinblack.coReceived: from NTHCM783.oscar.gly (10.130.12.52) by NTHCM782.oscar.gly",
" (10.130.12.51) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Mailbox",
" Transport; Mon, 12 Oct 2020 12:54:17 +0200",
"Received: from NTCTI783.oscar.gly (10.130.12.48) by NTHCM783.oscar.gly",
" (10.130.12.52) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 12 Oct",
" 2020 12:54:17 +0200",
"Received: from fx409.security-mail.net (192.168.246.54) by NTCTI783.oscar.gly",
" (10.130.12.48) with Microsoft SMTP Server id 15.0.1497.2 via Frontend",
" Transport; Mon, 12 Oct 2020 12:54:17 +0200",
"X-HUMAIL-SINGLE-LINK: true",
"X-Quarantine-ID: <MDuqC4Zuw13I>",
"X-Virus-Scanned: E-securemail",
"X-Spam-Status: No, score=1.812 tagged_above=-1000 required=5",
"tests=[AB_FROM_WITH_NUMERIC_END_2=0.5, AB_LONG_SUBJ_30=0.001,",
"BO_HUMAIL_SINGLE_LINK=0.0001, DKIM_SIGNED=0.1, DKIM_VALID=-1,",
"FAKE_REPLY_SURE_A=1, FAKE_REPLY_SURE_B=1, FSL_HTML_BLOCK_LOTS_1=0.01,",
"FSL_HTML_BLOCK_LOTS_2=0.01, FSL_HTML_BLOCK_LOTS_3=0.01,",
"FSL_HTML_ENT_LOTS_1=0.01, FSL_HTML_ENT_LOTS_2=0.01,",
"FSL_HTML_ENT_LOTS_3=0.01, FSL_RCVD_EX_3=0.01, FSL_RCVD_UT_3=0.01,",
"HTML_MESSAGE=0.001, MISSING_MID=0.14, T_RP_MATCHES_RCVD=-0.01]",
"autolearn=disabled",
"Authentication-Results: fx409.security-mail.net (amavisd-new);",
"dkim=pass (1024-bit key) header.d=mailinblack.com",
"Secumail-id: <4596.5f8435b8.7d886.0>",
"Received: from da4-mrs.mailinblack.com (da4-mrs.mailinblack.com [185.209.208.14])",
"by fx409.security-mail.net (Postfix) with ESMTPS id 637148A2B2D",
"for <cgadoulet@grandlyon.com>; Mon, 12 Oct 2020 12:53:44 +0200 (CEST)",
"Received: from asp18.mailinblack.com (ip-160.49.mrs.mailinblack.com [192.168.160.49])",
"by da4-mrs.mailinblack.com (Postfix) with ESMTP id 425411402EB",
"for <cgadoulet@grandlyon.com>; Mon, 12 Oct 2020 12:53:44 +0200 (CEST)",
"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailinblack.com;",
"s=invitations; t=1602500024;",
"bh=3a0CQzWWuacTNtecfxJr8ctFcesyNRiaviQ1hd82ahA=;",
"h=From:To:Subject:Date:From;",
"b=oFNf2Lyb9CbZ1fdTGQHqpgA0nFr51pN//KQWLxNVmZ8uxxHxbg60cU+JjxNxJt0vX",
" 1stkueMTEAlOaFfY6/oDVWAMTFvNKiy7y6+fhnQzZSqBBNJ2nhtrYmzrd8swWCW1xl",
" 4Wb1KiScNgl+CdD8QTmdX5JWNhOKl3zwb9PmTMXM=",
"Received: from 127.0.0.1 (localhost [127.0.0.1])",
"by asp18.mailinblack.com (Postfix) with ESMTP id 3D93510B809",
"for <cgadoulet@grandlyon.com>; Mon, 12 Oct 2020 12:53:44 +0200 (CEST)",
"From: Quentin BAUDUIN <asp18@invitations.mailinblack.com>",
"To: cgadoulet@grandlyon.com",
"Message-ID: <451182687.14562.1602500023399.JavaMail.root@asp18.mailinblack.com>",
"Subject: =?UTF-8?Q?Re:_RE:_Vos_codes_pour_l'acc=C3=A8s_au_site_www.astredhor.fr?=",
"MIME-Version: 1.0",
"Content-Type: multipart/mixed;",
"boundary=\"----=_Part_14560_248524585.1602500023399\"",
"X-MIB: 0jze9djKvVI0JfgM5GillodAvPM=",
"Date: Mon, 12 Oct 2020 10:53:38 +0000",
"X-Virus-Scanned: by Secumail",
"Return-Path: asp18@invitations.mailinblack.com",
"X-MS-Exchange-Organization-Network-Message-Id: f5094e1e-7a53-49f2-ce86-08d86e9d2aa3",
"X-MS-Exchange-Organization-AuthSource: NTCTI783.oscar.gly",
"X-MS-Exchange-Organization-AuthAs: Anonymous",
"__substg1.0_0C190102",
"__substg1.0_0C1A001F",
"__substg1.0_0C1D0102",
"__substg1.0_0C1E001F",
"__substg1.0_0C1F001F",
"__substg1.0_0E02001F",
"__substg1.0_0E03001F",
"__substg1.0_0E04001F",
"Claudine GADOULET",
"RE: Vos codes pour l'acc",
"s au site www.astredhor.fr",
"__substg1.0_0E4B0102",
"__substg1.0_0E580102",
"__substg1.0_0F030102",
"__substg1.0_1000001F",
"__substg1.0_10090102",
"__substg1.0_1015001F",
"__substg1.0_1035001F",
"linblack.com/upload/imageRoot/1c949b0371e649c7b527e666b31edd55/Nouveau%20logo%20Astredhor(3).jpg>",
" Bonjour,",
"Vous venez de m'envoyer un message mais votre adresse email m'est pour le moment inconnue. L'antispam Mailinblack utilis",
" par ASTREDHOR, l'Institut technique de l'horticulture, a ainsi temporairement bloqu",
" votre email. Il ne m'est donc pas encore parvenu.",
"Afin de d",
"livrer votre message, je vous invite ",
" cliquer sur ce lien<http://asp18.mailinblack.com> et ",
" saisir les quelques lettres et chiffres demand",
"s. Ceci validera votre adresse et le message me parviendra. Notez qu' ",
" votre prochain envoi d'email, vous serez alors directement reconnu et vous n'aurez plus ",
" recommencer cette ",
"Vous en remerciant par avance.",
"Bien cordialement,",
"Quentin BAUDUIN",
"ASTREDHOR",
" <http://asp18.mailinblack.com/images/line.jpg>",
" Every new contact matters to",
"Quentin BAUDUIN and ASTREDHOR !",
" <http://asp18.mailinblack.com/upload/1f466c93-69f2-48cd-98bd-7dd4f77caa5b>",
" Hello,",
"I woud like to invite you to join my network of trusted contacts.",
"Click on this link<http://asp18.mailinblack.com/captchaCom/captcha.jsp?id=NDAyODIwYjE2MTMyZDBlOTAxNjNmNDYxNzE4MzE5YmY7Y2dhZG91bGV0QGdyYW5kbHlvbi5jb207RU47MTN1SUtKSHh3THBIRWgzMks4bk5jTHYvM2RZPQ==&loc=en> to ensure the delivery of your message and to benefit from all the advantages of being part of my network.",
"Kind regards.",
"Quentin BAUDUIN",
"ASTREDHOR",
"89EAE165E252DE449C21229F317C714F@grandlyon.com",
"<451182687.14562.1602500023399.JavaMail.root@asp18.mailinblack.com>",
"__substg1.0_300B0102",
"__substg1.0_30140102",
"__substg1.0_3FF8001F",
"__substg1.0_3FF90102",
"Contact Informatique de la M",
"tropole",
"cgadoulet@grandlyon.com",
"__substg1.0_3FFA001F",
"__substg1.0_4022001F",
"__substg1.0_4023001F",
"__substg1.0_4024001F",
"/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=USERDC5E740E",
"asp18@invitations.mailinblack.com",
"__substg1.0_4025001F",
"__substg1.0_4030001F",
"__substg1.0_4031001F",
"__substg1.0_4034001F",
"Quentin BAUDUIN",
"Quentin BAUDUIN",
"6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
"6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
"Contact Informatique de la M",
"tropole",
"__substg1.0_4035001F",
"__substg1.0_4038001F",
"__substg1.0_4039001F",
"__substg1.0_405E001F",
"Quentin BAUDUIN",
"Quentin BAUDUIN",
"Quentin BAUDUIN",
"asp18@invitations.mailinblack.com",
"asp18@invitations.mailinblack.com",
"__substg1.0_4060001F",
"__substg1.0_40610102",
"__substg1.0_5D01001F",
"__substg1.0_5D02001F",
"__substg1.0_5D06001F",
"__substg1.0_5D07001F",
"__substg1.0_5D08001F",
"__substg1.0_8001001F",
"asp18@invitations.mailinblack.com",
"cgadoulet@grandlyon.com",
"cgadoulet@grandlyon.com",
"BT=0;II=<invalid>;SBT=230;THA=3701817737;FIXUP=233,5707;Version=Version 15.0 (Build 1497.0), Stage=H8",
"__substg1.0_8002001F",
"__substg1.0_8003001F",
"__substg1.0_8007001F",
"__substg1.0_8008001F",
"NTCTI783.oscar.gly",
"ext.dcs.nschwartzmann@grandlyon.com",
"00000002",
"fc86073d-9b2d-43b8-af8a-d9e9d69f36aa@grandlyon.com/o=Metropole de Lyon/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6819bd85d5454336abcda3403f398314-PJX333",
<