Malicious email attachments fail to get extracted from the email log causing some files that are present in Phish emails to not get copied into security incidents - Known Error

Malicious email attachments fail to get extracted from the email log causing some files that are present in Phish emails to not get copied into security incidents Description If users report phishing to a specific mailbox, and this mailbox stores the original message and sends it to the ServiceNow instance using a forward as attachment (.msg file), the system will not copy it to the security incident if the reported file inside that msg attachment contains a special character.

Steps to Reproduce

1 - Attach a file with a special character to an email, i.e.: 📞_file.pdf. 2 - Use transfer as an attachment to report the email as phish email. It will be transferred to the instance as part of an .msg file. 3 - Check the security incident, there is no 📞_file.pdf on the observables.

Workaround This problem has been fixed in Security Incident Response v12.8.9. If you are able to upgrade, review the Fixed In section to determine the latest version with a permanent fix your instance can be upgraded to.

For a temporary workaround, try reporting the same email via "Report Phish Email", the phishing email created from this approach will contain all the attachments in .eml file: Left menu -> Security Incident -> Report Phish Email - > Attach the raw email and click on submit.