If the email is originally sent to the monitored mailbox then all works fine but if a mail is forwarded on for investigation from a user, then the original From field isn't pulled in as an observable (as it's in the header).
Looking at the code I've uncommented this line which does pull in all the observables from the header:
As this pulls in all observables from the header, including internal IPs etc., is there a better way to do this other than through whitelisting?