Skip to content

Open Outlook .msg Files on Linux: Convert to .eml with msgconvert

A user reports a suspicious mail, and what lands in your triage folder is a .msg file — dragged out of Outlook or exported by an admin. You want to look at the headers and body in VS Code or any editor on your analysis machine, but nothing can open it: .msg is a proprietary Microsoft OLE container, not a text format.

msgconvert solves this in one command. It converts .msg files to .eml — the standard RFC 822 format that every mail tool, editor, and analysis script understands.


Pre-requisites

  • A Debian- or Ubuntu-based analysis system — a dedicated VM, or WSL on a Windows workstation
  • sudo rights to install a package

Handle live samples with care

A user-reported phishing mail is potentially hostile input. Work on an isolated analysis VM, do not open embedded attachments, and do not follow links from the message body. Converting and reading the file as text is safe — executing its contents is not.


Step 1: Install msgconvert

The converter ships with the Perl library Email::Outlook::Message:

sudo apt-get install libemail-outlook-message-perl

apt resolves all required Perl dependencies (such as libemail-sender-perl) automatically.

Verify the tool is available:

msgconvert --help

Step 2: Convert the File

msgconvert suspicious-mail.msg

This writes suspicious-mail.eml next to the input file. The original .msg stays untouched. Multiple files work in one call:

msgconvert *.msg

One caveat from the manpage: msgconvert does not check whether the output file already exists — a second run silently overwrites, and two inputs differing only in case (Report.MSG vs report.msg) collide into one output file. In a triage folder with many samples, convert into a dedicated working directory.


Step 3: Analyse the .eml

The .eml file is plain text. Open it in any editor:

code suspicious-mail.eml

What you get:

  • Full header chain at the top — Received: hops (read bottom-up), Authentication-Results: with SPF/DKIM/DMARC verdicts, Return-Path, and the often-spoofed From:/Reply-To: pair.
  • Body parts as MIME sections — the HTML body in readable source form, so you can extract link targets without rendering anything.
  • Attachments as base64 blocks — visible and hashable without being executed.

Since .eml is the universal exchange format, the same file also feeds into analysis tooling (Thunderbird, mu, Python's email module, or an online header analyser) without further conversion.


Alternative: Deliver Into an mbox

For bulk triage it can be handier to collect everything into a single mailbox file and step through it with a mail client:

msgconvert --mbox triage.mbox *.msg