Open Outlook .msg Files on Linux: Convert to .eml with msgconvert
A user reports a suspicious mail, and what lands in your triage folder is a .msg
file — dragged out of Outlook or exported by an admin. You want to look at the
headers and body in VS Code or any editor on your analysis machine, but nothing
can open it: .msg is a proprietary Microsoft OLE container, not a text format.
msgconvert solves this in one command. It converts .msg files to .eml —
the standard RFC 822 format that every mail tool, editor, and analysis script
understands.
Pre-requisites
- A Debian- or Ubuntu-based analysis system — a dedicated VM, or WSL on a Windows workstation
sudorights to install a package
Handle live samples with care
A user-reported phishing mail is potentially hostile input. Work on an isolated analysis VM, do not open embedded attachments, and do not follow links from the message body. Converting and reading the file as text is safe — executing its contents is not.
Step 1: Install msgconvert
The converter ships with the Perl library Email::Outlook::Message:
apt resolves all required Perl dependencies (such as libemail-sender-perl)
automatically.
Verify the tool is available:
Step 2: Convert the File
This writes suspicious-mail.eml next to the input file. The original .msg
stays untouched. Multiple files work in one call:
One caveat from the manpage: msgconvert does not check whether the output
file already exists — a second run silently overwrites, and two inputs differing
only in case (Report.MSG vs report.msg) collide into one output file. In a
triage folder with many samples, convert into a dedicated working directory.
Step 3: Analyse the .eml
The .eml file is plain text. Open it in any editor:
What you get:
- Full header chain at the top —
Received:hops (read bottom-up),Authentication-Results:with SPF/DKIM/DMARC verdicts,Return-Path, and the often-spoofedFrom:/Reply-To:pair. - Body parts as MIME sections — the HTML body in readable source form, so you can extract link targets without rendering anything.
- Attachments as base64 blocks — visible and hashable without being executed.
Since .eml is the universal exchange format, the same file also feeds into
analysis tooling (Thunderbird, mu, Python's email module, or an online
header analyser) without further conversion.
Alternative: Deliver Into an mbox
For bulk triage it can be handier to collect everything into a single mailbox file and step through it with a mail client: