diff --git a/mail_to_misp.py b/mail_to_misp.py
index 2092860..5c3aefe 100755
--- a/mail_to_misp.py
+++ b/mail_to_misp.py
@@ -133,6 +133,7 @@ misp_key = config.misp_key
 misp_verifycert = config.misp_verifycert
 m2m_key = config.m2m_key
 m2m_auto_distribution = config.m2m_auto_distribution
+m2m_attachment_keyword = config.m2m_attachment_keyword
 resolver = dns.resolver.Resolver(configure=False)
 resolver.nameservers = config.nameservers
@@ -332,9 +333,12 @@ if stdin_used:
         if debug:
             syslog.syslog(str(attachment)[:200])
         event_id = misp_event.id
-        misp.upload_sample(filename, output_path, event_id, distribution=5, to_ids=True)
-        file_hash = hashlib.sha256(open(output_path, 'rb').read()).hexdigest()
-        sight(sighting, file_hash)
+        if m2m_attachment_keyword in email_data:
+            misp.add_attachment(misp_event, output_path, filename=filename, category="External analysis")
+        else:
+            misp.upload_sample(filename, output_path, event_id, distribution=5, to_ids=True)
+            file_hash = hashlib.sha256(open(output_path, 'rb').read()).hexdigest()
+            sight(sighting, file_hash)
         if auto_publish:
             misp.publish(misp_event, alert=False)
diff --git a/mail_to_misp_config.py-example b/mail_to_misp_config.py-example
index 49c3325..aa44b45 100644
--- a/mail_to_misp_config.py-example
+++ b/mail_to_misp_config.py-example
@@ -8,6 +8,7 @@ misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web inte
 misp_verifycert = True
 m2m_key = 'YOUSETYOURKEYHERE'
 m2m_auto_distribution = '3' # 3 = All communities
+m2m_attachment_keyword = 'attachment:benign'
 debug = False
 nameservers = ['149.13.33.69']
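Review bot: `config.m2m_attachment_keyword` is read unconditionally, so an existing deployment whose config file predates this key fails with AttributeError at module load, before any mail is processed. A tolerant read such as `m2m_attachment_keyword = getattr(config, 'm2m_attachment_keyword', None)` keeps older configs working, provided the use site later in the file treats None as "never match". The surrounding module-level statement run continues outside the hunk.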
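Review bot: The check `if m2m_attachment_keyword in email_data:` lets a substring found anywhere in the mail decide that the file is stored as a plain attachment via add_attachment rather than as a sample via upload_sample with to_ids=True, and in that branch no SHA-256 is computed and no sighting is recorded, so the file presumably loses the handling given to potentially malicious samples. If email_data holds the full raw message (headers, body and encoded attachments) rather than just the body text, the keyword can also match inside content the sender did not knowingly write, so the test should be limited to the body or subject and evaluated once before the per-attachment loop instead of for every attachment. The else branch keeps `open(output_path, 'rb').read()` without closing the handle; `with open(output_path, 'rb') as fh: file_hash = hashlib.sha256(fh.read()).hexdigest()` fixes that. The enclosing loop and the `if stdin_used:` block begin outside the hunk.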
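Review bot: The new `m2m_attachment_keyword = 'attachment:benign'` line carries no comment, while the neighbouring settings explain their meaning inline, so a reader of the example config cannot tell what the keyword triggers. Add a trailing comment such as `# if this string appears in the mail, attachments are added as plain attachments (category "External analysis") instead of uploaded as samples`.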