Take advantage of MS normalized URL field if available in email headers

[seanmcfeely]

In the process of modifying urlfinderlib to correctly normalize URLs by mapping bytes from the universal character set to ascii for IRI -> URL mapping according to https://tools.ietf.org/html/rfc3987#section-3.1 I noticed this field in email headers from o365:

X-MS-Exchange-Organization-Persisted-Urls-0: 
	[{"ID":1,"OU":"https:/\\link­edin.­com/redirect?url=REMOVED","IBT":false,"U":"https://linkedin.com/redirect?url=REMOVED","DNR":false,"IAR":false,"LI":{"TN":"a","IC":true,"BF":2,"SI":-1,"EndIndex":-1},"SRCI":1,"CannonicalizedUrl":null,"NormalizedUrl":"https://linkedin.com/redirect?url=REMOVED","DPD":{"UF":"256","OCH":"6062848974812180643","CNT":"1","SL":"1"},"PROC":[]}]

So when parsing email files, check for this field and for a value inside of the NormalizedUrl field and create a URL observable with the value.

[seanmcfeely]

I just saw that I apparently did this:

I will either knock this one out in the next week or two, or I will close it. I've only seen where it would have benefitted us twice, so it may be a waste of time considering that the same info can be pulled from the graph api.