Solved

Any concern about using an Outlook macro to display headers and body of suspect emails?

Posted on 2016-10-19
Last Modified: 2016-10-20
Folks,

When I get a suspicious email, I use a macro to extract its body and main headers and display them in Notepad.

I always assumed that because I was processing text data this was a pretty safe thing to do. However, as I'm a babe in the woods concerning Outlook security weaknesses, I'd appreciate any expert advice as to how advisable my behaviour is.

I am using Outlook 2016 in Windows 8.1.

Many thanks,
Brian.
Question by:redmondb
9 Comments
 
LVL 87

Expert Comment

by:rindi
I would disable macros altogether with mail. Macros are one of the main ways viruses get into your system via e-mail; for example, much of the ransomware uses that as one of its ways to get in.
 
LVL 68

Accepted Solution

by:Qlemo (earned 500 total points)
There is a difference between disallowing active content in mails (which you do, of course) and using macros. Of course I use macros to do similar stuff (while building something much better for SPAM filtering), and there is nothing bad about that.

Notepad content cannot be active, and hence cannot do any harm. There could be a flaw in the Notepad implementation (or the graphics card driver), but no one will ever use that for malicious purposes, as it just doesn't pay off without a broad base being vulnerable to it ;-).
 
LVL 61

Expert Comment

by:btan
You should disable macros in Office by default, turn on inspection of active-script e-mail attachments in Exchange, and disable active scripting in the browser, e.g. by using the NoScript plugin for Chrome and FF. Ransomware has been delivered by those script-based files, which should have been filtered off from the user's client machine.

Best practice for finding executable content in transport rules for Exchange
https://blogs.technet.microsoft.com/eopfieldnotes/2014/10/14/best-practices-for-finding-executable-content/
 
LVL 26

Author Comment

by:redmondb
Thanks, folks.

Rindi
I'm running the macro to try to avoid executing anything in the email. Some security settings...
 - Attachment Preview is turned off.
 - "Notifications for digitally signed macros, all other macros disabled."
 - I don't use the reading pane.
 - I'm only automatically downloading images for whitelisted senders or Trusted Zone sites.

Qlemo
"while building something much better for SPAM filtering"
I'm all ears! Could you tell me more about this, please?
BTW, I'm pretty happy that, once the data has been extracted, simply pasting it into Notepad isn't a problem - it's processing the email to get the data in the first place that's my concern.

btan
I'm not using Exchange, instead all of my emails are coming via POP from GMail, Yahoo, etc.
LVL 61

Expert Comment

by:btan
Webmail via browser can consider use of NoScript: https://noscript.net/features

Using it, as a whole via browser, you will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust. You can allow a site to run scripts temporarily, if you're just surfing randomly, or permanently, when you visit it often and you really trust it.

I think most of the time it is spam or an unknown sender that sends phishing email carrying those malicious attachments or links. So maybe we can reduce the risk by kicking out the spam as a first cut. The other is execution control: we may want to leverage AppLocker to allow only whitelisted applications or scripts to run, though it is not foolproof. The use of SPF, DKIM and DMARC should mitigate those unsolicited email senders and domains.

You may want to check out Mailwasher

MailWasher retrieves information about all your email on the server. With that information (some of which is also processed by MailWasher), you can decide what to do with each individual email - download or delete.

If you check your accounts with MailWasher first, you can delete the email you do not want. Then, when you use your email program, it downloads only the remaining email, those that you want to read.
http://www.firetrust.com/products/mailwasher-pro/support/frequently-asked-questions#how-do-i-use-mailwasher-pro

Or SpamReader, which supports rules to identify unsolicited mail prior to opening it:
http://www.spam-reader.com/outlook-spam-blocker.shtml
 
LVL 26

Author Comment

by:redmondb
btan,

Thanks for the suggestions (I'm already using Norton Security and the number of accounts and emails means that using a browser instead of Outlook is not an option), but this question is about identifying issues with my current approach.
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 500 total points
Neither processing in VBA nor pasting/displaying in Notepad is a danger per se. Uncaught buffer overflows can always be used to inject malicious stuff, but I don't know of any, and the effectiveness of such an exploit is questionable, so a tailored attack is very unlikely.

The "building .. SPAM .." note is referring to one of the many commercial on-site SPAM filter products allowing the users to gain individual control over their settings, so nothing much to tell about :D.
 
LVL 61

Expert Comment

by:btan
Thanks. I see it as safe with Notepad as long as it is not saved with a file extension of one of those active scripts, like below. It is not straightforward to run the exploit in that extracted form.

Executable rules: .exe, .com
Windows Installer rules: .msi, .msp
Scripts rules: .ps1, .bat, .cmd, .vbs, .js

As long as we do not open the attachment directly by double-clicking (as it is associated with the default application that runs it), but instead open it with a hex editor (not Office) or a sandboxed Notepad editor via Sandboxie, it minimally helps to mitigate the risk of any dropper file footprint infecting the host's actual system files.

Just my two cents.
 
LVL 26

Author Comment

by:redmondb
Thanks, folks, that's my peace of mind restored.

I'm giving the solution to qlemo as his answers were most focused on my question. In addition, he also alerted me to the possibility of, presumably, "non-printable" characters upsetting Notepad. I'll change the macro to drop these.

Cheers.
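As an added example (not the asker's macro, nor code from any of the answers): an Outlook VBA routine that pulls the transport headers and the plain-text body of the selected message, drops non-printable characters as the asker decided to do, writes the result under a fixed .txt name as btan suggests, and launches Notepad explicitly. DumpSuspectMail, StripControlChars and the suspect_mail.txt file name are names chosen here; the MAPI property tag and the Scripting.FileSystemObject calls are standard Outlook/Windows ones.

```vba
Option Explicit

' MAPI tag for PR_TRANSPORT_MESSAGE_HEADERS (Unicode string)
Private Const PR_TRANSPORT_MESSAGE_HEADERS As String = _
    "http://schemas.microsoft.com/mapi/proptag/0x007D001F"

' Keep printable characters plus TAB/CR/LF; drop NUL, ESC and other
' control characters so Notepad only ever receives plain text.
Public Function StripControlChars(ByVal s As String) As String
    Dim i As Long, c As Long, out As String
    For i = 1 To Len(s)
        c = AscW(Mid$(s, i, 1))
        If c < 0 Then c = c + 65536   ' AscW returns a signed Integer
        If c = 9 Or c = 10 Or c = 13 Or (c >= 32 And c <> 127) Then
            out = out & ChrW$(c)
        End If
    Next i
    StripControlChars = out
End Function

Public Sub DumpSuspectMail()
    Dim itm As Object, headers As String, text As String, path As String
    If Application.ActiveExplorer.Selection.Count <> 1 Then
        MsgBox "Select exactly one message.", vbExclamation: Exit Sub
    End If
    Set itm = Application.ActiveExplorer.Selection.Item(1)
    If TypeName(itm) <> "MailItem" Then
        MsgBox "Selected item is not a mail message.", vbExclamation: Exit Sub
    End If
    ' Transport headers are absent on locally created mail; tolerate that.
    On Error Resume Next
    headers = itm.PropertyAccessor.GetProperty(PR_TRANSPORT_MESSAGE_HEADERS)
    On Error GoTo 0
    ' .Body is the plain-text rendering; HTML and attachments are never touched.
    text = "=== HEADERS ===" & vbCrLf & headers & vbCrLf & _
           "=== BODY ===" & vbCrLf & itm.Body
    text = StripControlChars(text)
    ' Fixed .txt name in %TEMP%, never derived from the message, so the file
    ' can never carry a script or executable extension (.vbs, .js, .cmd ...).
    path = Environ$("TEMP") & "\suspect_mail.txt"
    With CreateObject("Scripting.FileSystemObject").CreateTextFile(path, True, True)
        .Write text
        .Close
    End With
    ' Launch Notepad explicitly instead of relying on the file association.
    Shell "notepad.exe """ & path & """", vbNormalFocus
End Sub
```

Run DumpSuspectMail with one message selected in the Outlook explorer; the macro signing and "all other macros disabled" settings the asker already uses apply to it like any other module.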