Solved

Any concern about using an Outlook macro to display headers and body of suspect emails?

Posted on 2016-10-19
79 Views
Last Modified: 2016-10-20
Folks,

When I get a suspicious email, I use a macro to extract its body and main headers and display them in Notepad.

I always assumed that because I was processing text data this was a pretty safe thing to do. However, as I'm a babe in the woods concerning Outlook security weaknesses, I'd appreciate any expert advice as to how advisable my behaviour is.

I am using Outlook 2016 in Windows 8.1.

Many thanks,
Brian.
Question by: redmondb

9 Comments

LVL 88

Expert Comment

by:rindi
ID: 41851104
I would disable macros altogether with mail. Macros are one of the main ways viruses get into your system via e-mail; for example, much of the ransomware uses that as one of the ways to get in.
 
LVL 68

Accepted Solution

by: Qlemo (earned 500 total points)
ID: 41851113
There is a difference between disallowing active content in mails (which you do, of course) and using macros. Of course I use macros to do similar stuff (while building something much better for SPAM filtering), and there is nothing bad about that.

Notepad content cannot be active, and hence cannot do any harm. There could be a flaw in the Notepad implementation (or the graphics card driver), but no one will ever use that for malicious purposes, as it just doesn't pay off without a broad base being vulnerable to it ;-).
 
LVL 62

Expert Comment

by:btan
ID: 41851281
You should disable macros in Office by default, turn on inspection of active-script email attachments in Exchange, and disable browser active scripting, e.g. by using the NoScript plugin for Chrome and FF. Ransomware has been delivered by those script-based files, which should have been filtered away from the user client machine.

Best practice for finding executable content in transport rules for Exchange
https://blogs.technet.microsoft.com/eopfieldnotes/2014/10/14/best-practices-for-finding-executable-content/
 
LVL 26

Author Comment

by:redmondb
ID: 41851397
Thanks, folks.

Rindi
I'm running the macro to try to avoid executing anything in the email. Some security settings...
 - Attachment Preview is turned off.
 - "Notifications for digitally signed macros, all other macros disabled."
 - I don't use the reading pane.
 - I'm only automatically downloading images for whitelisted senders or Trusted Zone sites.

Qlemo
"while building something much better for SPAM filtering"
I'm all ears! Could you tell me more about this, please?
BTW, I'm pretty happy that, once the data has been extracted, simply pasting it into Notepad isn't a problem - it's processing the email to get the data in the first place that's my concern.

btan
I'm not using Exchange, instead all of my emails are coming via POP from GMail, Yahoo, etc.
 
LVL 62

Expert Comment

by:btan
ID: 41851472
Webmail via browser can consider use of NoScript https://noscript.net/features

Using it, as a whole via browser, you will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust. You can allow a site to run scripts temporarily, if you're just surfing randomly, or permanently, when you visit it often and you really trust it.

I think most of the time it is spam or an unknown sender that sends phishing email carrying those malicious attachments or links. So maybe we can reduce it by kicking out the spam as a first cut. The other is execution control: we may want to leverage AppLocker to allow only whitelisted applications or scripts to run, though that is not foolproof. The use of SPF, DKIM and DMARC should mitigate those unsolicited email senders and domains.

You may want to check out Mailwasher

MailWasher retrieves information about all your email on the server. With that information (some of which is also processed by MailWasher), you can decide what to do with each individual email - download or delete.

If you check your accounts with MailWasher first, you can delete the email you do not want. Then, when you use your email program, it downloads only the remaining email, those that you want to read.
http://www.firetrust.com/products/mailwasher-pro/support/frequently-asked-questions#how-do-i-use-mailwasher-pro

Or SpamReader, which supports rules to identify unsolicited mail prior to opening it
http://www.spam-reader.com/outlook-spam-blocker.shtml
 
LVL 26

Author Comment

by:redmondb
ID: 41851744
btan,

Thanks for the suggestions (I'm already using Norton Security and the number of accounts and emails means that using a browser instead of Outlook is not an option), but this question is about identifying issues with my current approach.
 
LVL 68

Assisted Solution

by: Qlemo (earned 500 total points)
ID: 41851793
Neither processing in VBA nor pasting/displaying in Notepad is a danger per se. Uncaptured buffer overflows can always be used to inject malicious stuff, but I don't know of any, and the effectiveness of such an exploit is questionable, so a tailored attack is very unlikely.

The "building .. SPAM .." note is referring to one of the many commercial on-site SPAM filter products allowing the users to gain individual control over their settings, so nothing much to tell about :D.
 
LVL 62

Expert Comment

by:btan
ID: 41851838
Thanks. I see it as safe with Notepad as long as it is not saved with a file extension of those active scripts like below. It is not straightforward to run the exploit in that extracted form.

Executable rules: .exe, .com
Windows Installer rules: .msi, .msp
Scripts rules: .ps1, .bat, .cmd, .vbs, .js

As long as we do not open the attachment directly by double-clicking (as it is associated with the default application that runs it), but instead open it with a hex editor (not Office) or a sandboxed Notepad editor via Sandboxie, it minimally helps to mitigate the risk of any dropper file footprint infecting the host's actual system files.

Just my two cents.
 
LVL 26

Author Comment

by:redmondb
ID: 41852124
Thanks, folks, that's my peace of mind restored.

I'm giving the solution to qlemo as his answers were most focused on my question. In addition, he also alerted me to the possibility of, presumably, "non-printable" characters upsetting Notepad. I'll change the macro to drop these.

Cheers.
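The thread ends on two concrete hardening points for the "extract to plain text" approach: the asker plans to drop non-printable characters before the text reaches Notepad, and btan's list shows why the output file's extension matters. As an added example (not the asker's Outlook macro, not Qlemo's or btan's code, and not written in VBA), the block below renders that extraction step in Python with both points applied, and goes slightly beyond "drop these": every control, format or otherwise non-printable character is replaced with a visible `<U+XXXX>` marker, so the analyst can still see that something invisible (a terminal escape sequence, a zero-width space, a bidirectional override) was present in the message. Attachments are listed by name and type but never decoded or opened, and the report file always gets a `.txt` extension so that its name can never associate it with a script interpreter. The message in `SAMPLE_RAW`, the example.net/example.org addresses and all function names are constructed for this demonstration.

```python
"""Added example: sanitized header/body extraction for a suspicious email.
Not the asker's macro; sample message and names are constructed."""
import email
import re
import tempfile
import unicodedata
from email import policy
from pathlib import Path

# Constructed sample message (not a real email). The text part is
# quoted-printable so the odd characters travel safely: =1B is ESC (start
# of a terminal escape sequence), =E2=80=AE is U+202E (right-to-left
# override); the encoded-word Subject carries U+200B (zero-width space).
SAMPLE_RAW = (
    "Return-Path: <bounce@example.net>\r\n"
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    "\tby mail.example.org with ESMTP id abc123;"
    " Wed, 19 Oct 2016 10:00:00 +0000\r\n"
    "From: Accounts <accounts@example.net>\r\n"
    "Reply-To: someone-else@example.com\r\n"
    "To: brian@example.org\r\n"
    "Subject: =?utf-8?q?Your_invoice_=E2=80=8B?=\r\n"
    "Date: Wed, 19 Oct 2016 09:59:58 +0000\r\n"
    "Message-ID: <20161019095958.1@example.net>\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "Please see the attached file.\r\n"
    "=1B[2J=E2=80=AEHidden text\r\n"
    "--XYZ\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="invoice.zip"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "UEsDBAo=\r\n"
    "--XYZ--\r\n"
)

HEADERS_OF_INTEREST = ("From", "Reply-To", "Return-Path", "To",
                       "Subject", "Date", "Message-ID")
KEEP = {"\n", "\t"}   # the only control characters allowed through


def sanitize(text: str) -> str:
    """Normalise line endings and make every non-printable character visible.

    Unicode general categories starting with 'C' cover ASCII/C1 controls (Cc),
    format characters such as zero-width and bidi overrides (Cf), surrogates,
    private-use and unassigned code points. Each one becomes <U+XXXX>.
    """
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    out = []
    for ch in text:
        if ch in KEEP or not unicodedata.category(ch).startswith("C"):
            out.append(ch)
        else:
            out.append(f"<U+{ord(ch):04X}>")
    return "".join(out)


def extract_report(raw: str) -> str:
    """Parse a raw RFC 5322 message and return a sanitized text report.

    Only header values, attachment names/types and the text/plain body are
    copied; attachment contents are never decoded or opened.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    lines = []
    for name in HEADERS_OF_INTEREST:
        for value in msg.get_all(name, []):
            lines.append(f"{name}: {sanitize(str(value))}")
    for value in msg.get_all("Received", []):   # topmost hop first, as in the message
        lines.append(f"Received: {sanitize(str(value))}")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        lines.append(f"Attachment: {sanitize(name)} ({part.get_content_type()})")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else "<no text/plain body>"
    lines += ["", sanitize(text)]
    return "\n".join(lines)


def safe_output_path(directory: str, stem: str) -> Path:
    """Report path with a restricted character set and always a .txt suffix."""
    clean = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "message"
    return Path(directory) / f"{clean}.txt"


def write_report(raw: str, directory: str, stem: str = "message") -> Path:
    path = safe_output_path(directory, stem)
    path.write_text(extract_report(raw), encoding="utf-8")
    return path


def demo() -> str:
    """Write the sample report into a temporary directory and return its text."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_report(SAMPLE_RAW, tmp, "invoice.js")   # saved as invoice_js.txt
        return path.read_text(encoding="utf-8")


if __name__ == "__main__":
    print(demo())
```

Run the module directly to print the report; the escape sequence, the override and the zero-width space show up as `<U+001B>`, `<U+202E>` and `<U+200B>` rather than being rendered, and the `Reply-To` that differs from `From` is visible at a glance. The same `sanitize` step is what the VBA macro would apply to each header value and to the body before handing the text to Notepad.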
Question has a verified solution.