Any concern about using an Outlook macro to display headers and body of suspect emails?

Folks,

When I get a suspicious email, I use a macro to extract its body and main headers and display them in Notepad.

I always assumed that because I was processing text data this was a pretty safe thing to do. However, as I'm a babe in the woods concerning Outlook security weaknesses, I'd appreciate any expert advice as to how advisable my behaviour is.

I am using Outlook 2016 in Windows 8.1.

Many thanks,
Brian.
redmondb Asked:
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
It makes a difference whether you disallow active content in mails - you do, of course - or use macros. Of course I use macros to do similar stuff (while building something much better for SPAM filtering), and there is nothing bad about that.

Notepad content cannot be active, and hence cannot do any harm. There could be a flaw in the Notepad implementation (or the graphics card driver), but no one will ever use that for malicious purposes as it just doesn't pay off without a broad base being vulnerable to it ;-).
0
 
rindi Commented:
I would disable macros altogether with mail. Macros are one of the main ways viruses get into your system via e-mail; for example, much ransomware uses that as one of the ways to get in.
0
 
btan (Exec Consultant) Commented:
Macros should be disabled by default in Office, inspection of active-script email attachments turned on in Exchange, and browser active scripting disabled, e.g. with the NoScript plugin for Chrome and FF. Ransomware has been delivered by those script-based files, which should have been filtered off from user client machines.

Best practice for finding executable content in transport rules for Exchange
https://blogs.technet.microsoft.com/eopfieldnotes/2014/10/14/best-practices-for-finding-executable-content/
0
 
redmondb (Author) Commented:
Thanks, folks.

Rindi
I'm running the macro to try to avoid executing anything in the email. Some security settings...
 - Attachment Preview is turned off.
 - "Notifications for digitally signed macros, all other macros disabled."
 - I don't use the reading pane.
 - I'm only automatically downloading images for whitelisted senders or Trusted Zone sites.

Qlemo
"while building something much better for SPAM filtering"
I'm all ears! Could you tell me more about this, please?
BTW, I'm pretty happy that, once the data has been extracted, simply pasting it into Notepad isn't a problem - it's processing the email to get the data in the first place that's my concern.

btan
I'm not using Exchange, instead all of my emails are coming via POP from GMail, Yahoo, etc.
0
 
btan (Exec Consultant) Commented:
For webmail via a browser, consider using NoScript https://noscript.net/features

Using it, as a whole via the browser, you will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust. You can allow a site to run scripts temporarily, if you're just surfing randomly, or permanently, when you visit it often and you really trust it.

I think most of the time it is spam or an unknown sender that sends the phishing email carrying those malicious attachments or links. So maybe we can reduce it by kicking out the spam as a first cut. The other is execution control: we may want to leverage AppLocker so that only whitelisted applications or scripts run, though that is not foolproof. The use of SPF, DKIM and DMARC should mitigate those unsolicited email senders and domains.

You may want to check out Mailwasher

MailWasher retrieves information about all your email on the server. With that information (some of which is also processed by MailWasher), you can decide what to do with each individual email - download or delete.

If you check your accounts with MailWasher first, you can delete the email you do not want. Then, when you use your email program, it downloads only the remaining email, those that you want to read.
http://www.firetrust.com/products/mailwasher-pro/support/frequently-asked-questions#how-do-i-use-mailwasher-pro

Or SpamReader, which supports rules to identify unsolicited mail prior to opening it
http://www.spam-reader.com/outlook-spam-blocker.shtml
0
 
redmondb (Author) Commented:
btan,

Thanks for the suggestions (I'm already using Norton Security and the number of accounts and emails means that using a browser instead of Outlook is not an option), but this question is about identifying issues with my current approach.
0
 
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
Neither processing in VBA nor pasting/displaying in Notepad is a danger per se. Uncaught buffer overflows can always be used to inject malicious stuff, but I don't know of any, and the effectiveness of such an exploit is questionable, so a tailored attack is very unlikely.

The "building .. SPAM .." note is referring to one of the many commercial on-site SPAM filter products allowing the users to gain individual control over their settings, so nothing much to tell about :D.
0
 
btan (Exec Consultant) Commented:
Thanks. I see it as safe with Notepad as long as it is not saved with a file extension of one of the active script types below. It is not straightforward to run the exploit in that extracted form.

Executable rules: .exe, .com
Windows Installer rules: .msi, .msp
Scripts rules: .ps1, .bat, .cmd, .vbs, .js

As long as we do not open the attachment directly by double-clicking (as that runs it with the associated default application), but instead open it with a hex editor (not Office) or a sandboxed Notepad editor via Sandboxie, it at least helps to mitigate the risk of any dropper file footprint infecting the host's actual system files.

Just my two cents
0
 
redmondb (Author) Commented:
Thanks, folks, that's my peace of mind restored.

I'm giving the solution to qlemo as his answers were most focused on my question. In addition, he also alerted me to the possibility of, presumably, "non-printable" characters upsetting Notepad. I'll change the macro to drop these.

Cheers.
0
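As an added, runnable illustration that is not part of the original thread and not Brian's actual macro, here is a Python stand-in for the extraction step described in the question and revisited in the last comment (dropping non-printable characters before the text reaches Notepad). It also picks up two points from btan's comments: flagging attachments by the extensions he listed, and summarising SPF/DKIM/DMARC results from the Authentication-Results header. It uses only the standard library; the sample message, the chosen header list, the regexes and the report layout are this example's own assumptions.

```python
"""Stand-in for the Outlook macro in the question: parse a raw RFC 5322
message, keep only the main headers and the text/plain body, strip
non-printable characters, flag risky attachment extensions (btan's list)
and summarise Authentication-Results. Stdlib only, Python 3.8+.
The sample message at the bottom is constructed for this example."""
import re
from email import policy
from email.parser import BytesParser

# Headers worth reading first when triaging a suspect mail (our choice).
INTERESTING_HEADERS = ("Return-Path", "Received", "From", "Reply-To", "To",
                       "Subject", "Date", "Message-ID", "Authentication-Results")
# Extensions btan listed as executable / installer / script content.
RISKY_EXTENSIONS = {".exe", ".com", ".msi", ".msp",
                    ".ps1", ".bat", ".cmd", ".vbs", ".js"}
# Keep printable ASCII plus tab/newline; drop everything else so control
# characters (ESC sequences, NUL, ...) never reach the editor.
_NON_PRINTABLE = re.compile(r"[^\x20-\x7e\t\n]")
_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def strip_non_printable(text):
    return _NON_PRINTABLE.sub("", text.replace("\r\n", "\n"))


def parse(raw):
    """Parse raw bytes into an EmailMessage; nothing is rendered or executed."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def extract_headers(msg):
    """(name, value) pairs for the interesting headers; Received may repeat."""
    return [(name, strip_non_printable(str(value)))
            for name in INTERESTING_HEADERS
            for value in msg.get_all(name, [])]


def auth_results(msg):
    """{'spf': 'fail', ...} from Authentication-Results, or {} if absent."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in _AUTH_RESULT.findall(str(value)):
            found.setdefault(method.lower(), result.lower())
    return found


def extract_text_body(msg):
    """Only the text/plain part; HTML parts and attachments are never rendered."""
    part = msg.get_body(preferencelist=("plain",))
    return "(no text/plain part)" if part is None else strip_non_printable(part.get_content())


def list_attachments(msg):
    """(filename, is_risky) per attachment, judged by extension alone."""
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        out.append((name, ext in RISKY_EXTENSIONS))
    return out


def render_report(raw):
    """Plain-text report suitable for opening in Notepad."""
    msg = parse(raw)
    lines = ["=== HEADERS ==="] + [f"{n}: {v}" for n, v in extract_headers(msg)]
    lines.append("=== AUTHENTICATION ===")
    lines += [f"{m}: {r}" for m, r in sorted(auth_results(msg).items())] or ["(none)"]
    lines.append("=== ATTACHMENTS ===")
    for name, risky in list_attachments(msg):
        lines.append(name + ("   [RISKY EXTENSION - do not open]" if risky else ""))
    lines += ["=== BODY (text/plain only) ===", extract_text_body(msg)]
    return "\n".join(lines) + "\n"


# Constructed sample (not real mail): HTML part with <script>, a .js attachment,
# an ESC colour sequence in the plain body, and failing authentication.
SAMPLE_RAW = b"""\
Return-Path: <bounce@example.invalid>
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
 by mx.example.net with ESMTP id abc123; Mon, 1 Jan 2018 10:00:00 +0000
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.invalid;
 dkim=none; dmarc=fail header.from=example.invalid
From: "Accounts" <accounts@example.invalid>
To: brian@example.net
Subject: Invoice overdue
Date: Mon, 1 Jan 2018 09:59:00 +0000
Message-ID: <1234@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: multipart/alternative; boundary="B2"

--B2
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.\x1b[31mPay now\x1b[0m
--B2
Content-Type: text/html; charset="utf-8"

<html><body><script>alert(1)</script>Please see the attached invoice.</body></html>
--B2--
--B1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==
--B1--
"""

if __name__ == "__main__":
    # Write the report as a .txt (never a script extension) and open it in Notepad by hand.
    with open("suspect_mail.txt", "w", encoding="ascii") as f:
        f.write(render_report(SAMPLE_RAW))
    print("report written to suspect_mail.txt")
```

The design choice that matters is in `extract_text_body`: only the `text/plain` part is ever decoded, and attachments are listed by name rather than opened, so the report can never carry the HTML or script content into the editor. The extension check is a coarse first cut, as btan notes; it says nothing about a `.docm` or an archive, so the "[RISKY EXTENSION]" flag is a hint, not a verdict.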