sunhux

Will just opening a malicious email without clicking its attachments/links trigger a compromise?

So far, I've heard that clicking attachments (PDF, MSOffice, png, executables/scripts,
active contents) & links in malicious/phishing/spam emails may risk compromising
the user.

Has anyone come across any email that, just by opening the email content (but
without clicking any attachments, links or 'downloading contents like images'),
will compromise the user? If so, how does such a compromise work & how do
we educate users to take precautions against such emails? Certainly we need
to open emails to see their contents, as just viewing the subject heading/sender may not
be good enough.

I'm using the Outlook client & webmail (i.e. a browser to access corporate email).

A friend told me that just by opening a Gmail message in the past (without clicking the
links/attachments in it), things went wrong with her mailbox in Gmail.
SOLUTION
Rodney Barnhardt
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
For the most part it does not happen.  For situations such as above, turn up your Spam filter to High.  Any more than 6 spam emails in a year of high volume email is cause for alarm.
sunhux

ASKER

So if there's no embedded image, an HTML email won't compromise?

I'm contemplating installing a CDR (Content Disarm & Reconstruction)
solution to deal with embedded images: will it help with 'disarming' &
reassembling an embedded image?
I have never used it, but it is supposed to sanitize all files, including images. However, I think most products say they protect against “most images”. I am not sure which ones they may not, but it would greatly reduce your attack vector.
You're more likely to run into a denial of service (DoS) exploit that could crash Outlook or Windows by merely viewing the email than one that could install malicious code.  Typically remote code execution would require an exploitable buffer overflow that is specific to your email client, or browser in the case of web-based email.  Protections such as DEP, ASLR, etc. increase the difficulty of these attacks.

If you're curious, perform a lookup for "Outlook" @ https://www.exploit-db.com/ and organize the exploits by date.  This will give you an idea of what's possible.

The solution is proactive isolation.  Any application (browser, email client, document viewer, etc.) that interacts with untrusted content should itself be untrusted.  Solutions such as Bromium are the way to go.
The above is one reason why some companies only accept text emails and strip html content.
Outlook/Options/Trust Center/Email Security/check "Read all standard email as plain text" (almost guaranteed you will get complaints)
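A sketch of the "text only, strip HTML" policy mentioned in the comment above, as an added example (not code from this thread or from any product named in it). It reduces a message to text and lists the remote URLs that an HTML-rendering client could fetch just by opening it; `to_plain_text`, `_TextOnly`, `AUTOLOAD` and the sample message are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# (tag, attribute) pairs a mail client may fetch merely by rendering the message.
AUTOLOAD = {("img", "src"), ("link", "href"), ("iframe", "src"),
            ("script", "src"), ("body", "background")}

class _TextOnly(HTMLParser):
    """Keep visible text; record remote URLs instead of fetching them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.remote, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1  # drop active content and CSS entirely
        for name, value in attrs:
            value = value or ""  # valueless attributes arrive as None
            if (tag, name) in AUTOLOAD and value.lower().startswith(("http:", "https:", "//")):
                self.remote.append(value)
            elif tag == "a" and name == "href" and value:
                self.text.append(f" [link: {value}] ")  # show the real target

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)

def to_plain_text(raw_message):
    """Return (text_only_body, remote_urls_found) for a raw message string."""
    msg = message_from_string(raw_message, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    parser = _TextOnly()
    if html is not None:
        parser.feed(html.get_content())
        parser.close()
    if plain is not None:  # a sender-supplied text part wins
        return plain.get_content().strip(), parser.remote
    return " ".join("".join(parser.text).split()), parser.remote

# Constructed sample message (not taken from the thread).
SAMPLE = (
    'Content-Type: text/html; charset="utf-8"\n\n'
    '<p>Your invoice is ready.</p><img src="https://tracker.example.test/p.gif?id=42">'
    '<script>document.title="x"</script><a href="https://login.example.test/">View invoice</a>\n')
print(to_plain_text(SAMPLE))
```

The returned URL list is useful as a gateway log field: a message whose only remote reference is a 1x1 image is a tracking beacon, which is what image blocking in the client suppresses.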

ASKER

>ProofPoint spam filter
In my previous workplace, we've seen about 8-12% of spam/phishing
/non-legit emails get past ProofPoint.  At my current workplace, surprisingly
with lower-cost products, we have few such non-legit emails;  perhaps
the previous place is a hot target (financial).

Rodney, noticed that your place uses O365 & you mentioned ProofPoint.
There are EE threads saying it's not feasible to have O365 E3/E5 working
with ProofPoint.  Is your place implementing ProofPoint with O365?

It's part of user training not to right-click to download an embedded
image but I guess this plus no clicking of links/attachments are not
good enough.

>some companies only accept text emails and strip html content
Most users will complain if only plain text is allowed.