Automatically download images in Outlook based upon the mail server - image

I am currently doing internal phishing campaigns within my company and I am trying to improve the process. One of the issues is that if I include tracking pixels to allow tracking whether an email has been opened or not, the image will invariably get blocked by Outlook and require the user to manually download it: "Click here to download pictures. To help protect your privacy, Outlook prevented automatic download of some pictures in this message."
Now, I can get around this by adding the spoofed email address into the safe senders list, but this then means that I have to do this for each campaign and have to then push it out via GPO to everyone. Does anybody know of a way that the mail server can be whitelisted so that any email received from, say, 10.10.150.200 will have its images automatically downloaded?

You will need to set the PR_BLOCK_STATUS MAPI property; see the excerpt from [MS-OXOMSG].pdf below. Keep in mind that the property must be set on the client side after the message is received; you cannot set the property when sending the message.
Note that OOM won't help you since it rounds off all date/time values, and you need to have the native FILETIME value to calculate the value of the PR_BLOCK_STATUS MAPI property. And to use Extended MAPI, you will need to use C++ or Delphi.
If using Redemption (I am its author) is an option (it can be used from any language), you can set that property using the RDOMail.DownloadPictures property:
2.2.1.1 PidTagBlockStatus
Type: PtypInteger32
Indicates the user's preference for viewing external content (such as links to images on an HTTP server) in the message body. A client MAY ignore this value and always allow or block external content based on other factors (such as whether the sender is on a safe list). If this property is used, then the default action is to block the external content. However, if the value of this property falls within a certain range, then viewing external content is allowed. The allowed value is computed from PidTagMessageDeliveryTime: since the sender of a message does not have knowledge of this value, the sender cannot reliably set PidTagBlockStatus to the allowed values.
To compute the allowed values, convert the value of PidTagMessageDeliveryTime to a PtypDouble, floatdate, where the date is represented as the number of days from midnight, December 30, 1899. Apply the following formula: result = ((floatdate - floor(floatdate)) * 100000000) + 3; where floor(x) returns the largest integer ≤ x. Convert the PtypDouble value result to a 32-bit integer computedvalue. Clients SHOULD set PidTagBlockStatus to computedvalue to allow external content. However, when determining whether to accept external content, clients SHOULD allow external content if the absolute value of the difference between computedvalue and the value of PidTagBlockStatus is 1 or less.
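As an added illustration (not code from the answer or from Redemption), the following Ruby evaluates the spec's formula from a raw PR_MESSAGE_DELIVERY_TIME FILETIME and checks whether a stored message's PR_BLOCK_STATUS sits in the tolerated range, which is what you need when auditing which items in a mailbox have been marked to render external content. The FILETIME-from-Time helper and the sample timestamp are constructed here; the two epoch offsets are standard constants.

```ruby
require 'date'

# Days between the FILETIME epoch (1601-01-01) and the OLE date epoch
# (1899-12-30) that PidTagBlockStatus is computed against: 109205.
OLE_EPOCH_OFFSET_DAYS = (Date.new(1899, 12, 30) - Date.new(1601, 1, 1)).to_i
HUNDRED_NS_PER_DAY = 10_000_000 * 86_400

# Convert a raw PR_MESSAGE_DELIVERY_TIME FILETIME (100-ns intervals since
# 1601-01-01 UTC) to the OLE "floatdate" the spec describes. Rational keeps
# the fractional day exact, which a rounded OOM Date value cannot.
def filetime_to_floatdate(filetime)
  Rational(filetime, HUNDRED_NS_PER_DAY) - OLE_EPOCH_OFFSET_DAYS
end

# Value a client stores in PidTagBlockStatus to allow external content:
# result = ((floatdate - floor(floatdate)) * 100000000) + 3, truncated to a
# 32-bit integer (fraction-of-day * 1e8 + 3 is always below 2**31).
def allowed_block_status(delivery_filetime)
  floatdate = filetime_to_floatdate(delivery_filetime)
  ((floatdate - floatdate.floor) * 100_000_000 + 3).to_i
end

# Audit check: would a conforming client render external content for this
# message? The spec tolerates a difference of at most 1 from the computed
# value. nil means the property is absent, so the default (block) applies.
def external_content_allowed?(block_status, delivery_filetime)
  return false if block_status.nil?
  (block_status - allowed_block_status(delivery_filetime)).abs <= 1
end

# Constructed helper: FILETIME from a Ruby Time (11644473600 s separate the
# 1601 and 1970 epochs). Real code reads the FILETIME straight from MAPI.
def time_to_filetime(time)
  (time.to_i + 11_644_473_600) * 10_000_000
end

if __FILE__ == $PROGRAM_NAME
  delivered = time_to_filetime(Time.utc(2014, 6, 15, 12, 0, 0)) # constructed
  puts allowed_block_status(delivered)                  # 50000003 (noon = 0.5 day)
  puts external_content_allowed?(50_000_002, delivered) # true (within tolerance)
  puts external_content_allowed?(12_345, delivered)     # false
end
```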

Related

Can i send custom properties/data in slack message attachments?

I want to send some custom properties in the attachment for interactive messages and retrieve them back in the action response. Is there a way to do this?
Yes, that is possible. However, it only works well for small sets of data.
Assuming we are talking about buttons, the normal approach would be to use the value field of an action to transfer custom data, based on which button the user clicked, back to your app. The field is a normal string within a JSON message, which is sent by POST request to your app. So it can in principle contain a whole data set, not only a single value. All you need to do is include it in the button attachment that is sent to Slack and your app will receive the respective value field back. (Depending on what data you want to send you might need to encode it, e.g. you want to encode binary data into base64, so that it can be transferred as a JSON string.)
I have used it successfully in one of my apps to transfer serialized objects containing information about the user's application context.
There is one caveat though, that caused me to later abandon this approach again. As I found out the field length is limited, so if your string is too long you might end up with truncated data. In my estimation the limit is about 2.000 chars, but I do not have a definitive number.
Instead of transferring all data in the attachment, I now keep the user application context in a server session (PHP) and only transfer IDs through the value field of my buttons.
Conclusion: If you have small sets of data you can transfer them through the value field. If you have larger sets of data I would not recommend it.
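The two approaches from this answer side by side, as an added Ruby example that is not the answerer's code: small contexts travel inline in the button's value field (base64url-encoded JSON), anything larger is parked server side and only an opaque id crosses Slack. The 1500-character cap is an assumption chosen below the limit the answer observed, and the in-memory store stands in for the PHP session.

```ruby
require 'json'
require 'base64'
require 'securerandom'

# Assumed cap for a button value, kept under the ~2000 chars observed above.
MAX_VALUE_LENGTH = 1500

# Stand-in for the server-side session store that holds large contexts.
CONTEXT_STORE = {}

# Pack an application context into a button's value field. Small contexts
# go inline as base64url JSON; larger ones are stored and only a random id
# travels through Slack, so truncation can never corrupt the data.
def button_value_for(context)
  inline = 'j:' + Base64.urlsafe_encode64(JSON.generate(context))
  return inline if inline.length <= MAX_VALUE_LENGTH
  id = SecureRandom.hex(16)
  CONTEXT_STORE[id] = context
  'id:' + id
end

# Recover the context from the value Slack posts back in the action payload.
# The value round-tripped through Slack and the user's client, so treat it as
# untrusted: parse JSON only (never Marshal/eval), return nil on anything odd.
def context_from_value(value)
  return nil unless value.is_a?(String)
  kind, payload = value.split(':', 2)
  case kind
  when 'j'  then JSON.parse(Base64.urlsafe_decode64(payload.to_s))
  when 'id' then CONTEXT_STORE[payload]
  end
rescue JSON::ParserError, ArgumentError
  nil
end

# The attachment as it would be sent with chat.postMessage.
def confirm_attachment(context)
  { text: 'Confirm action?', callback_id: 'confirm', attachment_type: 'default',
    actions: [{ name: 'confirm', text: 'Confirm', type: 'button',
                value: button_value_for(context) }] }
end
```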

Is there a way to uniquely identify a picture attached to an Outlook ContactItem?

It is my understanding that an Outlook contact's "avatar" image is stored as an Attachment object in the Attachments collection (ref).
Now suppose, as an example, that I want to keep my own (separate) contact database updated whenever the user's Outlook contacts change, so I'm registered for a PropertyChange event on the ContactItem. Is there any way to determine whether or not the picture attached to a ContactItem has changed, or do I need to call SaveAsFile() on the ContactPicture.jpg Attachment every time that I get a change notification, just on the off chance that it may have been updated?
There is no CRC of any kind for the attachment data, so you won't know if the actual binary data has changed. You can read the Attachment.Size property, and if it is different from what you had before, the data has changed for sure.
You can also read the PR_CREATION_TIME and PR_LAST_MODIFICATION_TIME properties using Attachment.PropertyAccessor.GetProperty, but these properties are not required and can stay the same even if the data has changed.

Exchange Web Services EWS, search mails in in-place eDiscovery & hold

I want to download mails that match the in-place eDiscovery. I do a GetDiscoverySearchConfiguration(), then I execute SearchMailboxes() for each mailbox that GetDiscoverySearchConfiguration() returns. SearchMailboxes() returns SearchPreviewItems() where I can get the real EmailMessage Id, but this does not have the email body, so I have to do another retrieve using FindItems() to get the EmailMessage object.
This is a very slow process. Is there any other way to do this?
I would like to get all the mails that I can see in the preview.
Instead of FindItems(), use the ExchangeService.BindToItems() method and provide a collection of the message ids you want in batches. Restrict the property set to only the properties you need. A couple of other thoughts:
- Limit the preview response shape to just the item identifiers since you'll call BindToItems for the properties you need.
- FindItems will only return the first 512 characters of the body.
- Use paging with SearchMailboxes(). Optimal page size will depend on the property set. You'd have to test different page sizes to optimize.

Bing Maps API inconsistently fails on certain postal code lookups

I have an application using Bing Maps API to retrieve coordinates for a postal code and then I perform spatial queries based on the result. There are times where I get empty results, but when I wait a few minutes it succeeds. I added logic that retried a handful of times if there's a failure but that doesn't seem to be helping. Here's the empty result I get back:
{"authenticationResultCode":"ValidCredentials","brandLogoUri":"http://dev.virtualearth.net/Branding/logo_powered_by.png","copyright":"Copyright © 2014 Microsoft and its suppliers. All rights reserved. This API cannot be accessed and the content and any results may not be used, reproduced or transmitted in any manner without express written permission from Microsoft Corporation.","resourceSets":[{"estimatedTotal":0,"resources":[]}],"statusCode":200,"statusDescription":"OK","traceId":"7a6bfca3f89b4f94a4693a410da4feb7|CH10043840|02.00.107.2300|CH1SCH050102529"}
And here's the URL I'm calling:
http://dev.virtualearth.net/REST/v1/Locations?q=50613&o=json&key=MyApiKey
Is there a way I can retrieve further information based on the traceId? Or is this something that's just accepted when using Bing Maps API?
You should first check the number of requests you're doing in a specific time and put it in relation with the type of Bing Maps key you're using. Basic keys are rate limited, which means that if you exceed the allowed number of requests in a specific duration, you will be blocked.
Bing Maps Trial and basic key and rate limitation information
Those types of keys are rate limited for security and logical reasons (on a 24h period and with time between the requests) and that's the reason why you're getting a blank response without any information regarding the fact that it failed to geocode.
See the Terms of Use regarding the limitations and other restrictions (load and stress tests as well as hammering are part of it): http://www.microsoft.com/maps/product/terms.html
So, in order to try to analyze where your problem comes from, you might:
- Check the type of key you're using and how many calls you're making in a specific period
- Check the header of the response; it should include a specific header value: X-MS-BM-WS-INFO set to 1 if you are rate limited
- See the MSDN page about error handling: http://msdn.microsoft.com/en-us/library/ff701703.aspx
If you're not in this case (if you have an enterprise account), reach out to technical support so they can officially get back to you and check the key.
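An added Ruby example (not from the question or answer) that tells the three cases apart the way the answer describes: a rate-limited key still gets HTTP 200 with an empty resourceSets array, and only the X-MS-BM-WS-INFO header reveals it, so a blind retry loop like the one in the question never helps. The retry policy only backs off for real transport errors; the sample bodies are constructed from the shape of the response shown above.

```ruby
require 'json'

# Classify a Bing Maps REST Locations response. Returns one of:
#   [:rate_limited, nil]   key is throttled; retrying inside the window is useless
#   [:no_match, nil]       genuine "nothing found for this query"
#   [:ok, [lat, lon]]      first result's coordinates
#   [:error, description]  non-200 status or unparseable body (transient)
def classify_geocode_response(status, headers, body)
  # Header names may arrive lower-cased depending on the HTTP client.
  info = headers.find { |name, _| name.casecmp?('X-MS-BM-WS-INFO') }
  return [:rate_limited, nil] if info && info.last.to_s == '1'
  return [:error, "HTTP #{status}"] unless status == 200
  data = JSON.parse(body)
  resources = data.fetch('resourceSets', []).flat_map { |set| set.fetch('resources', []) }
  return [:no_match, nil] if resources.empty?
  [:ok, resources.first.dig('point', 'coordinates')]
rescue JSON::ParserError => e
  [:error, "bad JSON: #{e.message}"]
end

# Retry only transient errors, with exponential backoff; a throttled key is
# reported at once because its quota window (24h) dwarfs any retry loop.
# The block yields [status, headers, body]; sleeper is injectable for tests.
def geocode_with_policy(max_attempts: 3, sleeper: ->(s) { sleep(s) })
  attempts = 0
  loop do
    attempts += 1
    verdict, payload = classify_geocode_response(*yield)
    return [verdict, payload, attempts] if verdict != :error || attempts >= max_attempts
    sleeper.call(2**attempts)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the empty 200 response from the question, abbreviated.
  empty = '{"resourceSets":[{"estimatedTotal":0,"resources":[]}],"statusCode":200}'
  p classify_geocode_response(200, {}, empty)                            # [:no_match, nil]
  p classify_geocode_response(200, { 'x-ms-bm-ws-info' => '1' }, empty)  # [:rate_limited, nil]
end
```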

Efficiently check unread count on entire account

To my understanding, there is no way to query an entire IMAP account for a total unread count, or the UIDs of all recent messages, regardless of mailbox. That is, to get a total unread count for the account, you need to iterate over all mboxes and check their status. I've done that, but it's very slow (45 seconds on one of my accounts with many mailboxes).
Mail.app can find new messages, even in deeply nested mailboxes, in just a couple of seconds.
Is the speed here just a limitation of using Net::IMAP? Or am I missing some functionality that will return a more limited set of mailboxes, like only ones that have RECENT messages?
The only other option I can think of is to use response handlers, and also keep a cache of which mboxes have a counter > 1, and then only check the combination of the two each cycle. But since I'm looking to do this in a script, eliminating the need to carry over a cache would be ideal, if not required.
The canonical way to detect new messages in IMAP is via UIDNEXT. Issuing
A001 STATUS "foldername" (UIDVALIDITY UIDNEXT)
on each folder that you care about will give you the expected next UID for that folder. Here's what the RFC has to say:
Unique identifiers are assigned in a strictly ascending fashion in the mailbox; as each message is added to the mailbox it is assigned a higher UID than the message(s) which were added previously. Unlike message sequence numbers, unique identifiers are not necessarily contiguous.
The next unique identifier value is the predicted value that will be assigned to a new message in the mailbox. Unless the unique identifier validity also changes (see below), the next unique identifier value MUST have the following two characteristics. First, the next unique identifier value MUST NOT change unless new messages are added to the mailbox; and second, the next unique identifier value MUST change whenever new messages are added to the mailbox, even if those new messages are subsequently expunged.
So just keep track of each folder's expected next UID and UID validity value. If a STATUS command results in either UIDNEXT or UIDVALIDITY changing from your cached value, you know you need to check for new mail (if the former) or resync (if the latter).
Something like this:
imap.status("foldername", ["UIDNEXT", "UIDVALIDITY"])
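The cache-and-diff cycle the answer describes, as an added Ruby example (not the answerer's code) on top of Net::IMAP: one STATUS per selectable folder, then a comparison against the previous cycle's (UIDVALIDITY, UIDNEXT) pairs that separates "new mail arrived" from "UIDVALIDITY changed, resync". The classification is pure so it can be exercised without a server; the live connection in the guard only runs when IMAP_HOST, IMAP_USER and IMAP_PASS are set (assumed variable names).

```ruby
require 'net/imap'

# Diff each folder's current (UIDVALIDITY, UIDNEXT) against the cached pair.
# Both arguments map folder name => { 'UIDVALIDITY' => n, 'UIDNEXT' => n },
# the hash shape Net::IMAP#status returns. A folder missing from the cache or
# with a new UIDVALIDITY must be resynced: its cached UIDs mean nothing now.
def classify_folders(previous, current)
  result = { new_mail: [], resync: [], unchanged: [] }
  current.each do |folder, st|
    old = previous[folder]
    if old.nil? || old['UIDVALIDITY'] != st['UIDVALIDITY']
      result[:resync] << folder
    elsif st['UIDNEXT'] > old['UIDNEXT']
      result[:new_mail] << folder
    else
      result[:unchanged] << folder
    end
  end
  result
end

# UIDs that may have arrived once UIDNEXT advanced: the old value up to (not
# including) the new one. Some may already be expunged, as the RFC allows.
def new_uid_range(old_uidnext, new_uidnext)
  old_uidnext...new_uidnext
end

# One polling cycle on a live connection: STATUS every selectable folder
# (tiny responses, no SELECT needed) and diff against the cache. Returns the
# classification and the fresh cache to persist (plain integers, JSON-safe).
def poll_cycle(imap, cache)
  current = {}
  imap.list('', '*').each do |mbox|
    next if mbox.attr.include?(:Noselect)
    current[mbox.name] = imap.status(mbox.name, %w[UIDVALIDITY UIDNEXT])
  end
  [classify_folders(cache, current), current]
end

if __FILE__ == $PROGRAM_NAME && ENV['IMAP_HOST']
  imap = Net::IMAP.new(ENV['IMAP_HOST'], ssl: true)
  imap.login(ENV['IMAP_USER'], ENV['IMAP_PASS'])
  verdict, cache = poll_cycle(imap, {})   # first run: everything is a resync
  p verdict
  imap.logout
end
```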
