LogRhythm-Labs / PIE

:mailbox: The Phishing Intelligence Engine - An Active Defense PowerShell Framework for Phishing Defense with Office 365
MIT License
180 stars 54 forks

Remove Outlook constraint #1

Open n3tsurge opened 6 years ago

n3tsurge commented 6 years ago

It would be more efficient to use EWS to periodically poll your phishing mailbox and send the reply than to install an Outlook client and leave it open on a server.

    # Load the EWS Managed API (path assumes the default 2.2 installer location)
    Add-Type -Path "C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll"

    # Build a connection to the Exchange Server
    $ExchangeService = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
    $ExchangeService.Credentials = New-Object System.Net.NetworkCredential("DOMAIN\phishing", "<credentials>")
    $ExchangeService.Url = "https://mymailserver/EWS/Exchange.asmx"

    # Find the Inbox for the Phishing Mailbox ($Mailbox is the report mailbox's SMTP address; placeholder value)
    $Mailbox = "phishing@mydomain.com"
    $folderid = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $Mailbox)
    $Inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ExchangeService, $folderid)

    # Define a view (page size 10) and a filter that only matches unread items
    $view = New-Object Microsoft.Exchange.WebServices.Data.ItemView(10)
    $SearchFilter = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::IsRead, $false)

    # Search the Inbox for unread items
    $Items = $Inbox.FindItems($SearchFilter, $view)
    $itemCount = $Items.TotalCount

gfoss commented 6 years ago

This is great, thanks! I'll take a look over the next few days.

n3tsurge commented 6 years ago

No problem. I saw the talk on this in Vail and was interested to see how it worked under the hood, so I went out and started experimenting before this was released to try and replicate it myself, and came away with these shortcuts.

Here is a snippet for sending the response to the reporting user using EWS in case you are interested in that as well.

Just create the HTML-formatted email. Make sure you reference any pictures in the HTML using their cid, and they have to be added as an inline attachment (see the Send-ThankYou snippet).

<img width=220 height=121 style='width:2.2916in;height:1.2604in' id="Picture_x0020_2" src="cid:logo.png" alt="cid:logo.png">

Function to send the Thank You e-mail:

    function Send-ThankYou {
        Param(
            [string]$MailTo,
            [Microsoft.Exchange.WebServices.Data.ExchangeService]$Service,
            [string]$ScriptPath = $PSScriptRoot,   # folder holding "Thank You.html" and logo.png
            [switch]$Failed                        # was [switch]$Error, which shadows PowerShell's automatic $Error variable
        )

        $email = New-Object Microsoft.Exchange.WebServices.Data.EmailMessage($Service)

        $email.Subject = "Thank you for your Phishing submission"
        # Send the template as an HTML body so the cid: reference in the <img> tag is honoured
        $html = Get-Content (Join-Path $ScriptPath "Thank You.html") -Raw
        $email.Body = New-Object Microsoft.Exchange.WebServices.Data.MessageBody([Microsoft.Exchange.WebServices.Data.BodyType]::HTML, $html)
        [void]$email.ToRecipients.Add($MailTo)

        # The logo must be an inline attachment whose ContentId matches the cid: used in the HTML
        $logo = $email.Attachments.AddFileAttachment("logo.png", (Join-Path $ScriptPath "logo.png"))
        $logo.IsInline = $true
        $logo.ContentId = "logo.png"

        $email.SendAndSaveCopy()
    }

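
The two snippets above (polling for unread reports, and replying with an inline-image HTML mail) are the pieces of a non-interactive loop; the following is an added example that joins them, and is not code from PIE, from this thread, or from smells-phishy. It assumes the EWS Managed API 2.2 DLL at its default install path, the Office 365 EWS endpoint, a reply domain of example.com, and "Thank You.html" plus "logo.png" beside the script; all of those names are assumptions, not taken from the thread. It also adds what a production poller needs that the snippets do not show: the reported phish (normally an attached message) is written to disk as raw MIME for analysis instead of being rendered, each report is marked read before anything else so a failure cannot reprocess it forever, and the thank-you goes only to a From address in your own domain, since anyone can mail the report address with a forged From and an unconditional reply would turn the mailbox into a backscatter source.

```powershell
# Added example (not PIE's code, not from this thread): non-interactive EWS poller for a
# phishing-report mailbox. Assumed, not from the thread: the EWS DLL path, the reply
# domain, the O365 EWS URL, and "Thank You.html" + "logo.png" beside the script.
Add-Type -Path 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'

$EwsUrl      = 'https://outlook.office365.com/EWS/Exchange.asmx'
$ReplyDomain = 'example.com'      # assumed: only reporters at this domain ever get a reply
$ScriptPath  = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$CaseRoot    = Join-Path $ScriptPath 'cases'

function Connect-Ews {
    param([string]$Url, [pscredential]$Credential)
    $svc = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
    # Credential comes from Get-Credential or a secret store, never from the script text
    $svc.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials($Credential.UserName, $Credential.GetNetworkCredential().Password)
    $svc.Url = New-Object Uri($Url)
    return $svc
}

function Get-UnreadReports {
    # Same query as the polling snippet above: unread items in the mailbox's own Inbox
    param($Service, [int]$PageSize = 25)
    $inbox  = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($Service, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    $view   = New-Object Microsoft.Exchange.WebServices.Data.ItemView($PageSize)
    $filter = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::IsRead, $false)
    return @($inbox.FindItems($filter, $view).Items)
}

function Save-ReportedMessage {
    # The reported phish normally arrives as an attached message (ItemAttachment). Its raw
    # MIME is written to disk as .eml so it is analysed from a file and never rendered in a
    # mail client. File names are indexed, not taken from the attachment.
    param($Report, [string]$CaseDir)
    New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
    $saved = @()
    $i = 0
    foreach ($att in $Report.Attachments) {
        $i++
        if ($att -is [Microsoft.Exchange.WebServices.Data.ItemAttachment]) {
            $att.Load([Microsoft.Exchange.WebServices.Data.ItemSchema]::MimeContent)
            $path = Join-Path $CaseDir ('reported-{0}.eml' -f $i)
            [IO.File]::WriteAllBytes($path, $att.Item.MimeContent.Content)
            $saved += $path
        } elseif ($att -is [Microsoft.Exchange.WebServices.Data.FileAttachment]) {
            $path = Join-Path $CaseDir ('attachment-{0}.bin' -f $i)
            $att.Load($path)
            $saved += $path
        }
    }
    return $saved
}

function Send-ThankYou {
    param($Service, [string]$MailTo)
    $msg = New-Object Microsoft.Exchange.WebServices.Data.EmailMessage($Service)
    $msg.Subject = 'Thank you for your phishing submission'
    # Explicit HTML body; <img src="cid:logo.png"> in the template resolves to the inline attachment
    $html = Get-Content (Join-Path $ScriptPath 'Thank You.html') -Raw
    $msg.Body = New-Object Microsoft.Exchange.WebServices.Data.MessageBody([Microsoft.Exchange.WebServices.Data.BodyType]::HTML, $html)
    [void]$msg.ToRecipients.Add($MailTo)
    $logo = $msg.Attachments.AddFileAttachment('logo.png', (Join-Path $ScriptPath 'logo.png'))
    $logo.IsInline  = $true
    $logo.ContentId = 'logo.png'
    $msg.SendAndSaveCopy()
}

$svc = Connect-Ews -Url $EwsUrl -Credential (Get-Credential -Message 'Phishing report mailbox')

while ($true) {
    foreach ($item in (Get-UnreadReports -Service $svc)) {
        if ($item -isnot [Microsoft.Exchange.WebServices.Data.EmailMessage]) { continue }
        $item.Load()      # FindItems returns summaries; Load fetches the attachment list
        # Mark read first so a failure further down cannot reprocess the same report forever
        $item.IsRead = $true
        $item.Update([Microsoft.Exchange.WebServices.Data.ConflictResolutionMode]::AutoResolve)

        $stamp   = $item.DateTimeReceived.ToUniversalTime().ToString('yyyyMMdd-HHmmss')
        $caseDir = Join-Path $CaseRoot ($stamp + '-' + [guid]::NewGuid().ToString('N').Substring(0, 8))
        $files   = @(Save-ReportedMessage -Report $item -CaseDir $caseDir)
        Write-Host ('Report from {0}: {1} file(s) saved under {2}' -f $item.From.Address, $files.Count, $caseDir)

        # Reply only to the report's own From address, and only inside our domain: anyone can
        # mail the report address with a forged From, and replying would make this a backscatter source
        if ($item.From.Address -like "*@$ReplyDomain") {
            Send-ThankYou -Service $svc -MailTo $item.From.Address
        }
    }
    Start-Sleep -Seconds 60
}
```

Run it as a scheduled task or service under the report mailbox's own account; it needs no Outlook profile and no interactive desktop. The credential is prompted for here as in the thread's basic-auth snippet; for a production deployment it should come from a secret store, and the EWS URL and domain values above are assumptions to replace with your own.
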
gfoss commented 6 years ago

Thanks!

I actually have the response aspect of the script configured to use the server, via the O365 phishing report account. I'm looking at adapting your scripts into the next piece, which performs analysis of the email that was submitted. If I can get that figured out, there will be no need to leave Outlook open. :-)

hbteibetLZ commented 6 years ago

Hello @gfoss have you had a chance to look into doing everything via EWS API instead of the Outlook client?

n3tsurge commented 6 years ago

Got a sample here that I was toying with that you can pick apart and use. It does the analysis and such right in the ps1 and is proxy-aware. It does not do any of the LR integration.

https://github.com/krypticnetworks/smells-phishy

gfoss commented 6 years ago

I have not had time to dive into this issue just yet, unfortunately. Appreciate the link to this project though - will have to dive into this and see if I can apply this non-interactive mailbox fix to PIE!

gfoss commented 6 years ago

I believe that I've inadvertently fixed this problem with the following commit:

https://github.com/LogRhythm-Labs/PIE/commit/9e90ee1cdd522c7a63511a3ac4a72e15ba01238a

I was solving a separate issue and a side-effect is that you actually have to leave Outlook closed now in order to process mail properly in the background. If you have some time, please test and let me know if the updated code works for you.