
Automatically download images in Outlook based upon the mail server


I am currently doing internal phishing campaigns within my company and I am trying to improve the process. One of the issues is that if I include tracking pixels to allow tracking whether an email has been opened or not, the image will invariably get blocked by Outlook and require the user to manually download it: "Click here to download pictures. To help protect your privacy, Outlook prevented automatic download of some pictures in this message."

Now, I can get around this by adding the spoofed email address into the safe senders list, but this then means that I have to do this for each campaign and then push it out via GPO to everyone. Does anybody know of a way that the mail server can be whitelisted so that any email received from, say, 10.10.150.200 will have its images automatically downloaded?


Solution

  • You will need to set the PR_BLOCK_STATUS MAPI property - see an excerpt from [MS-OXOMSG].pdf below. Keep in mind that the property must be set on the client side after the message is received - you cannot set the property when sending the message.

    Note that OOM won't help you since it rounds off all date/time values, and you need to have the native FILETIME value to calculate the value of the PR_BLOCK_STATUS MAPI property. And to use Extended MAPI, you will need to use C++ or Delphi.

    If using Redemption (I am its author) is an option (it can be used from any language), you can set that property using the RDOMail.DownloadPictures property:


    2.2.1.1 PidTagBlockStatus

    Type: PtypInteger32

    Indicates the user's preference for viewing external content (such as links to images on an HTTP server) in the message body. A client MAY ignore this value and always allow or block external content based on other factors (such as whether the sender is on a safe list). If this property is used, then the default action is to block the external content. However, if the value of this property falls within a certain range, then viewing external content is allowed. The allowed value is computed from PidTagMessageDeliveryTime: since the sender of a message does not have knowledge of this value, the sender cannot reliably set PidTagBlockStatus to the allowed values.

    To compute the allowed values, convert the value of PidTagMessageDeliveryTime to a PtypDouble, floatdate, where the date is represented as the number of days from midnight, December 30, 1899. Apply the following formula:

    result = ((floatdate - floor(floatdate)) * 100000000) + 3

    where floor(x) returns the largest integer ≤ x. Convert the PtypDouble value result to a 32-bit integer computedvalue. Clients SHOULD set PidTagBlockStatus to computedvalue to allow external content. However, when determining whether to accept external content, clients SHOULD allow external content if the absolute value of the difference between computedvalue and the value of PidTagBlockStatus is 1 or less.
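The computation quoted from [MS-OXOMSG] above, worked through as an added example (this is not code from the question, the answer, or the Redemption library): it converts a FILETIME delivery time (PidTagMessageDeliveryTime) to the PtypDouble day count, applies the formula, and performs the ±1 tolerance check a client is expected to use. The delivery timestamps are constructed for the demonstration and the function names are my own.

```python
"""Compute the PidTagBlockStatus (PR_BLOCK_STATUS) value that matches a
message's PidTagMessageDeliveryTime, following the [MS-OXOMSG] formula:
    result = ((floatdate - floor(floatdate)) * 100000000) + 3
"""
import math
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000                    # FILETIME resolution is 100 ns
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
OLE_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)   # PtypDouble "day 0"
# Distance between the two epochs in FILETIME ticks, kept as an exact integer.
OLE_EPOCH_TICKS = (OLE_EPOCH - FILETIME_EPOCH).days * TICKS_PER_DAY


def datetime_to_filetime(dt: datetime) -> int:
    """Encode a timezone-aware datetime as a FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_floatdate(filetime: int) -> float:
    """PtypSystemTime -> PtypDouble: days since midnight, 30 Dec 1899 (OLE date)."""
    return (filetime - OLE_EPOCH_TICKS) / TICKS_PER_DAY


def compute_block_status(filetime: int) -> int:
    """The spec's computedvalue for a given delivery time.

    Only the fractional day (the time of day) survives the floor(), so two
    messages delivered at the same clock time on different days get the same value.
    The PtypDouble result is truncated to a 32-bit integer.
    """
    floatdate = filetime_to_floatdate(filetime)
    fraction = floatdate - math.floor(floatdate)
    result = fraction * 100_000_000 + 3
    return int(result) & 0xFFFFFFFF


def external_content_allowed(block_status: int, filetime: int) -> bool:
    """Client-side decision from the spec: allow external content only if
    |computedvalue - PidTagBlockStatus| <= 1. The tolerance absorbs rounding
    differences between implementations that truncate and ones that round."""
    return abs(compute_block_status(filetime) - block_status) <= 1


if __name__ == "__main__":
    # Constructed delivery time: 15 Jan 2024, 12:00:00 UTC -> fraction 0.5 -> 50000003
    delivered = datetime_to_filetime(datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc))
    value = compute_block_status(delivered)
    print(f"PidTagMessageDeliveryTime (FILETIME): {delivered}")
    print(f"expected PidTagBlockStatus:            {value}")
    for candidate in (value, value - 1, value + 1, value + 2, 0):
        print(f"  PR_BLOCK_STATUS={candidate:>10}: "
              f"allowed={external_content_allowed(candidate, delivered)}")
```

Because the value is derived from the delivery timestamp, which the receiving store sets, this block only reproduces what a client computes; as the answer says, the property still has to be stamped on the item after delivery (Extended MAPI or Redemption), not by the sender.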