<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Spencer Alessi</title>
    <description>The latest articles on DEV Community by Spencer Alessi (@techspence).</description>
    <link>https://dev.to/techspence</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F149601%2F80354818-354a-495e-a90b-36a33b88b109.png</url>
      <title>DEV Community: Spencer Alessi</title>
      <link>https://dev.to/techspence</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/techspence"/>
    <language>en</language>
    <item>
      <title>How to Check a Sketchy Link Without Clicking It</title>
      <dc:creator>Spencer Alessi</dc:creator>
      <pubDate>Fri, 21 Feb 2020 13:28:32 +0000</pubDate>
      <link>https://dev.to/techspence/how-to-check-a-sketchy-link-without-clicking-it-1okh</link>
      <guid>https://dev.to/techspence/how-to-check-a-sketchy-link-without-clicking-it-1okh</guid>
      <description>&lt;p&gt;Let's say you're working through your dozens of emails, responding to clients, customers or business partners, and you come across this one email from your bank informing you that you need to reset your password. This email comes completely out of the blue and, to top it off, you don't recognize the sender's email address. Do you click it?&lt;/p&gt;

&lt;p&gt;Maybe...maybe not.&lt;/p&gt;

&lt;p&gt;Did you know that you can investigate if that link is sketchy or not &lt;strong&gt;&lt;em&gt;without&lt;/em&gt;&lt;/strong&gt; clicking on it?&lt;/p&gt;

&lt;p&gt;&lt;em&gt;This article and all the articles I write show up on my blog first. Head over there for more Cybersecurity thoughts, tips and write-ups: &lt;a href="https://spenceralessi.com" rel="noopener noreferrer"&gt;https://spenceralessi.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;How to sniff out a sketchy link&lt;/h2&gt;

&lt;p&gt;When it comes to hyperlinks, sometimes it's really obvious that a link is sketchy, but other times, in the case of look-alike domains, it can actually be a bit tricky.&lt;/p&gt;

&lt;p&gt;Here are a few things that make a link sketchy just from looking at it.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Links that end in uncommon top-level domains (TLDs). Because domains in these TLDs are pretty inexpensive to purchase, they are very frequently used for spamming and malicious activity. Aside from abc.xyz, a website owned by Google's parent Alphabet, I don't know of any legit domains with these TLDs.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Commonly used for spamming/nefarious activity:

&lt;ul&gt;
&lt;li&gt;.xyz&lt;/li&gt;
&lt;li&gt;.buzz&lt;/li&gt;
&lt;li&gt;.live&lt;/li&gt;
&lt;li&gt;.fit&lt;/li&gt;
&lt;li&gt;.tk&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;/li&gt;

&lt;li&gt;

&lt;p&gt;Links that are knock-offs (known as look-alike domains) of major brands. These are popular because the domain closely resembles a real brand's domain. Depending on how the URL looks in your browser and whether you're on a mobile device or on your computer, you may or may not be able to spot these very easily.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;netflix-mail[.]com&lt;/li&gt;
&lt;li&gt;t-mogbile[.]com&lt;/li&gt;
&lt;li&gt;googlre[.]com&lt;/li&gt;
&lt;li&gt;secure-paypal.com.fraud.hmmmm[.]com&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Note, these domains may or may not be valid at the time of you reading this&lt;/em&gt;&lt;/p&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;/li&gt;

&lt;li&gt;

&lt;p&gt;Links that contain random numbers and/or letters. These are pretty obvious. Not all are malicious; however, any time I see a URL like this I immediately get suspicious. It's not a trustworthy link in my opinion and should be investigated further.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Examples:

&lt;ul&gt;
&lt;li&gt;eqbqcguiwcymao[.]info&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;/li&gt;

&lt;/ul&gt;

&lt;h2&gt;Checking a link without clicking&lt;/h2&gt;

&lt;p&gt;There is definitely no shortage of URL and website scanners out there. I've tried dozens of them. None of them seem as good to me as URLScan. It's fast, extremely detailed, provides a live screenshot and it allows you to link out to other scanners to check them as well.&lt;/p&gt;

&lt;h3&gt;URLScan - &lt;a href="https://urlscan.io" rel="noopener noreferrer"&gt;https://urlscan.io&lt;/a&gt;&lt;/h3&gt;

&lt;p&gt;My go-to move with any sketchy links is to pop them into URLScan and see what comes up. To do that, just head on over to &lt;a href="https://urlscan.io" rel="noopener noreferrer"&gt;https://urlscan.io&lt;/a&gt;. Then just simply &lt;strong&gt;copy&lt;/strong&gt; and &lt;strong&gt;paste&lt;/strong&gt; the link you want to scan into the scan field. Once there you can also click &lt;strong&gt;Options&lt;/strong&gt; and make your scan Private, which sometimes is nice to do, since Public scans will show up on the front page and in searches. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fspenceralessi.com%2Fassets%2Fimg%2Furlscan.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fspenceralessi.com%2Fassets%2Fimg%2Furlscan.png" alt="urlscan.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now that you have your link pasted in, click Scan! Once URLScan has finished checking out your link, doing its analysis and fingerprinting, it will bring you to a results page that looks something like this.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Note, this is an example results page of a known malicious site.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fspenceralessi.com%2Fassets%2Fimg%2Furlscan-resultsmalicious.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fspenceralessi.com%2Fassets%2Fimg%2Furlscan-resultsmalicious.png" alt="urlscan-resultsmalicious.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Live Screenshot&lt;/strong&gt;. This allows you to visibly see if there might be anything weird going on with the site. This is good for sniffing out things like misspelled words on login pages.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fspenceralessi.com%2Fassets%2Fimg%2Furlscan-livescreenshot.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fspenceralessi.com%2Fassets%2Fimg%2Furlscan-livescreenshot.png" alt="urlscan-livescreenshot.png"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Google Safe Browsing rating&lt;/strong&gt;. This is a nice quick view of if the website is safe or potentially nefarious.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fspenceralessi.com%2Fassets%2Fimg%2Furlscan-googlesb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fspenceralessi.com%2Fassets%2Fimg%2Furlscan-googlesb.png" alt="urlscan-googlesb.png"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Look up the URL with other scanners&lt;/strong&gt;. The &lt;em&gt;lookup&lt;/em&gt; tab allows you to pick any of a number of other website scanners. This can help you glean additional information about the site you're scanning in case you're still not sure about it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fspenceralessi.com%2Fassets%2Fimg%2Furlscan-lookup.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fspenceralessi.com%2Fassets%2Fimg%2Furlscan-lookup.png" alt="urlscan-lookup.png"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;Caution when Clicking&lt;/h2&gt;

&lt;p&gt;It's a bit cliche by now but, &lt;strong&gt;think before you click!&lt;/strong&gt; It only takes a few minutes to pause, copy and paste the link into URLScan and check it out first before clicking.&lt;/p&gt;

&lt;p&gt;If you're at work and have an IT Department or Security Team, send it over to them and ask them to investigate it for you. It's better to wait 10 minutes to get a link checked out than spend 10 weeks recovering from a security incident. &lt;/p&gt;

&lt;h2&gt;Additional Information&lt;/h2&gt;

&lt;p&gt;I did some googling on this topic and found some good articles related to suspicious and/or malicious domains. The articles below go into much more detail on TLDs and their use for malicious or spammy activity. If you're into the technical nitty gritty these would be great reads.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://unit42.paloaltonetworks.com/newly-registered-domains-malicious-abuse-by-bad-actors" rel="noopener noreferrer"&gt;Newly Registered Domains: Malicious Abuse by Bad Actors&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/most-suspicious-tlds-revealed-by-blue-coat-systems" rel="noopener noreferrer"&gt;Most Suspicious TLDs Revealed by Blue Coat Systems&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://www.symantec.com/connect/blogs/exploring-xyz-another-shady-tld-report" rel="noopener noreferrer"&gt;Exploring .XYZ (Another Shady TLD Report)&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://blog.f-secure.com/why-is-theres-so-much-spam-coming-from-xyz-and-other-new-top-level-domains" rel="noopener noreferrer"&gt;Why is there’s so much spam coming from .xyz and other new top-level domains?&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>infosec</category>
      <category>cybersecurity</category>
      <category>phishing</category>
      <category>urlscan</category>
    </item>
    <item>
      <title>Quick And Easy Ways to Protect Your Company From CEO Fraud</title>
      <dc:creator>Spencer Alessi</dc:creator>
      <pubDate>Mon, 08 Apr 2019 01:49:09 +0000</pubDate>
      <link>https://dev.to/techspence/quick-and-easy-ways-to-protect-your-company-from-ceo-fraud-2al8</link>
      <guid>https://dev.to/techspence/quick-and-easy-ways-to-protect-your-company-from-ceo-fraud-2al8</guid>
      <description>&lt;p&gt;In this blog post (which originally appeared on my website: &lt;a href="https://www.spenceralessi.com/Quick-And-Easy-Ways-To-Protect-Your-Company-From-CEO-Fraud" rel="noopener noreferrer"&gt;https://www.spenceralessi.com/Quick-And-Easy-Ways-To-Protect-Your-Company-From-CEO-Fraud&lt;/a&gt;) I'm going to share one quick and easy technique you can use to protect your company from 2 different types of CEO fraud.&lt;/p&gt;

&lt;p&gt;The technique I detail in this blog post is not the only way to detect these emails. It's just one of many ways. Also, please know that nothing in this blog post is new or groundbreaking. I don't propose any new fancy techniques. There are times in security where detection and prevention just come down to a few simple, yet tedious, tasks. This is one of those situations.&lt;/p&gt;

&lt;p&gt;By combining a little understanding of what attackers try to do with some regular expression knowledge you can mitigate a good chunk of CEO fraud emails. My hope is that you get some value from this, or maybe it prompts you to think about your phishing detection a little bit differently.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is CEO Fraud? What are Look-alike/Misspelled Domain Names?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;CEO Fraud is a type of phishing email technique where an attacker targets your accounting or billing managers, CFO, HR or other executives. The attacker will use your CEO's name along with a look-alike or misspelled email address that's similar to your company's in order to trick your billing manager into wiring money or convince your HR manager into sending W-2s. The emails that use this strategy usually have some kind of financial or employee tax record motive to them. A look-alike or misspelled domain name is pretty self-explanatory: attackers will try to use a domain that looks similar to your company's domain. Sometimes this can be very tricky!&lt;/p&gt;

&lt;p&gt;Now, the first thing to tackle before jumping into this is to make sure you have the proper spoofing protections in place. If an attacker can spoof your company's domain, that's going to make it extremely difficult for your users to detect. So do that first. Then move on to this technique.&lt;/p&gt;

&lt;h1&gt;CEO Fraud Technique 1: look-alike/Misspelled Domain Names&lt;/h1&gt;

&lt;p&gt;The thing I want you to focus on here is the &lt;strong&gt;domain&lt;/strong&gt;, everything after the @ symbol. In this blog post, my made-up CEO's name is Jack Carter and the company email domain is eureka[.]com.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;If you're a Syfy fan you will know that Jack Carter was the quirky and trouble-prone Sheriff of a town called Eureka in the show of the same name. I love that show. It's about a town of geniuses that are always causing trouble, blowing stuff up or wreaking some other kind of havoc on the town.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;What attackers are hoping is that your billing manager or HR rep doesn't pay attention to the sender's information, sees the name, which matches the CEO's name, glances over the look-alike/Misspelled domain name and continues onto the body of the email. Attackers are banking on your co-workers just being lazy. Encourage your users to stay vigilant and stay aware!&lt;/p&gt;

&lt;p&gt;Ok, here's an example of what I'm talking about:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;a) Jack Carter &amp;lt;jcarter@eureka.com&amp;gt;

b) Jack Carter &amp;lt;jcarter@euneka.com&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Can you spot the difference between the two? Which one is the real Jack Carter? &lt;/p&gt;

&lt;p&gt;The answer is &lt;strong&gt;a&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;look-alike/Misspelled Domain Name Detection&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;One way to detect these emails is to compare the sender address with that of your CEO's actual email address using regular expressions.&lt;/p&gt;

&lt;p&gt;Here's some regex that can be used to detect look-alike or Misspelled domain names that use letter and character substitutions.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Blue highlighted text = text matches regex&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Letter Substitution&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;@e(?:[^u]reka|u[^r]eka|ur[^e]ka|ure[^k]a|urek[^a]|eurk[^a])\.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Detection&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.spenceralessi.com%2Fassets%2Fimg%2Flettersubfake.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.spenceralessi.com%2Fassets%2Fimg%2Flettersubfake.png" alt="Letter Substitution Fake Domain"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Play with this regex: &lt;a href="https://regex101.com/r/tPVqPG/1/" rel="noopener noreferrer"&gt;https://regex101.com/r/tPVqPG/1/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Character Substitution&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;@e(?!ureka\.com).?u.?r.?e.?k.?a\.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Detection&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.spenceralessi.com%2Fassets%2Fimg%2Fcharactersubfake.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.spenceralessi.com%2Fassets%2Fimg%2Fcharactersubfake.png" alt="Character Substitution Fake Domain"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Play with this regex: &lt;a href="https://regex101.com/r/nv7uIT/1" rel="noopener noreferrer"&gt;https://regex101.com/r/nv7uIT/1&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;CEO Fraud Technique 2: Using your CEO's Name with a Random Domain Name&lt;/h1&gt;

&lt;p&gt;As the title of this section implies, there is another technique that I have seen attackers use. They will use your CEO's name or a variation of their name combined with a random domain name.&lt;/p&gt;

&lt;p&gt;The thing I want you to focus on here is the &lt;strong&gt;sender name&lt;/strong&gt;, everything before the @ symbol. Again, in this blog post, my made up CEO's name is Jack Carter and the company email is eureka[.]com.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;I will repeat myself here because it's so important:&lt;/strong&gt; attackers are hoping that your billing manager or HR rep doesn't pay attention to the sender's information, sees the name, which matches the CEO's name, and continues on to the body of the email. Attackers are banking on your co-workers just being lazy. Encourage your users to stay vigilant and stay aware!&lt;/p&gt;

&lt;p&gt;Ok, here's an example of what I'm talking about:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;a) Jack Carter &amp;lt;whizbank@bankerceo.com&amp;gt;

b) Jack Carter &amp;lt;jcarter@eureka.com&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Can you spot the difference between the two? Which one is the real Jack Carter? &lt;/p&gt;

&lt;p&gt;The answer is &lt;strong&gt;b&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;CEO's Name with a Random Domain Name Detection&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Just like technique 1, one way to detect these emails is to compare the sender name, this time, with your CEO's actual name using regular expressions.&lt;/p&gt;

&lt;p&gt;Here's some regex that can be used to detect names that use character substitutions.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Green highlighted text = text that matches a group of regex&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;character substitution&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;[jJ][aA][cC][kK]\s[cC][aA][rR][tT][eE][rR]
[jJ][aA][cC][kK]\s[a-zA-Z]\s[cC][aA][rR][tT][eE][rR]
[jJ][aA][cC][kK]\s[a-zA-Z][.]\s[cC][aA][rR][tT][eE][rR]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can also combine these into one regex with the | character, wrapped with ()&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;([jJ][aA][cC][kK]\s[cC][aA][rR][tT][eE][rR]|[jJ][aA][cC][kK]\s[aA-zZ]\s[cC][aA][rR][tT][eE][rR]|[jJ][aA][cC][kK]\s[aA-zZ][.]\s[cC][aA][rR][tT][eE][rR])
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Detection&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.spenceralessi.com%2Fassets%2Fimg%2Fcharactersubfake-ceoname.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.spenceralessi.com%2Fassets%2Fimg%2Fcharactersubfake-ceoname.png" alt="Character Substitution Fake CEOs Name"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Play with this regex: &lt;a href="https://regex101.com/r/u1VvHb/1" rel="noopener noreferrer"&gt;https://regex101.com/r/u1VvHb/1&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Now create your email filtering rules&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Once you have some regex figured out, you can go to your email gateway, or whatever you are using to filter email based on rules, and create a rule that uses these regular expressions to detect and handle these emails. I would love to include examples of how to do this with different platforms, but at this point I just don't have access to a variety of platforms.&lt;/p&gt;
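&lt;p&gt;As an added example that is not part of the original post, here is a small Python check that applies both techniques above to a sender's display name and address: the two look-alike domain regexes from technique 1, the CEO display-name regex from technique 2, plus a generalisation of the domain check to any domain one edit (substitution, insertion or deletion) away from the real one. It assumes the post's made-up company (CEO Jack Carter, domain eureka[.]com); the function names are mine, the domain regexes are anchored with $ so only whole domains match, and the middle-initial class is written as [a-z] rather than the post's [aA-zZ].&lt;/p&gt;

```python
import re

# Constructed values for the post's made-up company: the real CEO name
# and the company's real domain (eureka[.]com in the post).
CEO_NAME = "jack carter"
COMPANY_DOMAIN = "eureka.com"

# The post's two domain patterns, anchored to the end of the address so
# that a look-alike with extra labels appended is not accepted as a
# whole-domain match.
LETTER_SUB = re.compile(
    r"@e(?:[^u]reka|u[^r]eka|ur[^e]ka|ure[^k]a|urek[^a]|eurk[^a])\.com$", re.I)
CHAR_SUB = re.compile(r"@e(?!ureka\.com).?u.?r.?e.?k.?a\.com$", re.I)
# Display-name pattern: "Jack Carter", "Jack A Carter" or "Jack A. Carter".
CEO_DISPLAY = re.compile(r"^jack\s(?:[a-z]\.?\s)?carter$", re.I)


def edit_distance(a, b):
    """Levenshtein distance: a substitution, insertion or deletion costs 1.
    This generalises the post's two regexes to any single-character change."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def classify_sender(display_name, address):
    """Return the reasons a sender looks like CEO fraud (empty list = clean)."""
    reasons = []
    name = " ".join(display_name.split()).lower()
    addr = address.strip().lower()
    domain = addr.rsplit("@", 1)[-1]

    # Technique 1: a look-alike domain (letter or character substitution).
    if LETTER_SUB.search(addr):
        reasons.append("letter substitution in domain")
    if CHAR_SUB.search(addr):
        reasons.append("character substitution in domain")
    # Generalisation: any domain exactly one edit away from the real one.
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) == 1:
        reasons.append("domain within one edit of " + COMPANY_DOMAIN)

    # Technique 2: the CEO's display name on a domain that is neither the
    # company's nor a look-alike of it (a "random" domain in the post's words).
    if not reasons and domain != COMPANY_DOMAIN and CEO_DISPLAY.match(name):
        reasons.append("CEO display name on unrelated domain")

    return reasons


if __name__ == "__main__":
    # Constructed samples mirroring the post's two quizzes.
    samples = [("Jack Carter", "jcarter@eureka.com"),
               ("Jack Carter", "jcarter@euneka.com"),
               ("Jack Carter", "whizbank@bankerceo.com")]
    for name, addr in samples:
        print(name, addr, classify_sender(name, addr) or "clean")
```

Feed the gateway's parsed From header (display name and address) into classify_sender and quarantine or tag anything that returns a non-empty list.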




&lt;p&gt;&lt;strong&gt;&lt;em&gt;That’s all I have for now on this topic. I truly hope that someone, maybe 1 or 2 people find value in this. If you did get value from this, please share it and if my thoughts sparked an idea of your own or if you want to continue this conversation, hit me up on Twitter &lt;a href="https://twitter.com/techspence" rel="noopener noreferrer"&gt;@techspence&lt;/a&gt;, I would love to connect!&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>emailsecurity</category>
      <category>phishing</category>
      <category>ceofraud</category>
    </item>
    <item>
      <title>Using Powershell and Microsoft EWS Managed API to download attachments in Exchange 2016</title>
      <dc:creator>Spencer Alessi</dc:creator>
      <pubDate>Tue, 26 Mar 2019 14:46:04 +0000</pubDate>
      <link>https://dev.to/techspence/using-powershell-and-microsoft-ews-managed-api-to-download-attachments-in-exchange-2016-2171</link>
      <guid>https://dev.to/techspence/using-powershell-and-microsoft-ews-managed-api-to-download-attachments-in-exchange-2016-2171</guid>
      <description>

&lt;p&gt;This blog post originally appeared on my website. You can check it out here (&lt;a href="https://www.spenceralessi.com/Using-Powershell-and-Microsoft-EWS-Managed-API-to-download-attachments-in-Exchange-2016"&gt;https://www.spenceralessi.com/Using-Powershell-and-Microsoft-EWS-Managed-API-to-download-attachments-in-Exchange-2016&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;Have you ever used a piece of software that provides no way of saving attachments or reports directly to a file? Yeah, me too. It's frustrating. I'm very passionate about automating repetitive tasks, and the frustration I've had over this particular issue has caused me to look into a solution. What I found was that I can use my beloved Powershell, in combination with the Microsoft Exchange Web Services Managed API, to download attachments from my (or any other) Outlook mailbox. So, to solve this little problem and add a bit of automation, I have created a Powershell script, run from a scheduled task, that does just that. This blog post describes the details of how this Powershell script works. I call it, not so cleverly, &lt;a href="https://github.com/techspence/EWSEmailAttachmentSaver"&gt;EWSEmailAttachmentSaver&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Although this blog post is more related to system administration than security, in terms of who would be creating this type of script at a given organization, my opinion is that the qualities and skills that make up a good sysadmin overlap with the qualities and skills that make up a good information security practitioner. Fortunately, I work for an organization that has a relatively small IT department and I am given the freedom and autonomy to work on projects like this. Also, I've worked my way up the ranks from Help Desk and I am used to creating these scripts and automated processes, because that's what I have been doing for the last 8 years. So now on to explaining the script.&lt;/p&gt;

&lt;p&gt;But first one quick note.&lt;/p&gt;

&lt;p&gt;I think it's really important to make sure you provide good documentation with and/or within your scripts. As I grow and develop my own skills I am reminded regularly how important good documentation is. I will go into more detail about this in another post. But know that, if you plan to use a script in a production environment, please do document it well and use common language and built-in functions. It helps immensely when troubleshooting issues in the future, especially if someone else takes over your scripts.&lt;/p&gt;

&lt;h2&gt;Resources&lt;/h2&gt;

&lt;p&gt;Upon deciding I wanted to create a script to automate some of my daily reports I found some very helpful blog posts. The two main blog posts this script was built from are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://gsexdev.blogspot.com/2012/01/ews-managed-api-and-powershell-how-to.html"&gt;EWS Managed API and Powershell How-To series Part 1&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://gsexdev.blogspot.com/2010/01/writing-simple-scripted-process-to.html"&gt;Writing a simple scripted process to download attachments in Exchange 2007/ 2010 using the EWS Managed API&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Glen's examples and write ups were very helpful in understanding EWS and how to write some Powershell to work with the API. Thanks Glen! If you are interested in learning more about Exchange or Office365 and Powershell, be sure to check out his blog. &lt;a href="https://gsexdev.blogspot.com"&gt;Glen's Exchange and Office 365 Dev Blog&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;EWS Email Attachment Saver&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Requirements&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This script requires:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Exchange 2007 or newer&lt;/li&gt;
&lt;li&gt;Exchange Web Services (EWS) Managed API 2.2&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;User Defined Variables&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;At the top of the script, under the comment section you will see a handful of user defined variables. If you use this script, most of your changes will occur here. This is all pretty standard stuff.&lt;/p&gt;

&lt;p&gt;This script has several functions:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;code&gt;Function LogWrite&lt;/code&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Using &lt;code&gt;!(Test-Path $logpath)&lt;/code&gt; I first check to see if the path to the log file exists; if not, I create it. If it does exist, I use the &lt;code&gt;Add-Content&lt;/code&gt; cmdlet to send the information I've specified to the log file.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;code&gt;Function FindTargetFolder&lt;/code&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This function loops through the processed folder path until the target folder is found. In my script, I've conveniently made the processed folder sit directly underneath the root of my mailbox.&lt;/p&gt;

&lt;p&gt;Fun little side-note, the root of your mailbox is called the &lt;em&gt;Top Information Store&lt;/em&gt; and is sometimes displayed like this &lt;code&gt;\\email@company.com&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Note that my script assumes the &lt;em&gt;processed folder&lt;/em&gt; is a subfolder of the root of the user's mailbox (e.g. &lt;code&gt;\\email@company.com\ProcessedFolder&lt;/code&gt;).&lt;/p&gt;

&lt;p&gt;Fun little fact I found out was that, if you change the &lt;em&gt;processed folder&lt;/em&gt; to be underneath any other folder, including the Inbox, the script requires slight modification.&lt;/p&gt;

&lt;p&gt;If your &lt;em&gt;processed folder&lt;/em&gt; is a subfolder under any other folder you must change &lt;code&gt;$processedfolderpath&lt;/code&gt; and &lt;code&gt;$tftargetidroot&lt;/code&gt; appropriately.&lt;/p&gt;

&lt;p&gt;To quickly view the Outlook folder location, right click on a folder in Outlook, then click Properties.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Example: processed folder is a subfolder of the root mailbox:&lt;/em&gt; &lt;code&gt;Location: \\email@company.com\ProcessedFolder&lt;/code&gt;&lt;/p&gt;



&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$processedfolderpath = "/ProcessedFolder"
$tftargetidroot = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot,$mailbox)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;&lt;em&gt;Example, processed folder is a subfolder of Inbox:&lt;/em&gt; &lt;code&gt;Location: \\email@company.com\Inbox\ProcessedFolder&lt;/code&gt;&lt;/p&gt;



&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$processedfolderpath = "/Inbox/ProcessedFolder"
$tftargetidroot = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox,$processedfolderpath)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;&lt;code&gt;Function FindTargetEmail&lt;/code&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This is the main driver function that controls most of the script's actions. Essentially this function loops through the emails that have been found using our filters, which I will explain in a minute, and then:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Determines the download location based on the attachment name&lt;/li&gt;
&lt;li&gt;Saves the attachment to the download location, then closes it&lt;/li&gt;
&lt;li&gt;Marks the email(s) as read then moves them to the processed folder&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;As you can see there is some splitting of attachment names and some hackery to make sure I move the files to the correct monthly folder. This is just my own OCD; it's not really necessary. :)&lt;/p&gt;

&lt;h2&gt;Using the Exchange EWS API&lt;/h2&gt;

&lt;p&gt;Now that I've explained what the functions do, we can move on to the Exchange EWS API itself. To learn more about it, see &lt;a href="http://www.microsoft.com/en-us/download/details.aspx?id=42951"&gt;Download the Microsoft Exchange Web Services Managed API 2.2 from&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Download and Install the EWS Managed API&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Once you download and install the Exchange EWS API components you need to load the appropriate EWS dll for the API namespace you want to use. By loading the &lt;code&gt;Microsoft.Exchange.WebServices.Data&lt;/code&gt; namespace we have access to a majority of the EWS classes and methods. Here is how you load the EWS dll.&lt;/p&gt;



&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$dllpath = "C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll"
[void][Reflection.Assembly]::LoadFile($dllpath)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Once you load the Web Services dll you can begin working with it. To read more about the EWS API see: &lt;a href="http://msdn.microsoft.com/en-us/library/jj220535(v=exchg.80).aspx"&gt;Microsoft EWS Managed API Reference&lt;/a&gt;. Also note that there are multiple namespaces, for example for things such as Autodiscover and Authentication; I suggest reviewing them if you want to learn more or mess around with other functionality.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Create an EWS Service Object&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Now you need to create an EWS Service Object for the target mailbox. There are many ways you can authenticate to the EWS API. For my script I chose to just use my organization's Autodiscover URL, which allows me to authenticate as the user who is running the script.&lt;/p&gt;



&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$exchangeservice.UseDefaultCredentials = $true
$exchangeservice.AutodiscoverUrl($mailbox)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;This also makes it convenient for me when I turn this script into a scheduled task. I can permission a service account accordingly without having to hard-code credentials in my script. Hard-coded creds should be avoided at all costs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bind to the Inbox&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Now you simply need to bind to the user's Inbox. There are again a few ways to do this. I chose to use the &lt;code&gt;WellKnownFolderName&lt;/code&gt; enum. &lt;code&gt;WellKnownFolderName&lt;/code&gt; defines the common folder names that are used in a user's mailbox.&lt;/p&gt;



&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$inboxfolderid = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox,$mailbox)
$inboxfolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($exchangeservice,$inboxfolderid)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Configure Search Filter&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;One of the last things to do is to create some search filters for the emails we are targeting. This time we are going to use the &lt;code&gt;EmailMessageSchema&lt;/code&gt; class combined with its &lt;code&gt;IsRead&lt;/code&gt;, &lt;code&gt;Subject&lt;/code&gt; and &lt;code&gt;HasAttachments&lt;/code&gt; properties. The subject I am targeting can be seen in the user-defined variables section. I am looking for emails whose subject contains "Path Report." The other filters should be pretty self-explanatory.&lt;/p&gt;

&lt;p&gt;One cool thing to note is that you can chain these filters together, combine them with a logical &lt;code&gt;And&lt;/code&gt;, and create some logic out of it: an email then has to match every filter in the collection.&lt;/p&gt;

&lt;p&gt;Once you create those variables you add them all to a &lt;code&gt;SearchFilterCollection&lt;/code&gt; and use that to find all the emails you're targeting.&lt;/p&gt;



&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$sfunread = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::IsRead, $false)
$sfsubject = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+ContainsSubstring ([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::Subject, $subjectfilter)
$sfattachment = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::HasAttachments, $true)
$sfcollection = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+SearchFilterCollection([Microsoft.Exchange.WebServices.Data.LogicalOperator]::And);
$sfcollection.add($sfunread)
$sfcollection.add($sfsubject)
$sfcollection.add($sfattachment)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;"View" the Results&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I create an item view to limit the query overhead; I chose to have this script retrieve 10 items at a time. This was a tip I found in &lt;a href="https://seanonit.wordpress.com/2014/10/29/using-powershell-and-ews-to-monitor-a-mailbox/"&gt;Using PowerShell and EWS to monitor a mailbox&lt;/a&gt;.&lt;/p&gt;



&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$view = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ItemView -ArgumentList 10
$foundemails = $inboxfolder.FindItems($sfcollection,$view)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;Then I just call &lt;code&gt;FindTargetFolder($processedfolderpath)&lt;/code&gt; and &lt;code&gt;FindTargetEmail($subject)&lt;/code&gt; and you're done.&lt;/p&gt;

&lt;p&gt;Now hit that command line, navigate to the folder where your script resides, and run it using &lt;code&gt;.\EWSEmailAttachmentSaver.ps1&lt;/code&gt;. Make sure you always test your code in a development or test environment BEFORE moving to production. Test, test, test!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;If anyone gets value from this, I would love to know what specifically. And if you have any comments, questions or feedback about anything I wrote above, I would love to continue the dialog on Twitter. Hit me up &lt;a href="http://twitter.com/techspence"&gt;@techspence&lt;/a&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;


</description>
      <category>powershell</category>
      <category>microsoftexchange</category>
      <category>api</category>
    </item>
  </channel>
</rss>
