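/// <summary>
/// Parses the raw transport headers of <paramref name="mailItem"/> into a lookup from
/// header name to every value recorded under that name.
/// </summary>
/// <param name="mailItem">The Outlook item whose header text is read through <c>HeaderString()</c>.</param>
/// <returns>
/// A lookup keyed by the <c>header_key</c> capture of <c>HeaderRegex</c>. Each entry holds the
/// matching <c>header_value</c> captures in the order they occur in the header text.
/// Keys compare case-insensitively.
/// </returns>
/// <remarks>
/// The header text comes from the received message, so names and values are chosen by the
/// sender and a header may be repeated. Callers should not treat one value as authoritative.
/// </remarks>
public static ILookup<string, string> HeaderLookup(this MailItem mailItem)
{
    // HeaderString() is defined outside this block. A null result is treated as "no headers"
    // so that Regex.Matches does not throw ArgumentNullException.
    var rawHeaders = mailItem.HeaderString() ?? string.Empty;

    var matches = Regex.Matches(rawHeaders, HeaderRegex, RegexOptions.Multiline).Cast<Match>();

    // Header field names are case-insensitive, so "x-preparedby" and "X-PreparedBy" must
    // land in the same group. The default comparer would split them into separate keys.
    return matches.ToLookup(
        m => m.Groups["header_key"].Value,
        m => m.Groups["header_value"].Value,
        System.StringComparer.OrdinalIgnoreCase);
}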
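/// <summary>
/// Ribbon callback that prepares a report mail to the security team for the single item
/// selected in the active explorer. The selected item is attached to the report, and for a
/// mail item its transport headers are copied into the body.
/// </summary>
/// <param name="control">The ribbon control that raised the callback (not used).</param>
/// <remarks>
/// If the headers identify the message as a Swordphish exercise, only the Swordphish
/// notification is sent and no report mail is shown. Otherwise the draft is saved and
/// displayed so the user can review it before sending.
/// </remarks>
private void CreateNewMailToSecurityTeam(IRibbonControl control)
{
    Selection selection = Globals.ThisAddIn.Application.ActiveExplorer().Selection;

    if (selection.Count < 1)
    {
        MessageBox.Show("Please select one mail.");
        return;
    }

    if (selection.Count > 1)
    {
        MessageBox.Show("Please select only one mail to be raised to the security team.");
        return;
    }

    // Exactly one item is selected. Outlook collections are one-based; the item is read
    // once and reused instead of indexing the selection for every type test.
    object selectedItem = selection[1];
    MailItem mailItem = selectedItem as MailItem; // null when the item is not a mail

    MailItem tosend = (MailItem)Globals.ThisAddIn.Application.CreateItem(OlItemType.olMailItem);

    try
    {
        // Attaching happens inside the try so that a failure to embed the item reaches
        // the error path below instead of escaping the ribbon callback.
        tosend.Attachments.Add(selectedItem);

        tosend.To = Properties.Settings.Default.Security_Team_Mail;
        tosend.Subject = "[User Alert] Suspicious mail";
        tosend.CC = Properties.Settings.Default.Security_Team_Mail_cc;
        tosend.BCC = Properties.Settings.Default.Security_Team_Mail_bcc;

        // Retrieve the message headers, or a placeholder naming the item type.
        string allHeaders;
        if (mailItem != null)
        {
            allHeaders = mailItem.HeaderString();
        }
        else
        {
            string typeFound = "unknown";
            if (selectedItem is Outlook.MeetingItem)
            {
                typeFound = "MeetingItem";
            }
            else if (selectedItem is Outlook.ContactItem)
            {
                typeFound = "ContactItem";
            }
            else if (selectedItem is Outlook.AppointmentItem)
            {
                typeFound = "AppointmentItem";
            }
            else if (selectedItem is Outlook.TaskItem)
            {
                typeFound = "TaskItem";
            }

            allHeaders = "Selected Outlook item was not a mail (" + typeFound + "), no header extracted";
        }

        // NOTE(review): allHeaders comes from the reported message, so whatever
        // SetHeaderIDtoURL extracts from it is sender-controlled. Confirm, outside this
        // block, that the resulting URL is pinned to the configured Swordphish server
        // before SendNotification issues a request to it.
        string SwordPhishURL = SwordphishObject.SetHeaderIDtoURL(allHeaders);
        if (SwordPhishURL != SwordphishObject.NoHeaderFound)
        {
            // Simulated campaign: notify the server only. The draft created above is
            // neither saved nor displayed on this path.
            SwordphishObject.SendNotification(SwordPhishURL);
        }
        else
        {
            tosend.Body = "Hello, I received the attached email and I think it is suspicious";
            tosend.Body += "\n";
            tosend.Body += "I think this mail is malicious for the following reasons:";
            tosend.Body += "\n";
            tosend.Body += "Please analyze and provide some feedback.";
            tosend.Body += "\n";
            tosend.Body += "\n";
            tosend.Body += GetCurrentUserInfos();
            tosend.Body += "\n\nMessage headers: \n--------------\n" + allHeaders + "\n\n";
            tosend.Save();
            tosend.Display();
        }
    }
    catch (System.Exception ex)
    {
        // Fall back to a plain error mail. The full exception text goes into the body,
        // and the mail is displayed rather than sent, so the user sees it first.
        MessageBox.Show("Using default template" + ex.Message);
        MailItem mi = (MailItem)Globals.ThisAddIn.Application.CreateItem(OlItemType.olMailItem);
        mi.To = Properties.Settings.Default.Security_Team_Mail;
        mi.Subject = "Security addin error";
        String txt = ("An error occured, please notify your security contact and give him/her the following information: " + ex);
        mi.Body = txt;
        mi.Save();
        mi.Display();
    }
}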
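/// <summary>
/// Ribbon callback that prepares a localized report mail to the security team for the
/// single item selected in the active explorer. The selected item is attached to the
/// report, and for a mail item its transport headers are copied into the body.
/// </summary>
/// <param name="control">The ribbon control that raised the callback (not used).</param>
/// <remarks>
/// All user-visible text is read from <c>Resources</c>. If the headers identify the message
/// as a Swordphish exercise, only the Swordphish notification is sent. Otherwise the draft
/// is saved and displayed so the user can review it before sending.
/// </remarks>
private void CreateNewMailToSecurityTeam(IRibbonControl control)
{
    Selection selection = Globals.ThisAddIn.Application.ActiveExplorer().Selection;

    if (selection.Count < 1)
    {
        MessageBox.Show(Resources.MsgSelectOneMail, Resources.MsgBox_Title);
        return;
    }

    if (selection.Count > 1)
    {
        MessageBox.Show(Resources.MsgSelectOnlyOneMail, Resources.MsgBox_Title);
        return;
    }

    // Exactly one item is selected. Outlook collections are one-based; the item is read
    // once and reused instead of indexing the selection again.
    object selectedItem = selection[1];
    MailItem mailItem = selectedItem as MailItem; // null when the item is not a mail

    MailItem tosend = (MailItem)Globals.ThisAddIn.Application.CreateItem(OlItemType.olMailItem);

    try
    {
        // Attaching happens inside the try so that a failure to embed the item reaches
        // the error path below instead of escaping the ribbon callback.
        tosend.Attachments.Add(selectedItem);

        tosend.To = Properties.Settings.Default.Security_Team_Mail;
        tosend.Subject = Resources.EmailSubject;
        tosend.CC = Properties.Settings.Default.Security_Team_Mail_cc;
        tosend.BCC = Properties.Settings.Default.Security_Team_Mail_bcc;

        // Headers for a mail item, otherwise the localized "not a mail" placeholder.
        // The placeholder does not name the item type, so no type is worked out here.
        string allHeaders = (mailItem != null) ? mailItem.HeaderString() : Resources.ItemNotMail;

        // NOTE(review): allHeaders comes from the reported message, so whatever
        // SetHeaderIDtoURL extracts from it is sender-controlled. Confirm, outside this
        // block, that the resulting URL is pinned to the configured Swordphish server
        // before SendNotification issues a request to it.
        string SwordPhishURL = SwordphishObject.SetHeaderIDtoURL(allHeaders);
        if (SwordPhishURL != SwordphishObject.NoHeaderFound)
        {
            // Simulated campaign: notify the server only. The draft created above is
            // neither saved nor displayed on this path.
            SwordphishObject.SendNotification(SwordPhishURL);
        }
        else
        {
            tosend.Body = Resources.EmailBody_line1;
            tosend.Body += "\n";
            tosend.Body += Resources.EmailBody_line2;
            tosend.Body += "\n";
            tosend.Body += Resources.EmailBody_YourReason;
            tosend.Body += "\n";
            tosend.Body += Resources.EmailBody_line3;
            tosend.Body += "\n";
            tosend.Body += "\n";
            tosend.Body += GetCurrentUserInfos();
            tosend.Body += "\n\n" + Resources.EmailBody_msgHeader + ": \n--------------\n" + allHeaders + "\n\n";
            tosend.Save();
            tosend.Display();
        }
    }
    catch (System.Exception ex)
    {
        // Fall back to a plain error mail. The full exception text goes into the body,
        // and the mail is displayed rather than sent, so the user sees it first.
        MessageBox.Show(Resources.UsingDefaultTemplate + ex.Message, Resources.MsgBox_Title);
        MailItem mi = (MailItem)Globals.ThisAddIn.Application.CreateItem(OlItemType.olMailItem);
        mi.To = Properties.Settings.Default.Security_Team_Mail;
        mi.Subject = Resources.ErrorSubject;
        String txt = (Resources.ErrorText + ex);
        mi.Body = txt;
        mi.Save();
        mi.Display();
    }
}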
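/*
 * Helper functions
 */

/// <summary>
/// Ribbon callback that reports the single selected Outlook item to the information
/// security mailbox. The item is attached to the report, which is sent automatically
/// without being shown to the user.
/// </summary>
/// <param name="control">The ribbon control that raised the callback (not used).</param>
/// <remarks>
/// If the headers identify the message as a simulated GoPhish campaign, only the GoPhish
/// server is notified and no report mail is sent. A reported mail item is deleted after
/// reporting. Other item types are reported but left in place.
/// </remarks>
private void reportPhishingEmailToSecurityTeam(IRibbonControl control)
{
    Selection selection = Globals.ThisAddIn.Application.ActiveExplorer().Selection;

    if (selection.Count < 1) // no item is selected
    {
        MessageBox.Show("Select an email before reporting.", "Error");
        return;
    }

    if (selection.Count > 1) // many items selected
    {
        MessageBox.Show("You can report 1 email at a time.", "Error");
        return;
    }

    // Exactly one item is selected. Outlook collections are one-based; the item is read
    // once and reused for every type test below.
    object selectedItem = selection[1];

    // Identify the reported item type. "NaN" means the type is not reportable.
    string reportedItemType = "NaN";
    if (selectedItem is Outlook.MeetingItem)
    {
        reportedItemType = "MeetingItem";
    }
    else if (selectedItem is Outlook.ContactItem)
    {
        reportedItemType = "ContactItem";
    }
    else if (selectedItem is Outlook.AppointmentItem)
    {
        reportedItemType = "AppointmentItem";
    }
    else if (selectedItem is Outlook.TaskItem)
    {
        reportedItemType = "TaskItem";
    }
    else if (selectedItem is Outlook.MailItem)
    {
        reportedItemType = "MailItem";
    }

    if (reportedItemType == "NaN")
    {
        MessageBox.Show("You cannot report this item", "Error");
        return;
    }

    // Non-null only when the selected item is an email.
    MailItem mailItem = (reportedItemType == "MailItem") ? selectedItem as MailItem : null;

    MailItem reportEmail = (MailItem)Globals.ThisAddIn.Application.CreateItem(OlItemType.olMailItem);

    try
    {
        // Attaching happens inside the try so that a failure to embed the item is
        // reported to support instead of escaping the ribbon callback.
        reportEmail.Attachments.Add(selectedItem);

        reportEmail.To = Properties.Settings.Default.infosec_email;

        // For an email the subject is included; otherwise the item type is stated.
        reportEmail.Subject = (mailItem != null)
            ? "[POTENTIAL PHISH] " + mailItem.Subject
            : "[POTENTIAL PHISH] " + reportedItemType;

        // Get the email headers, or a placeholder for non-mail items.
        string reportedItemHeaders = (mailItem != null)
            ? mailItem.HeaderString()
            : "Headers were not extracted because the reported item is not an email. It is " + reportedItemType;

        // Check if the email is a simulated phishing campaign by the Information Security Team.
        // NOTE(review): the headers come from the reported message, so whatever
        // setReportURL extracts from them is sender-controlled. Confirm, outside this
        // block, that the URL is pinned to the configured GoPhish server before
        // sendReportNotificationToServer issues a request to it.
        string simulatedPhishingURL = GoPhishIntegration.setReportURL(reportedItemHeaders);
        if (simulatedPhishingURL != "NaN")
        {
            GoPhishIntegration.sendReportNotificationToServer(simulatedPhishingURL);

            // Update the GoPhish campaigns reported counter.
            // NOTE(review): the setting is not saved in this block; confirm it is persisted elsewhere.
            Properties.Settings.Default.gophish_reports_counter++;

            MessageBox.Show("Good job! You have reported a simulated phishing campaign sent by the Information Security Team.", "We have a winner!");
        }
        else
        {
            // Update the suspicious emails reported counter (the setting name keeps its original spelling).
            Properties.Settings.Default.suspecious_reports_counter++;

            // Prepare the email body.
            // NOTE(review): mailItem is null for non-mail items. GetBasicInfo and
            // GetURLsAndAttachmentsInfo are defined outside this block; confirm they
            // tolerate a null argument.
            reportEmail.Body = GetCurrentUserInfos();
            reportEmail.Body += "\n";
            reportEmail.Body += GetBasicInfo(mailItem);
            reportEmail.Body += "\n";
            reportEmail.Body += GetURLsAndAttachmentsInfo(mailItem);
            reportEmail.Body += "\n";
            reportEmail.Body += "---------- Headers ----------";
            reportEmail.Body += "\n" + reportedItemHeaders;
            reportEmail.Body += "\n";
            reportEmail.Body += GetPluginDetails() + "\n\n";
            reportEmail.Save();
            // reportEmail.Display(); // helps in debugging
            reportEmail.Send(); // automatically send the email
        }

        // Delete the reported email. For meeting, contact, appointment and task items
        // mailItem is null; an unguarded call would throw after the report had already
        // gone out and send the user down the error path.
        if (mailItem != null)
        {
            mailItem.Delete();
        }
    }
    catch (System.Exception ex)
    {
        MessageBox.Show("There was an error! An automatic email was sent to the support to resolve the issue.", "Do not worry");

        // The full exception text, stack trace included, is mailed to the support address.
        MailItem errorEmail = (MailItem)Globals.ThisAddIn.Application.CreateItem(OlItemType.olMailItem);
        errorEmail.To = Properties.Settings.Default.support_email;
        errorEmail.Subject = "[Outlook Addin Error]";
        errorEmail.Body = ("Addin error message: " + ex);
        errorEmail.Save();
        // errorEmail.Display(); // helps in debugging
        errorEmail.Send(); // automatically send the email
    }
}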
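// Calculating method
/// <summary>
/// Scores <paramref name="mailItem"/> with the body, attachment and meta analyzers and
/// caches the result in <c>checkedMails</c> under the item's <c>EntryID</c>.
/// </summary>
/// <param name="mailItem">
/// The mail to score. It must not be null, because <c>EntryID</c> is read before anything else.
/// </param>
/// <returns>
/// The cached <c>ModelScoring</c> when this <c>EntryID</c> was scored before. Otherwise a
/// new one built from the summed analyzer scores, the collected check results, the header
/// string and the <c>EntryID</c>.
/// </returns>
/// <remarks>
/// Nothing in this method invalidates a cache entry. Once an <c>EntryID</c> has been scored,
/// the same result is returned for it on every later call.
/// </remarks>
public ModelScoring getSummary(MailItem mailItem)
{
    string entryId = mailItem.EntryID;

    // Return the earlier result if this mail was already scored (single lookup).
    ModelScoring cached;
    if (checkedMails.TryGetValue(entryId, out cached))
    {
        return cached;
    }

    var CheckResults = new List<CheckResult>();
    AnalyzerBody bodyAnalyse = new AnalyzerBody();
    AnalyzerAttachement attachmentAnalyze = new AnalyzerAttachement();
    AnalyzerMeta metaAnalyze = new AnalyzerMeta();

    // Collects one analyzer's findings. A null list is skipped, and null entries are
    // removed from the analyzer's own list before it is merged.
    Action<List<CheckResult>> addRange = found =>
    {
        if (found != null)
        {
            found.RemoveAll(entry => entry == null);
            CheckResults.AddRange(found);
        }
    };

    // The body and attachments are untrusted message content handed to the analyzers.
    addRange(bodyAnalyse.Analyze(mailItem.HTMLBody));
    addRange(attachmentAnalyze.Analyze(mailItem.Attachments));
    addRange(metaAnalyze.Analyze(mailItem));

    Debug.WriteLine("---CHECK RESULTS---");
    foreach (CheckResult cr in CheckResults)
    {
        Debug.WriteLine(cr);
    }
    Debug.WriteLine("---END CHECK RESULTS---");

    // Store the new model in the cache and return that same instance.
    var scoring = new ModelScoring(
        bodyAnalyse.Score + attachmentAnalyze.Score + metaAnalyze.Score,
        CheckResults,
        mailItem.HeaderString(),
        entryId);
    checkedMails.Add(entryId, scoring);
    return scoring;
}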