Daily Blog #398: Exploring Extended MAPI Part 9

Exploring Extended MAPI Part 9 - by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
           As I write this I'm flying over Canada and on my way to Sydney via Dubai. Satellite inflight internet really is an amazing thing!

In this post I was going to talk about what was set on the message I forwarded and received yesterday but as I was looking at the extended MAPI fields in OutlookSpy I noticed that several had no description next to them but had dates:

Exploring Extended MAPI Part 9 - by David Cowen - Hacking Exposed Computer Forensics Blog


This was interesting to say the least which sent me on some extensive Googling where I ran across yet another interesting piece of data. There is a MAPI property only set on sent messages that records the type of Client connection that existed when the message was sent.

This was the Client connection type for the message I forwarded to myself sitting in my sent box:

Exploring Extended MAPI Part 9 - by David Cowen - Hacking Exposed Computer Forensics Blog

I found an exchange blog from 2016 about this field: https://gsexdev.blogspot.com/2016/02/mining-clientinfo-property-in-messages.html?view=classic

Now what is interesting to me is three fold:
1. The property tag has changed since 2016 from 0x866F to 0x84A6, which means some reading up on MSDN is order to figure out if there was a reason why
2. My ClientInfo property is showing I sent this using the ExchangeRPC connection from Outlook.
3. The blog post I referenced above showed not just Exchange or OWA but also useragent data from web browsers!

I think this is something we could profile sent messages in a mailbox from. Not only to see messages sent via mobile versus desktop, but also to profile and find all the messages an attacker forwarded or replied to when they were accessing someones mailbox.

I plan to do some testing on this property this week, but I'll need a bit more bandwidth than what this satellite wifi connection can do to do so. So until tomorrow, thanks for reading!



This is a 19-part series on Exploring Extended MAPI. You can find the rest of the posts here

Post a Comment