Wednesday, June 20, 2018

Daily Blog #399: Exploring Extended MAPI part 10

Hello Reader,
         In yesterday's post, written in the middle of a 37-hour journey to Sydney so it's all a blur to me, we talked about the ClientInfo property within the extended MAPI data. I was talking about how this property could be found in sent messages but didn't consider that the sender's MAPI data about how the message was sent would be carried over to the receiver.

Well, I was wrong! It turns out in my testing that, at least for messages sent within an Exchange server, the ClientInfo property of the sender is retained on the messages received and stored by the recipients. I went through emails I received from my coworkers and found a range of ClientInfo strings, two of which I'm going to talk about in this post.

The first is one of my coworkers emailing me from his phone:


As you can see, not only did it provide the method of connection, in this case ActiveSync, meaning it was sent from a phone, but also the email address associated with the ActiveSync connection.

In this example one of my coworkers was using OWA, and rather than try to make a screenshot of a long string I just copied it out of the property:

"Client=OWA;Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/66.0.3359.181Safari/537.36;"

Here I can tell it was sent via webmail (OWA), the version of Windows (Windows 10) and which web browser (Chrome), and from that I can profile all the messages they've sent me.

My first instinct was that this must be some new X-Mailer entry and that this data must be in the header. So I loaded up the header and did not find an X-Mailer header entry or any entry that appears to store this data. There are multiple base64-encoded entries in the headers now that I will start going through tomorrow, but on its face this ClientInfo property is not in the headers; it is being populated and provided within an Exchange server organization.

So how would I use this in a case? Let's say I'm trying to identify when an attacker, who let's just say was trying to get a wire transfer sent out, started sending emails from an internal user's account. A lot of the good attackers will delete their sent messages, so instead you can go through all the messages the other employees received from that account and identify much faster which ones came from the attacker, by isolating which clients each employee normally uses and which client the attacker was using.
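Here is an added example of what that analysis can look like in Python, for both the OWA string above and the "which client did this sender normally use" question. It is not code from the blog; it assumes ClientInfo is a string whose first field is "Client=<name>" followed by the client's user-agent-style details, and the ActiveSync sample shape ("User=<address>") and every message in the sample corpus are constructed for the example rather than taken from a real mailbox.

```python
"""Added example (not the blog's own code): profile which client each
sender uses, from the ClientInfo MAPI property of received messages, and
flag messages sent with a client that is unusual for that sender.

Assumptions, labelled as such: ClientInfo is treated as a string whose
first field is "Client=<name>" followed by the client's user-agent-style
details; the ActiveSync sample shape ("User=<address>") and every message
below are constructed for the example, not taken from a real mailbox.
"""
import re
from collections import Counter, defaultdict

# Regexes for the coarse facts the post pulls out of an OWA ClientInfo string.
CLIENT_RE = re.compile(r"\s*Client=([^;]*);?(.*)", re.S)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
BROWSER_RE = re.compile(r"(Chrome|Firefox|Edge|Safari|Trident)/(\d+)")
OS_RE = re.compile(r"Windows ?NT ?[\d.]+|Mac OS X|Linux|Android|iPhone|iPad")


def parse_client_info(value):
    """Split ClientInfo into the client name plus OS/browser/address hints."""
    m = CLIENT_RE.match(value)
    client, rest = (m.group(1), m.group(2)) if m else ("unknown", value)
    rest = rest.strip().rstrip(";")
    browser = BROWSER_RE.search(rest)
    os_hit = OS_RE.search(rest)
    return {
        "client": client or "unknown",
        "os": os_hit.group(0) if os_hit else None,
        "browser": f"{browser.group(1)} {browser.group(2)}" if browser else None,
        "addresses": EMAIL_RE.findall(rest),
        "details": rest,
    }


def client_signature(info):
    """Collapse a parsed ClientInfo into a comparable 'client | os | browser' key."""
    return " | ".join([info["client"], info["os"] or "-", info["browser"] or "-"])


def profile_senders(messages):
    """Map sender -> Counter of client signatures seen from that sender."""
    profile = defaultdict(Counter)
    for msg in messages:
        sig = client_signature(parse_client_info(msg["client_info"]))
        profile[msg["sender"]][sig] += 1
    return profile


def flag_unusual_clients(messages, min_count=2):
    """Return (id, sender, sent, signature) for messages whose sender used that
    client signature fewer than min_count times in the corpus, oldest first.
    The earliest flagged message per sender is the candidate start of misuse."""
    profile = profile_senders(messages)
    flagged = []
    for msg in sorted(messages, key=lambda m: m["sent"]):
        sig = client_signature(parse_client_info(msg["client_info"]))
        if profile[msg["sender"]][sig] < min_count:
            flagged.append((msg["id"], msg["sender"], msg["sent"], sig))
    return flagged


# Constructed sample corpus: alice normally uses ActiveSync or OWA on Windows
# 10/Chrome 66 (the string quoted in the post); message 7 is a constructed
# "attacker" message from OWA on Linux/Firefox using her account.
OWA_WIN10 = ("Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36;")
OWA_LINUX = "Client=OWA;Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0;"
AS_ALICE = "Client=ActiveSync;User=alice@example.com;"  # assumed/constructed shape

SAMPLE_MESSAGES = [
    {"id": 1, "sender": "alice@example.com", "sent": "2018-06-11T08:15:00", "client_info": AS_ALICE},
    {"id": 2, "sender": "alice@example.com", "sent": "2018-06-11T13:40:00", "client_info": AS_ALICE},
    {"id": 3, "sender": "alice@example.com", "sent": "2018-06-12T09:05:00", "client_info": OWA_WIN10},
    {"id": 4, "sender": "bob@example.com", "sent": "2018-06-12T09:30:00", "client_info": OWA_WIN10},
    {"id": 5, "sender": "alice@example.com", "sent": "2018-06-12T17:50:00", "client_info": AS_ALICE},
    {"id": 6, "sender": "bob@example.com", "sent": "2018-06-13T08:10:00", "client_info": OWA_WIN10},
    {"id": 7, "sender": "alice@example.com", "sent": "2018-06-13T03:22:00", "client_info": OWA_LINUX},
    {"id": 8, "sender": "alice@example.com", "sent": "2018-06-13T10:00:00", "client_info": OWA_WIN10},
    {"id": 9, "sender": "bob@example.com", "sent": "2018-06-13T11:45:00", "client_info": OWA_WIN10},
]

if __name__ == "__main__":
    for sender, counts in profile_senders(SAMPLE_MESSAGES).items():
        print(sender, dict(counts))
    for row in flag_unusual_clients(SAMPLE_MESSAGES):
        print("UNUSUAL:", row)
```

The signature deliberately drops the full browser build number so that a routine Chrome update does not look like a new client; tighten or loosen the key depending on how stable the employees' clients are in the mailbox you are reviewing.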

As this series continues I'll be writing Python code to automate this analysis, and I'm looking forward to finding out what all we can mine out!