On every external pen-test I do, after the information gathering and enumeration phase, I prepare some spear-phishing campaigns. My favorite method is using Word macros because most companies use a Windows environment and the Microsoft Office pack is widely used.
During a pen-test, one of the problems that I faced was that the mail gateway was rejecting every email that contained a macro. Even if it was encoded, obfuscated, encrypted, or even empty, the email gateway rejected our emails.
Since I didn't have some l33t 0day for all the versions of Microsoft Word (the company used different versions), I had to find a different way to spear-phish the employees.
Then I remembered a post about a Word Exploit generator which used an unusual way to track how many times the document was opened. Microsoft Word had an undocumented function that can load a remote picture. The malware creators used HTTP to map the users who opened the files.
Then I thought, why not try the 'file://' handler?
If you want to…