π

A Reasonable Secure Environment for Reading Potentially Harmful Emails

Show Sidebar

Consider following situation: you are responsible for important things within your company. One of those responsibilities is that you are the one that gets job applications or emails from potential business partners. Of course, your company is using the most dangerous IT environment there is: MS Windows, Exchange/Outlook, MS Office, Adobe Acrobat Reader, IE with flash.

You Are Exposed

You have basically all important attack vectors against you. It is just a matter of time that you are going to open an infected email or infected attachment. Without noticing, your computer gets turned into a gateway for the bad guys. The whole network gets infiltrated using your computer. A competitor is able to get the source code of your latest product, all financial documents got leaked. Or you infect the whole company with ransomware. Not funny. Welcome to a thing called spear phishing.

According to many statistics from independent sources, this happens more often than we think. Even when a company notices an attack - which they hardly do - most attacks do not get reported anywhere.

And yes, it is that easy to hi-jack a computer using Outlook, IE, Flash, Word, and so on.

What To Do About That

Since not everybody is able to choose their environment and switch over to a secure operating system that allows safe opening of malware-infected documents, you have to look for a workaround.

I have tested a method using free and open source tools which can be set-up by any IT savvy person within an hour or so.

The basic idea is to use a VirtualBox container (VM) with a minimal GNU/Linux operating system. In this VM, a hardened web browser is accessing the Outlook on the web, previously known as Outlook Web Access (OWA). For opening attachments, a hardened PDF viewer and Office package is used.

The user gets a shortcut link to the VM on his/her desktop. After starting the link, a new window appears, the user logs into the web-based Outlook using his/her credentials (not using the insecure password storage of the browser). Any email can be opened and read. Attachments can be opened in the hardened applications. To be on the safe side, you can even configure the VM that way that nothing gets persisted on its virtual hard disk. This way, the VM always starts in the same status and no malware is able to persist itself in the system.

How I Did It

Here is a brief list of tasks I did which you can follow:

Configure xfce4

Configure Firejail

Configure Firefox

Configure LibreOffice

Finalize the VM

Result

When the windows user starts the link on his/her desktop, the VM opens up with the OWA log-in screen. After logging in, emails can be read and attachments are opened in an offline sandbox.

You now have to instruct the user how to switch back the mouse to Windows (using the right Ctrl key) and to properly shut down the VM.

Enjoy.

No Silver Bullet

To be clear about it: this method is no silver bullet. Yes, you may infect your (GNU/Linux) environment but it is much harder to do. If you transfer malicious files from this VM to your Windows machine or still open (or preview) malicious emails in Outlook, you can get hacked.

For many threats, this VM encapsulation with offline PDF reader and office tools offers a viable method to stay sane.

Comment via email or via Disqus comments below: