0

I have in my inbox what I believe to be (95% sure) a phishing attack email or my IT department doing a phishing attack knowledge awareness campaign.

I'm a very curious person by nature and I'd like to poke around and see what is under the hood. What would be the safest way to open the document to see its actions and eventually de-compile it (I'm thinking of using JetBrains dotPeek).

Currently my plan is to spin up a VM install Sandboxie (probably overkill) and open up the attachment.

My question is what settings/steps should I take into consideration on my VM before opening up the attachment. Are there default ports open that would expose areas of attack to this attachment or [Insert knowledge you know that I don't even know to ask]. Secondly can I simulate that the VM is connected to the internet/network without being connected. In the case that the app waits for a connection before pinging/triggering.

Also what application would you use to track outbound requests made by the attachment or internal alterations to the OS/Environment/...

I'm leaving out the attachment type because I'd like to make a glass cage (I can see it but it can't interact with me) as general purpose tool.

Lastly I'm 90% sure but I'm still going to check. Downloading an attachment and not opening it is safe. There are no known vulnerabilities exposed in just downloading a file as long as it is not opened or executed (Is there a background process that could scan the file and could trigger it somehow)? If this is not safe, how would you transfer the file from an Outlook email to the VM?

schroeder
  • 125,553
  • 55
  • 289
  • 326

0 Answers0