Microsoft ATP - URL Encoding Breaks Email Reporting Function #1975

Closed
CMS009 opened this issue Sep 17, 2020 · 3 comments
@CMS009

CMS009 commented Sep 17, 2020

What version of Gophish are you using?: 0.11.0

Brief description of the issue: When using Microsoft ATP, its URL encoding seems to break the Email reporting feature. Or if it's looking at X-Headers, I've not determined which one is the culprit.

What are you expecting to see happen? : When a user reports a simulated phishing email that's been processed (URL encoded) by Microsoft ATP, it should show (on the GoPhish campaign page) as successfully reported by the user.

What are you seeing happen? The email is processed (read by GoPhish using IMAP), but does not show as reported in the campaign.

Example of MS ATP encoded format:

https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgophish.example.com%2F%3Frid%3DYbkD7ke&data=02%7C01%7Cuser%40example.com%7Cc44588be037dfcje93gsh29s85b20b877%7C77aa56fb226e4666a99ea1c1b3fc9551%7C0%7C0%7C637359526304827107&sdata=qd8uZgv43w0dkd0274gbh1049fn5lH%2FLhBkLfUtiKeA%3D&reserved=0

Example of MS ATP UTF-8 decoded format:

https://nam10.safelinks.protection.outlook.com/?url=https://gophish.example.com/?rid=YbkD7ke&data=02|01|user@example.com|c44588be037dfcje93gsh29s85b20b877|77aa56fb226e4666a99ea1c1b3fc9551|0|0|637359526304827107&sdata=qd8uZgv43w0dkd0274gbh1049fn5lH/LhBkLfUtiKeA=&reserved=0

Please provide as many steps as you can to reproduce the problem:
It seems if I turn off the Microsoft ATP feature, the plain unencoded URL works (reports as expected).

@glennzw
Collaborator

glennzw commented Sep 18, 2020

I modified the regex matching pattern that handles finding ?rid=abc1234 with an or operator to allow either '=' or '%3D' and '?' or '%3F'. I'm not sure if there's a more elegant approach. Another solution is to check for safelinks.protection.outlook.com/?url= and decode the URL that follows, but that's more cumbersome.

I opened a pull request here #1976 with the above fix.

@CMS009 would you mind taking it for a spin and seeing if it works? You'll need to download and compile. In case you need help with that, do the following:

```
git clone git@github.com:gophish/gophish.git
cd gophish
git checkout imap-microsoft-atp-fix
go build && ./gophish
```
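
The two approaches described in the comment above, side by side, as an added Go example that is not part of the issue thread or the Gophish code base. The regex, the function names and the alphanumeric `rid` alphabet are assumptions, and the sample URL is constructed from the issue's example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Assumed pattern (not the merged Gophish regex): "?rid=" literal or with "?"/"=" percent-encoded.
var ridPattern = regexp.MustCompile(`(?i)(?:\?|%3F)rid(?:=|%3D)([A-Za-z0-9]+)`)

// urlPattern finds candidate http(s) URLs in a message body.
var urlPattern = regexp.MustCompile(`https?://[^\s"'<>]+`)

// ridByRegex is the first approach: one tolerant regex over the raw body.
func ridByRegex(body string) (string, bool) {
	if m := ridPattern.FindStringSubmatch(body); m != nil {
		return m[1], true
	}
	return "", false
}

// ridByUnwrap is the second approach: unwrap Safe Links URLs, then read rid from the inner query.
func ridByUnwrap(body string) (string, bool) {
	for _, raw := range urlPattern.FindAllString(body, -1) {
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		if strings.HasSuffix(strings.ToLower(u.Hostname()), ".safelinks.protection.outlook.com") {
			// Query().Get percent-decodes the wrapped target exactly once.
			if inner, err := url.Parse(u.Query().Get("url")); err == nil {
				u = inner
			}
		}
		if rid := u.Query().Get("rid"); rid != "" {
			return rid, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample body, shortened from the encoded format shown in the issue.
	body := "https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgophish.example.com%2F%3Frid%3DYbkD7ke&reserved=0"
	fmt.Println(ridByRegex(body))
	fmt.Println(ridByUnwrap(body))
}
```

The unwrap variant matches on the parsed hostname suffix rather than a substring of the body, so a look-alike host that merely contains the Safe Links domain in its path or query is not unwrapped.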

@jordan-wright
Collaborator

Fixed via #1976. If you continue to run into issues, just let us know and we can revisit that fix :)

@CMS009
Author

CMS009 commented Sep 24, 2020

@glennzw It works like a champ! Thanks.
