One of the more common ways for sensitive data to leak from an organization is through email. Whether intentionally or through carelessness, employees will often include passwords, financial information, and other important data in emails that wind up in the wrong hands.
Depending upon the kind of information, this can either be slightly embarrassing or potentially catastrophic for the organization. Attackers covet email spools for key corporate employees for just this reason, and Beau Bullock, a security analyst at Black Hills Information Security, has developed a new tool called MailSniper that can identify potentially sensitive information in target email boxes before it leaves the organization.
Part of the motivation for creating the tool was the need for something to search out information in email that could be used to access other accounts during a penetration test, Bullock said.
“Having the power to search through email is huge when hunting for sensitive data. For example, a simple search for the term ‘*password*’ in the body and subject of every email might return instructions on how to access certain systems along with what credentials to use. At an energy company a search for ‘*scada*’ or ‘*industrial control system*’ might return a conversation detailing the location of sensitive ICS devices,” he said in a blog post explaining MailSniper’s functionality.
But there’s also the issue of potentially damaging data leaving the organization, whether it’s financial information or customer data that could represent a regulatory violation.
“At a financial institution a search for ‘*credit card*’ might reveal where employees have been sending credit card numbers in cleartext over email. At a healthcare organization searching for ‘*SSN*’ or ‘*Social Security number*’ could return potential health care data,” he said.
“Organizations can use it for internal investigations or even to determine how widespread malicious emails have propagated.”
MailSniper has two modes, one for searching the current user’s mailbox and another for searching all of the mailboxes in a given domain. Designed to run in Microsoft Exchange environments, the tool can run remotely and gives the user the ability to impersonate the current user and perform a long list of other tasks. Although Bullock developed MailSniper for use by penetration testers mainly, he said it could be used by internal teams as well.
“One example from a non-penetration testing viewpoint would be that internal teams could use it on a regular basis to search for specific terms that should be protected and not leaving or being circulated in an environment using a plain text protocol. Another example, organizations can use it for internal investigations or even to determine how widespread malicious emails have propagated within an environment,” Bullock said by email.
The code for MailSniper is available on GitHub, and Bullock warned that it is still under development and is in beta right now. He said he focused on Exchange because of its dominance in corporate environments, but would like to look at other email systems for future MailSniper versions, too.
“The core idea of searching email on other services besides Exchange would completely rely on how those services are built. Exchange Web Services made it fairly straightforward for me to gather mails and search them. I focused on Exchange due to how widespread it is but would definitely like to look at writing in the ability to do this on other services,” Bullock said.