Last active
November 2, 2017 11:38
-
-
Save CERT-W/e9d4a3c9788f7bc2a0fb7200d5201cae to your computer and use it in GitHub Desktop.
PowerShell script to search for plaintext encrypted mails (CVE-2017-11776) - must be run while Outlook is running
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# DOES NOT WORK IN CONSTRAINED LANGUAGE MODE #> | |
| Function Find-Recurse { | |
| Param( | |
| [parameter(Mandatory=$true)] | |
| $Folder, | |
| $Level=0 | |
| ) | |
| $Indent = "`t"*$Level | |
| Write-Host "[-]$Indent Entering '$($Folder.Name)'" | |
| $Folder.Folders | ForEach-Object { | |
| Find-Recurse -Folder $_ -Level $($Level+1) | |
| } | |
| $Folder.Items | | |
| ForEach-Object { | |
| If ($_.MessageClass -eq "IPM.Note.SMIME" -And $_.SentOn.Year -eq 2017 -And $_.BodyFormat -eq 1) { | |
| Write-Host "[-]$Indent Found '$($_.Subject)' sent by '$($_.SenderName)' to '$($_.To)' on '$($_.ReceivedTime)'" | |
| } | |
| } | |
| } | |
| Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null | |
| $olFolders = "Microsoft.Office.Interop.Outlook.olDefaultFolders" -as [type] | |
| $outlook = new-object -comobject outlook.application | |
| $namespace = $outlook.GetNameSpace("MAPI") | |
| $namespace.Folders | % { $_.Folders | % {Find-Recurse -Folder $_ -Level 1}} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment