A Reasonable Secure Environment for Reading Potentially Harmful Emails

Consider following situation: you are responsible for important things within your company. One of those responsibilities is that you are the one that gets job applications or emails from potential business partners. Of course, your company is using the most dangerous IT environment there is: MS Windows, Exchange/Outlook, MS Office, Adobe Acrobat Reader, IE with flash.

You have basically all important attack vectors against you. It is just a matter of time that you are going to open an infected email or infected attachment. Without noticing, your computer gets turned into a gateway for the bad guys. The whole network gets infiltrated using your computer. A competitor is able to get the source code of your latest product, all financial documents got leaked. Or you infect the whole company with ransomware. Not funny. Welcome to a thing called spear phishing.

According to many statistics from independent sources, this happens more often than we think. Even when a company notices an attack - which they hardly do - most attacks do not get reported anywhere.

And yes, it is that easy to hi-jack a computer using Outlook, IE, Flash, Word, and so on.

Since not everybody is able to choose their environment and switch over to a secure operating system that allows safe opening of malware-infected documents, you have to look for a workaround.

I have tested a method using free and open source tools which can be set-up by any IT savvy person within an hour or so.

The basic idea is to use a VirtualBox container (VM) with a minimal GNU/Linux operating system. In this VM, a hardened web browser is accessing the Outlook on the web, previously known as Outlook Web Access (OWA). For opening attachments, a hardened PDF viewer and Office package is used.

The user gets a shortcut link to the VM on his/her desktop. After starting the link, a new window appears, the user logs into the web-based Outlook using his/her credentials (not using the insecure password storage of the browser). Any email can be opened and read. Attachments can be opened in the hardened applications. To be on the safe side, you can even configure the VM that way that nothing gets persisted on its virtual hard disk. This way, the VM always starts in the same status and no malware is able to persist itself in the system.

Here is a brief list of tasks I did which you can follow:

• Install VirtualBox on your Windows machine
• Download a Debian ISO
• Install the Debian on a new VM
  • Sufficient are 5GB of maximum virtual hard disk space and 1.5GB of RAM
  • Network is accessed via NAT (default)
  • I chose xfce as desktop environment
    • It is small, fast, easy to adapt/simplify
  • Setup the root account
  • Setup a user account
  • Install latest updates
  • Create a cronjob which updates the VM automatically via apt update && apt upgrade each noon on Monday to Friday
• Install following Debian packages:
  • sudo apt install xfce4-whiskermenu-plugin firejail firefox libreoffice okular

• Switch from the default xfce menu to the xfce4-whiskermenu-plugin
• Remove the default menu so that the whisker menu is the only menu left
• Remove all favorite links in the whisker menu so that only the web browser and the file manager are left
• Remove the second xfce panel on the bottom
• Change the height of the panel to a smaller one in order to maximize screen estate for the browser. I won't hide it because it might irritate users.
• Remove the desktop switcher from the panel
• Move the panel to the bottom to make it as convenient as possible for Windows users:
  1. panel preferences: unlock
  2. close preferences
  3. move panel using the handle of the outer left hand side
  4. panel preferences: lock panel
• Enable auto-login for the user you have created
• Put firefox in the auto-start of xfce

• Firejail is a sandbox tool that lets you limit resources for programs
• Follow the installation procedure
• We are going to use it to limit resources of the Firefox browser and disable network for PDF viewer (Okular) and office tools (LibreOffice)
• Copy the default firejail configs for Okular and LibreOffice from /etc/firejail to ~user/.firejail/ and add network no at the end

• Configure firefox to use Okular for PDF files and LibreOffice for office files without asking the user again
• Set the OWA URL as the start page

• Install the Office 2013 icon set to smoothen the look and feel for MS Office users

• Create a snapshot with a decent description so that you can switch back to the starting status

• Add a link to the VM on desktop

  • Context menu of the VM in the VirtualBox Manager

When the windows user starts the link on his/her desktop, the VM opens up with the OWA log-in screen. After logging in, emails can be read and attachments are opened in an offline sandbox.

You now have to instruct the user how to switch back the mouse to Windows (using the right Ctrl key) and to properly shut down the VM.

Enjoy.

To be clear about it: this method is no silver bullet. Yes, you may infect your (GNU/Linux) environment but it is much harder to do. If you transfer malicious files from this VM to your Windows machine or still open (or preview) malicious emails in Outlook, you can get hacked.

For many threats, this VM encapsulation with offline PDF reader and office tools offers a viable method to stay sane.