Attachment Tracking

Any template variables placed inside these documents will be converted to the appropriate values when a campaign is launched. Adding tracking images to Office documents can allow notification that a document has been opened or that macros have been enabled.

If you just want to get up and running, using the above templates is probably for you. Keep reading below if you’re interested how these examples were created (specifically the Office documents which are more involved).

Below is a .txt file with several variables:

As can be seen this is not immediately useful, but perhaps there are some scenarios where templating a plain text file is useful. Below is a portion of of an .ics calendar invitation file:

invite.ics

Office Document Examples

We can add the {{.TrackingURL}} variable to an Office document as a “linked image”. When the document is opened Word/Excel/PowerPoint will try load the image, thereby reaching out to the gophish server and marking the document as opened (ensure the Tracking URL is not included in the Email, as at this stage there is only one endpoint to indicated ‘Opened’). The following steps can be used to achieve this:

Create a new Document
Select the Insert tab and then click Quick Parts and then Field

Scroll down on the left and select . In the Filename or URL input box enter {{.TrackingURL}} and tick the Data not stored with document box on the right (alternatively, in the Word Document press Alt+F9 to toggle Field Codes and paste in INCLUDEPICTURE "{{.TrackingURL}}" \d):

The image below depicts the template Word file on the left, and the result after passing through gophish as a campaign attachment and being opened by a target user on the right.

Tracking Office document Macro execution

To track if macros have been enabled by a user we need macro code that reaches out to a gophish Template Variable (e.g. {{.TrackerURL}}) or hits a gophish endpoint (e.g. {{.URL}}). Focusing on the latter option, we would want the macro code to reach out to, for example, https://myphishingserver.com/?rid=aBC12345. There are many different ways to handle this, but simply inserting some gophish variables into the macro code doesn’t work, as it’s non-trivial to programatically edit macro code (it’s packaged up in a binary format). The solution we came up with was to insert a text box in the document with the variables, and reference that text box from the macro code. The steps involved are:

Create a new Document
Create a textbox with contents {{.URL}}
Windows: Home > Editing > Select > Selection Pane

Mac: Shape Format > Arrange > Selection Pane

or for Excel:

Save and Exit

When the document is opened the user will be prompted to enable macros. If they do, the {{.URL}} will be opened. This allows the user to be presented with a page informing them that they have fallen victim to a phishing campaign.

(Note: In the future it’d be neater to use the method, but this is a HEAD request which requires some modification of the gophish Link Clicked code)