Otdfbt

If I receive an email that has an attachment called something like safe-link.html would it ever be safe to open this file?

Clearly, HTML files may have malicious scripts embedded that could run when opened with a browser. However, I'm wondering if any breaches could occur upon downloading the file and then opening it in Notepad / other basic text editor rather than a web browser?

Background

I'm only asking because the company I work for like to send out 'test' phishing emails from time to time, and the latest had an HTML attachment. I suspected the email immediately (so didn't click to open the attachment in a browser), but I was intrigued to see if it actually was another test!

So I opened the file with Notepad and saw the first few lines "If this wasn't just a test, your computer would be compromised!". After informing colleagues that it was another test, they were extremely concerned that I had interacted with the file at all.

I'm reasonably confident that any malicious script would have to be opened in a web browser for it to have any effect.

Are my colleagues being too cautious, or was I being overzealous?

I'm an advocate of "better safe than sorry", so I don't think they were wrong not to open it; I just also don't believe it was completely unsafe to open with something like Notepad. I am very intrigued to find out!

"Gotchas" I'm aware of:

I believe editing it in a more complex website development tool (that actually renders the page in a preview) could be dangerous.

Also, I'm aware that simply double clicking the file (even if the default "open with" is set to be a text editor) could be dangerous. This is because something like readme.txt could actually be readme.txt.exe with file extensions hidden in something like Windows File Explorer.

Editors, and common libraries used by editors, may have vulnerabilities like buffer overflows. Your attacker would need to know (or guess) what editor you use and craft an exploit specifically for that editor (different editors are unlikely to have the same vulnerabilities unless the vulnerability resides in a library they have in common). An attack may be aimed at a popular editor and send out to as many people as possible, essentially turning it into a "spray-n-pray" attack.

Attack Surface

A very simple editor like Microsoft's Notepad has a smaller attack surface than a more advanced editor (like Visual Studio Code). More code generally means more potential vulnerabilities.

Mitigations

Certain mitigation techniques like Address Space Layout Randomization (ASLR), Data Execution Prevention and having an anti-virus with an "exploit blocker" (these are generally capable of recognizing basic overflow attacks, among others) may help to render certain attacks useless.

Software Updates

All of these techniques are of course no substitute to keeping your software (ALL your software I might add) up-to-date. Keeping your software updated is the best security strategy one can have. This is sometimes overlooked or trivialized due to its lack of feedback. An anti-virus yelling at you that "You are protected!" sends out a much stronger signal than a software update that silently patches vulnerabilities in the background. I tend to compare an anti-virus program with a person sticking their fingers in the holes of a dike to prevent the water coming through. It does its best to keep the flood out but chances are it's not going to have enough fingers to fill all the holes (or miss a few altogether). Software patches fixes those holes.

Bottom Line

You can never be sure you aren't going to have a bad day by opening any type of file in any type of program. However, some programs (like editors) are much harder to attack due to their small footprint or secure design and therefore are less likely to be targeted for mass attacks (especially because an attacker is likely to assume their evil .html file is going to be opened in a browser, not in an editor).

Oh, these answers are way too sophisticated for your situation. It's highly unlikely that your IT department would be using some fancy workaround assuming they know what editor you're using, their point is not to actually mess up your systems. Notepad isn't going to be doing anything with any image or attachment, no matter what, and the text you saw certainly didn't do anything reprehensible to your system. Nor would it have been likely to, even if it had been a real attack, as editors are very personal tools and there are lots and lots of them that'd have to be covered for anything like this to have any sort of detectable effect.

Tell your coworkers to get off your back, and to be more careful themselves. Let me just point out that you dug yourself into this hole though, and achieved the opposite of what was intended... If you hadn't announced that you looked and what you saw, people who clearly don't know a thing about IT security wouldn't be harassing you and feeling superior about it. Instead, some of them would have opened the attachment and seen the message, and gotten a bit chastened themselves. So you've messed up IT's test all the way down the line, emphasizing the Dunner-Kruger effect which is no doubt the cause of sending out these tests. Stop it!

In general it's not safe because if you get a suspicious or unexpected email, whatever the attachment is, it shouldn't be opened. That's the safest thing to do. Especially if you are on Windows, which is notorious for executing stuff when it should not, and which is the most targeted OS by attackers, running the most targeted applications.

But if you want to open it anyway, maybe because you are an INFOSEC enthusiast or you think you are (or want to be) smarter than the average user, here's some advice:

• Consider reading the source code of the email, instead of opening it. You might be able to do so directly from the webmail interface, or by reading the text files on your server, etc.


• Consider downloading the attachment from the source, by copying and pasting its base64 representation. This will just be simple ASCII text. You can then convert it back to binary with some tools.


• Consider renaming the file, saving it as potentially-malicious.txt instead of .html or whatever name and extension it has.


• Consider opening the txt file with very basic text editors, or even hex-editors, or even with very simple basic tools available on the command line that will only display ASCII characters. An example could be cat file.txt | less on Linux. (Note: why cat before less? Because I noticed that less parses and converts some stuff by default sometimes, like converting PDFs to TXTs. So just be careful, better check what the commands do by default on your system anyway).


• Consider opening the file in virtual machine, which should be up-to-date and also disconnected from the network.


• Consider doing most of this at home and never tell your boss or your colleagues about it. They might see it as dangerous behavior, a violation of the security policy, or something that might cause you trouble anyway.

Its situations like this, where risk for particular objects is an unknown quantity, that a strongly compartmentalized OS like Qubes excels. Qubes uses a hardened bare-metal hypervisor to keep risky stuff isolated from sensitive areas (like personal files and the core OS). It even isolates risky devices. This isolation is expressed and controlled through the GUI in a fairly user-friendly fashion:

In the above example, right-clicking on an html file in KDE Dolphin lets you choose options like "Edit In DisposableVM" and "View In DisposableVM". Clicking on either one of these will automatically instantiate a disposable virtual machine (dispvm), then send the file to the dispvm and load it in the associated app. This takes only seconds. When you're done with the editing app, the edited version will be returned to the calling VM and the dispvm will be instantly destroyed. Note, however, this process by itself does not make an untrusted file into a trusted file.

For certain file types (currently images and pdfs) there is also a menu option for converting a file to a trusted state... i.e. a dispvm is used to process an untrusted pdf and construct a sanitized version that is loaded back and can be used without risk to your regular VMs where you normally work. This is possible because the originating sanitizing tool accepts only the most predictable representation of the requested data back from the dispvm, such as uncompressed bitmaps of exactly an expected number of pixels and bytes; once the raw sanitized version is received back, it is then re-compressed into the expected format.

Its worth noting that you could emulate the type of security described above using more familiar tools like VirtualBox and VMware, but the degree and quality of the isolation is unlikely to match the levels attained by a dedicated system like Qubes.

Okay, so, technically, you're never 100% safe. Yes, there could be attempted attacks on your text editor/ASCII viewer. Yes, someone could have somehow magically snuck a DLL into your temporary directory in order to mess with MS Notepad delay loading.

But in practice, when you receive an HTML file in a phishing email, it's going to contain some malicious JavaScript or more likely redirect you to a website online that tries to persuade you to hand over your credit card details / logins.

So, in practice, examining such a file in Notepad++ is a perfectly reasonable way to see what's been sent to you. The reaction of your colleagues seems unfair, unless you are working in a nuclear silo … and if your job is really that mission/safety critical, why are there emails at all? Why would there be internet access? And, if there isn't, why would you need phishing audits/tests/honeypots? Someone somewhere is being overly paranoid.

We can try to reduce our risk to zero but the only way to achieve that is to not use a computer.

All that being said, though, you will always have to deal with silly people so perhaps keep this activity to yourself next time. ;)