foo.txt
invite.ics
{{.TrackingURL}}
variable to an Office document as a "linked image". When the document is opened Word/Excel/PowerPoint will try load the image, thereby reaching out to the gophish server and marking the document as opened (ensure the Tracking URL is not included in the Email, as at this stage there is only one endpoint to indicated 'Opened'). The following steps can be used to achieve this:Insert
tab and then click Quick Parts
and then Field
IncludePicture
. In the Filename or URL input box enter {{.TrackingURL}}
and tick the Data not stored with document
box on the right (alternatively, in the Word Document press Alt+F9 to toggle Field Codes and paste in INCLUDEPICTURE "{{.TrackingURL}}" \d
):{{.FirstName}}
) in the body of the Word document you will need to disable grammar and spelling checking (otherwise Word inserts proofErrors in the middle of the variable names). Select File > Options > Proofing and deselect Check spelling as you type
and Mark grammar errors as you type
.{{.TrackerURL}}
) or hits a gophish endpoint (e.g. {{.URL}}
). Focusing on the latter option, we would want the macro code to reach out to, for example, https://myphishingserver.com/?rid=aBC12345. There are many different ways to handle this, but simply inserting some gophish variables into the macro code doesn't work, as it's non-trivial to programatically edit macro code (it's packaged up in a binary format). The solution we came up with was to insert a text box in the document with the variables, and reference that text box from the macro code. The steps involved are:{{.URL}}
urlbox
" by selecting the textbox and following the instructions below:{{.URL}}
will be opened. This allows the user to be presented with a page informing them that they have fallen victim to a phishing campaign.Application.Documents.CanCheckOut (URL)
method, but this is a HEAD request which requires some modification of the gophish Link Clicked code)