Strange “feature” in mail

TL; DR If in the mailbox you see the attachment for the letter in the browser, then to create a preview, a copy of the document “flies” to Microsoft IP in Redmond.

Of course, I would like the header to be clicked better, a la “ forwards all your letters to the USA!” or “Microsoft knows the contents of all attachments in your inbox!”. But let’s get to the facts and specifics. I would also like to thank O.Yu. Antsiferova (ex-Dr.PornCop from the “tube” Hacker), who was the first to pay attention to the “interesting” behavior of mail.

How did it all start?

It all started with testing our DLP system. Working out various scenarios for intercepting “clouds”, I noticed a suspicious data movement. We reproduced this situation on a regular box. Screenshot results.


Pay attention to lines 26-23. There are calls to some “other” IP. Whose will you be?


Clear. And “SkyDrive” in the “From” column hinted. And at first glance it seems that this employee himself is sending something abroad. But in the arsenal of KIB there is another module – MonitorController, which is responsible for capturing images from the monitor. The module can also be configured for continuous video recording (which we did before playing the “feature”). Next is a technical matter.

Firstly, we compared the time taken by the user and the intercepted data on the Cloud channel. The video clearly showed: a person opens the letter and clicks on the attached Word document. After that, the preview opens. In this case, the page address does not “jump”. As it was … …, it remains.

Secondly, you need to make sure that it is not some kind of “telemetry” that is being sent, but the very same document. Let’s take a look at what is passed there for xml.


“KIB” parsed the contents and for us it was obvious – this is a document from the attachment. You yourself can repeat the experiment. An appeal to IP can be seen on some proxy. With interception and picking, xml can be tricky, but feasible.

What is the problem?

In my opinion, the problem is that “But the men don’t know!”. Many government agencies, universities and other organizations have official mailboxes. And they use them as workers, sending interesting and not very information. At the same time, as you see, they can inadvertently send a copy to the States.

This post I want to warn them about the trick. Indeed, innocent employees may suffer, whom zealous, but not very meticulous security guards will hasten to blame for data dumping.

What about

Never mind. Everything is in order with them. You can look at the user agreement, in which the situation is written in a “clear and understandable” language:

4.5. Separate Company Services provide Users with the opportunity to post Materials that will be publicly available for all Internet users or for all users of a particular Company Service. Using such Services, the User understands and agrees that by uploading Materials to the Service, the User provides access to these persons by default.

4.7. The user, using the functionality of the Mail.Ru Services, agrees that some information may be transferred to Mail.Ru partners solely to ensure that Mail.Ru Company provides the appropriate Service to the User, as well as to provide the User with the right to use additional functional (software) capabilities of the corresponding Service provided jointly with these partners, and exclusively to the extent necessary for the proper provision of such Services and / or functionality, as well as in other cases in order to fulfill the terms of this Agreement.

So formally they do not violate anything.

The funny thing is that they could make a normal implementation and not drive the data back and forth. For example, if you upload the same document to their cloud on, then the preview is generated by some other service and the document does not fly abroad. In the end, it was possible to deploy this generator of previews in some domestic data center. Why not? I do not know. Maybe one of you will tell the answer in the comments.

P.S. @,, were not checked, but it seems to me that there too the “feature” is reproduced.

Similar Posts

Leave a Reply