Hello Experts,
I'm looking for a tool or process to send various "pretend" malicious emails and see if they are successfully delivered to the user's mailbox. The goal is to test various "avenues" rather than just phishing. Can you please recommend anything?
I read CheckMe—Instant Security Check sk115236, and it contains a few CheckMe tools, but there is nothing specific for mail. I want something instant (rather than a 14-day HEC trial), not requiring integration with the tenant via API, etc.
Regards,
Serg
Example test scenarios I would like to see tested:
- Spoofed envelope sender – Spoofing - Email spoofing is the creation of email messages with a forged sender address. Hackers use this technique to launch a phishing attack on as many employees as possible.
- HTML analysis – Content - This email tests the ability of your Email Security Solution to detect threats in the message content. Some HTML tags are considered to be potentially dangerous to the extent that they can install malware.
- Executable file – Attachment - Most email providers don’t allow you to send executable or “.exe” files. Most executable files are legitimate. However, some executable files are malicious and used to spread malware. Attached you’ll find a widely well-known executable file, absolutely harmless, named putty.exe.
- Virus attachment – Content - This is a well-known code, known by all antivirus products as EICAR, which is used for the purpose of testing that the antivirus is functional and reacting to signature-based viruses.
- Outlook Conditional Comment – Content - This email tests the ability of your email security solution to detect threats in the message content. Microsoft Outlook for Windows uses HTML comments as the conditional rendering engine. That means an attacker could exploit this feature by storing, for example, bad links in comments that are usually ignored by other email clients, targeting Microsoft Windows clients.
- Malware URI – Link - This email tests the ability of your Email Security Gateway to detect hidden malware URIs in real time, so that 0-day and 0-hour threats can be blocked as soon as they are detected.
- Zero Width Spaces link – Link - The zero width space (ZWSP) is a Unicode character. It’s white space but renders with zero width. So you don’t see it. This email tests the ability of your Email Security Gateway to detect zero width spaces (ZWSPs) used in links to bypass security features.
- Base HTML Tag link – Link - This email tests the ability of your Email Security Gateway to detect a vulnerability known as baseStriker that allows miscreants to send malicious emails that bypass security systems.
- HTML JS Redirect Attachment – Attachment - Recently in the wild .HTML file attachments have been used to deliver malcode (usually via embedded JavaScript) to endpoints. That’s why your Email Security Gateway should look at this trick and protect you by removing or disarming the .HTML attachment.
- RFC-Abused HTML Attachment – Attachment - A Request for Comments (RFC) is a formal document from the Internet Engineering Task Force (IETF) that is considered an Internet standard. If your email script’s coding is not RFC compliant, a mail server should reject the email.
- Active PDF – Attachment - Adobe PDF Reader (and possibly other readers) contains a JavaScript engine similar to the ones used by web browsers. This means that PDF documents are not purely static, and for example some actions may be used to fool a user (popups) or to send emails and HTTP requests automatically. Furthermore, experience shows that many recent vulnerabilities have been exploited using JavaScript in PDF.
- PDF with malicious text link – Attachment - PDF files can contain text, images and links. Or what we call a text link, that is normal text pointing to a website. Adobe Reader (and possibly other readers), with the goal of making life easier for users, automatically detects such text links, making them active so you can just click on the link.
- PDF with malicious link – Attachment - Spammers increasingly use a PDF’s ability to embed hyperlinks into documents so that recipients of malicious PDFs open malicious Web sites.
- ZIP Archive with JS – Attachment - Cybercriminals will employ new and even older techniques to compromise users and enterprises for profit. JavaScript malware in malspam campaigns is not new, but remains dangerous for users because it may no longer require executables nor further interactions with the user to be launched.
- Email with malicious QR Code – Phishing - QR code phishing or quishing is a type of phishing attack that uses QR codes to lure victims into revealing sensitive information. This email embeds a QR Code that should be blocked by your Email Security solution.
- Business Email Compromise – Spoofing - Business Email Compromise (or Whaling) fraud is a phishing attack where the sender impersonates an executive (often the CEO), and they attempt to trick the victim into transferring funds or sensitive information.
- MS Excel Document with formula macro function – Attachment - Macro-formulas allow writing code by entering statements directly into cells, just like normal formulas. The macro-formulas that allow executing malicious code are named EXEC, RUN and CALL. Also indirect formula generation is possible through the FORMULA.FILL statement, which creates a formula by gathering data from lots of different cells and making some transformations.
- Malware URI after PGP signature – Link - This email tests the ability of your Email Security Gateway to detect hidden malware URIs written after PGP message signature.
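
Three of the link scenarios listed above (zero width spaces, the base HTML tag, Outlook conditional comments) depend on the gateway parsing the HTML body the way a mail client would. As an added illustration that is not part of the original post and not Check Point code, this Python check flags all three in a constructed sample message; the `example.invalid` hosts and the finding names are assumptions made up for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Zero-width code points that render as nothing but break naive URL matching.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Body of an Outlook conditional comment: [if mso]> ... <![endif]
COND_COMMENT = re.compile(r"^\[if [^\]]*\]>(.*)<!\[endif\]$", re.S | re.I)

SAMPLE = (  # constructed test message; hosts are placeholders
    "From: test@example.invalid\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><head><base href="http://example.invalid/"></head><body>\n'
    '<a href="landing.html">relative</a>\n'
    '<a href="http://exa&#8203;mple.invalid/login">zwsp</a>\n'
    '<!--[if mso]><a href="http://example.invalid/o">x</a><![endif]-->\n'
)

class LinkAudit(HTMLParser):
    """Collects (finding, detail) pairs for three link-hiding tricks."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self.base_href = [], None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""  # entities are already decoded
        if tag == "base" and href:
            self.base_href = href
            self.findings.append(("base-tag", href))
        elif tag == "a" and href:
            if ZERO_WIDTH & set(href):
                shown = href.encode("unicode_escape").decode()
                self.findings.append(("zwsp-link", shown))
            if self.base_href and "://" not in href:
                self.findings.append(("relative-link-under-base", href))

    def handle_comment(self, data):
        m = COND_COMMENT.match(data.strip())
        if m and re.search(r"href\s*=", m.group(1), re.I):
            self.findings.append(("outlook-conditional-link", m.group(1)))

def audit_message(raw):
    """Return findings for every text/html part of an RFC 5322 message."""
    parser = LinkAudit()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)  # undoes base64 / QP
            charset = part.get_content_charset() or "utf-8"
            parser.feed(body.decode(charset, "replace"))
    return parser.findings
```

The zero width space in the sample is written as the entity `&#8203;`, so a regex over the raw body would not see it; the check only catches it because the parser decodes attribute values first.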