Secure way of sending an email attachment in a user-friendly manner

In the last months I very often was in a position where I needed to send an email attachment with sensitive content to someone whom I didn’t know well personally (so that I could talk to them about how to set up encryption), but about whom I knew that they had little IT background and barely knew how to operate a mail client. I’m not an expert myself, but I do know there is such a thing called PGP and with some time & pain I can get it to work.

(Imagine the receiver to be a non-tech person from a big company who has little to no time to deal with encryption and me being a non-IT engineer, who is technically minded, but does not have deeper IT/infosec knowledge and wants to protect his privacy as much as is possible.)

Because it is not clear to me that the email that I send will be sent via TLS between servers (and it is also not clear to me why I should trust those intermediate servers), it seems a very bad idea to send a pdf with sensitive content as a standard mail attachment.
Out of desperation I have resorted to uploading the pdf on a file sharing platform (which we shall assume to be trusted, so that my data is safe there). Then I send the download link to that file via (unencrypted) mail. The link has an expiration date and is password-protected and I’m sending the password along with the link; this may seem stupid at first glance, but please read along.

In this way the receiver of the email can still easily access the file without further IT knowledge on his side, but my privacy is slightly enhanced: While I know that if someone would be after me and is intercepting my mail, it would still be very easy for him to get his hands on my pdf, if he is fast enough to download it before the link expires (which is usually a few days). But my threat model is not about protecting against that type of attack, but rather about protecting myself against automatic data collection & hoarding (think, e.g., government authorities snooping on subway cables).
I would assume, since getting the pdf involves some human action, such as filling in a password, that even if my data is collected, it will take too long until a human looks at it and by that time the link will have expired.

My question is:

  • Is this a good solution for my very moderate threat model described above? My file sharing platform doesn’t use Captchas when one introduces a password to download a file. I assume that, if they would, that I would be 100% secure against such automated data collection, since even if such software would also automatically extract the password from the mail (which I doubt would happen, because if you hoard millions of mails that have passwords in them, you would need a very large amount of computational power to run automated NLP algorithms on them, to get the correct string that is the password, perhaps more than is available), it could not go past a Captcha?

  • Do you know any other way to securely send the email attachment (including any improvements to my solution above), so that the receiver can still download it with minimal IT knowledge and time investment?

(Note that there was another question here regarding sending of links in mails, but my use case is different and more specific.)

How is it possible that a gallery doesn’t have attachment ids?

I have a function that looks at the attachment IDs from a normal gallery (let’s ignore Gutenberg galleries for now, they have a different structure altogether):

\get_post_gallery( 0, False ); this should give me an array that has the key ids containing all attachment IDs.

Now, if we are to import the following .xml file, the theme unit test data, we see that 2 posts are created, namely “Post Format: Gallery” and “Post Format: Gallery (Tiled)”, now, visually, they look the same in terms of what you think they’d do:

First gallery.

Second gallery

However, “Post Format: Gallery (Tiled)” is a Jetpack gallery (taken from the post’s code):

and “Post Format: Gallery” is a normal gallery:

I rely on the ids key being there for my function to work. What option am I missing here? It seems there is a way to create a gallery without having IDs provided.

As a side note, whenever I create a non-Gutenberg gallery, it actually works, the output I’m given for get_post_gallery is:

array(4) { ["link"]=> string(4) "none" ["size"]=> string(6) "medium" ["ids"]=> string(8) "33,32,31" ["src"]=> array(3) { [0]=> string(68) "http://127.0.0.1/wordpress/wp-content/uploads/2020/04/5--300x200.jpg" [1]=> string(68) "http://127.0.0.1/wordpress/wp-content/uploads/2020/04/7--300x200.jpg" [2]=> string(68) "http://127.0.0.1/wordpress/wp-content/uploads/2020/04/6--300x200.jpg" } }

There are ids. Am I dealing with a malformed xml file here?

Phishing attempt?? – EML attachment from a “trusted source” might be urgent and important, or malware / phishing

I don’t usually feel competent enough to ask decent questions, let alone answer one here. But, this is rather urgent, so please be patient with me:

I CANNOT tell if the “secure encrypted message” I got in an email from a “state agency” was genuine or malware! I was somewhat (reluctantly) expecting an email from that department and their email signature appeared genuine. Unfortunately, they may or may not have attached that file, which purportedly contained the message body as an *.EML “secure attachment message”.

I couldn’t open the secure message attachment, which was the first clue of something amiss. (I also do NOT want to call them, and then have them read me the message, which would trigger a conversation I’m not prepared for, without first knowing what the message was about.)

I started working hard to open the attachment. As I failed and researched more, my findings appeared more and more ominous. I will keep this question UPDATED with any missing details.
SUMMARY:

  • Received seemingly valid email from a known state agency, known person, known division I do business with.
  • Plain text message body:
    “Please find the attached.” [?? Odd wording –> “‘FIND‘ the attached” ??]
  • The [real] message was attached, encrypted, and only viewable by the email recipient that it was addressed to. The attachment then had to be opened by the email client, (Gmail-web). I’ve done this before once or twice, so it is a pain, but not unheard of.
  • Email ATTACHMENT was then “viewed in a NEW WINDOW” in Chrome and Vivaldi with similar if not the same results: https://mail.google.com/mail/u/0/?????????????..[etc.]/: WHICH SAID:

[ERROR MESSAGE FROM GOOGLE MAIL:]
“You are viewing an attached message. COMPANY Mail can’t verify the authenticity of attached messages. Your document has been completed”

“VIEW COMPLETED DOCUMENTS:”
[LINK GOES TO: https://www.notion.so/(KNOWN_AGENCY_-_GUID)/]

“Ms. [known person]”
“[Known State Agency]”

  • After clicking on the link from the popup shown above, it opened a new TAB in my email browser’s page at this URI: https://www.notion.so/(KNOWN_AGENCY_-_GUID)/ which said the following:

“[KNOWN STATE AGENCY]”
“This PDF is password protected ,”   “[KNOWN PERSON] sent you an important vital file to review.”

“REVIEW FILE HERE:”
[LINK GOES TO: https://fafanfan.tk/000/nsw/data/UntitledNotebook1.html ] 

“Please take a look and let me know if these are ready to print.”
[ HUH?? Why let you know?? And, why print, instead of view?? ] 
“Kindly open with your professional email.”
[ HUH?? “Kindly”, “Professional email”?? Who talks like this?? ]
“Login with your email and password to view file.”

  • So, then I clicked on the email link and TRIED to log into my company GMAIL account.
  • It appeared to log into my account successfully, but then said I had to verify my account and to provide [either the] recovery phone or recovery email address
  • I provided a valid phone #, which failed with an error.
  • Then I tried my valid recovery email address, which also failed with an error.
  • I tried both Vivaldi and Chrome, and all failed each time. (I assumed that it opened a window without cookies, so the login to Google was from a new, unknown page.)

At this point, I started Googling the URI’s and other things —

  • Hmmm strange domains [TLD].TK ?? Searched the URI = NO hits.
  • Searched [TLD].TK — not good — It said 95% of the .TK traffic is malware / spam.
  • Searched the other URI shown above = NO hits. NOT cool.
  • I changed all my email PW’s. I checked for odd logins, but saw nothing odd. (If I provided my credentials to the bad guys, they are a bit slow today. So maybe I dodged a bullet.)
  • I Checked/scanned the downloaded file with Windows Defender — no detection
  • I submitted the file to Virus Total — no detection by anyone.
  • I also submitted the two URI’s shown above, and came up with only one hit from an unknown security company, who likely flagged the *.TK as possibly a “bad URI”.

At this point, I’m not at all sure what to do… I do NOT want to call them and start a conversation that might later deny “plausible deniability that I received this notice”. OTOH, I can’t ignore it too long, either.

RANT: I hate all these “protections”, that invite malware to be easily inserted. Then, you are relying on ordinary users to figure out if the attachments are safe?? Few users are smart enough, and I know that I’m not. (Although I’m not a total security idiot, as I’m more cautious and knowledgeable than most anyone I know.)
If Adobe wants to provide tools like this, fine. Then please make it much easier and obviously safe for both senders and [very novice] readers. For instance, use Adobe.com URI’s and never TLD’s that are also used for malware. If providing security tools, please don’t rely on these agencies’ IT staff to try to train and equip their users to properly use these tools with the public, most of whom have never opened a “secure attachment”, let alone know how to open them (OR NOT), safely.
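A triage check for the kind of message described in the question above, as an added example that is not part of the original post: it walks a mail including any attached .eml and lists links whose host is outside the sender's own domain. The sample mail is constructed; `agency.example`, the notion.so path and the function names are placeholders chosen for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>\]]+", re.I)


def build_sample() -> bytes:
    """Constructed sample: a short cover mail carrying the 'real' message as .eml."""
    inner = EmailMessage()
    inner["From"] = "Known Person <person@agency.example>"
    inner["Subject"] = "Your document has been completed"
    inner.set_content(
        '<p>VIEW COMPLETED DOCUMENTS:</p>\n'
        '<a href="https://www.notion.so/KNOWN_AGENCY-GUID">Open</a>\n'
        '<a href="https://portal.agency.example/help">Help</a>\n',
        subtype="html",
    )
    outer = EmailMessage()
    outer["From"] = "Known Person <person@agency.example>"
    outer["To"] = "recipient@company.example"
    outer["Subject"] = "Secure message"
    outer.set_content("Please find the attached.")
    outer.add_attachment(inner, filename="message.eml")
    return outer.as_bytes()


def links_outside_sender_domain(raw: bytes):
    """Sorted (host, url) pairs whose host is neither the From: domain nor a subdomain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    trusted = msg["From"].addresses[0].domain.lower()
    flagged = set()
    # walk() also descends into message/rfc822 parts, i.e. attached .eml files
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            host = (urlsplit(url).hostname or "").lower()
            if host != trusted and not host.endswith("." + trusted):
                flagged.add((host, url))
    return sorted(flagged)


if __name__ == "__main__":
    for host, url in links_outside_sender_domain(build_sample()):
        print(f"link leaves sender domain: {host}  {url}")
```

The second hop in the post (the .tk page) only appears after the first link is followed, so a check like this sees only the first off-domain host.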

SharePoint 2010 Approval Work Flow Form – Link to Attachment

I have created a custom approval workflow that works as expected. However I am trying to add a link on the approval form to any attachments that were assigned during the creation of the list item.

The steps that I have taken so far:

  • Added a workflow variable
  • Set the workflow variable to the value of the current item attachments
  • Added a Task Form Field of type string
  • Set the Task Form Field value to the Value of the Work Flow variable in the Before Task is Assigned Step

There are no errors within the workflow, but when the workflow is initiated (automatic or manual), no task notifications are sent. If I removed the Set Task Form Field value, the workflow will start sending notifications again. I’m assuming it has something to do with how I am trying to build the link to the attachment within the form.

How can I get the Description textarea field to use the Visual Editor for Attachment Posts

I saw this post involving tags. But I can’t figure out which

    /**
     * Display advanced TinyMCE editor in taxonomy page
     */
    function wpse_7156_enqueue_category() {
        global $pagenow, $current_screen;

        if ( $pagenow == 'edit-tags.php' ) {
            require_once( ABSPATH . 'wp-admin/includes/post.php' );
            require_once( ABSPATH . 'wp-admin/includes/template.php' );

            wp_tiny_mce( false, array( 'editor_selector' => 'description', 'elements' => 'description', 'mode' => 'exact' ) );
        }
    }
    add_action( 'init', 'wpse_7156_enqueue_category' );

This seems to have been rendered redundant in newer versions of WordPress. But I wonder if it could be used for attachments? I just need to know the include for that attachment editing page?

read content of list item attachment in SPD workflow and convert to base64 string

I need to write a workflow that reads the content of attachment of a list item, convert it to base64 encoded string and then invoke a custom REST service.

I know I can access /_api/web/lists/getbytitle('MyList')/items(" + id + ")/AttachmentFiles and get the server relative URL of the attachment from result.

But I’m not sure how to get the contents of that file and convert it to base64 string.

Update:

I’ve found the following REST API that allows me to read the content of the attachment:

/_api/web/getfilebyserverrelativeurl('server relative URL of attachment from earlier call')/$value

Now the question remains: how to get this content in base64 format?

Create an item attachment from a template based on multiple items

To further explain the question better I’ll explain what I want to accomplish. So we have a person that requests parts through SharePoint by adding a new item with all the details and an automatic request form is attached to this item using Flows. Then another person takes this item and orders the said parts. Now the problem is a lot of times multiple parts need to be requested under the same order and the final request form has to have all of the parts in it instead of having a single sheet generated for each part. My question is, is there a way to create multiple items and have Flows combine and generate a single attachment for all of the created items? Or have sub items for a single request?