XENOS: The Social Media Email Cloner

GitHub link: https://github.com/Spar0w/Xenos

1 What is Xenos?

Xenos is a proof-of-concept Python script that can replace the links, images, and names in an HTML file. Its purpose is to exploit email invitations by copying them directly and changing them for the user's purpose. As of right now, it is tested and working on a typical LinkedIn connection email, though it could theoretically work on any (slightly modified) email.

2 Ethics

The idea for this came one day when I glanced over at my email and questioned the legitimacy of this connection I was given. "What are the chances that this is fake?" It was from LinkedIn, but it got me thinking: "How easy is it to clone this?" Not hard at all, it turns out. I opened up Inspect Element in my browser and copied the HTML of the email. I then wrote this script to make it into a theoretical spear-phishing email. If this were to be used maliciously, we would have some real problems. People click on unformatted emails; all they need for extra convincing is their name, face, and the LinkedIn logo. This is an issue that should be solved by email providers as well as social media sites, as a tool like this could wreak havoc on any user it touches.
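
One check a mail provider or gateway could run against a cloned invitation of the kind described above, as an added example that is not part of the original page or of Xenos: list every link and image URL in the HTML body whose host is not under the domains the genuine sender uses. The allowlist, the function names, and the sample body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the genuine sender links to (illustrative allowlist).
EXPECTED_DOMAINS = {"linkedin.com", "licdn.com"}

class _UrlCollector(HTMLParser):
    """Collect (tag, url) for every link target and image source."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "img": "src"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append((tag, value.strip()))

def _host_allowed(host, allowed):
    # Exact match or true subdomain only, so "linkedin.com.example.net"
    # and "notlinkedin.com" do not pass as "linkedin.com".
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def off_domain_urls(html, allowed=EXPECTED_DOMAINS):
    """Return (tag, url) pairs whose host is outside the allowed domains."""
    collector = _UrlCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for tag, url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme in ("mailto", "cid"):  # no web host to compare
            continue
        if not _host_allowed(parts.hostname or "", allowed):
            flagged.append((tag, url))
    return flagged

# Constructed sample: an invitation body where two URLs were swapped.
SAMPLE = """
<a href="https://www.linkedin.com/comm/mynetwork/">View invitation</a>
<img src="https://media.licdn.com/logo.png" alt="logo">
<a href="https://linkedin.com.example.net/accept">Accept</a>
<img src="https://img.example.org/face.jpg" alt="profile photo">
"""

if __name__ == "__main__":
    for tag, url in off_domain_urls(SAMPLE):
        print(f"off-domain <{tag}>: {url}")
```

A link-host check like this complements sender authentication (SPF, DKIM, DMARC) rather than replacing it, since a body with only on-domain URLs says nothing about who sent the message.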

3 Use

To use Xenos, all you need is Python 3 installed. You run it simply with python3 xenos.py. The script then prompts the user for certain details: the template file, the sender's name, the sender's profile picture, the target's name, the target's profile picture, and the target's job. It asks for these sequentially. For the images, it is best to give a URL to an image, as references to local files will not carry over into a sent email.

From here, we'll be given an output file named email.html. If you open that in your browser, you will see what your email will look like. Here, all you need to do is carefully copy MOST of the content and then paste it into the email. There is a small bug where if you copy a little too much it will create undeletable whitespace in the email. And that's it! Send away!

4 Disclaimer

This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes, period.

Author: Sparow

Created: 2021-03-13 Sat 05:32