Inboxfuscation: 𝓞ut-of-the-Box Mailbox 𝓞bfuscation – Turning BEC into Business Email Chaos

OVERVIEW

Email remains vital in most organizations, from user logins to daily business communications. Business Email Compromise (BEC) continues to threaten companies’ operations as attackers disrupt communications, perform reconnaissance, or leverage this foothold as a springboard for targeting additional organizations.

This research shares examples of common TTPs from first-hand attacks before exploring multiple categories of never-before-seen obfuscation techniques targeting Exchange mailboxes and their administration tools. These obfuscation categories begin with numerous undocumented functional tricks like null-character inbox rule names and single-space conditions that perform unexpected filtering while simultaneously breaking rule name-ID correlations in runtime logs relied upon for detections. We then explore a larger genre of syntactical obfuscation, highlighting problematic characters (null character, backspace, carriage return, RTL, zero-width space) while introducing many new classes of characters with differing evasive qualities.

While many homoglyph attacks rely on look-alike characters to evade visual analysis, we uncovered undocumented normalizations that transform visually bizarre, Unicode-laden keywords to ASCII counterparts while still logging as Unicode. Beyond visual and logging-mismatch evasions, we discovered functionality-breaking techniques that render Exchange UI and CLI tools ineffective for administrative and investigative purposes. We end with a vulnerability allowing email deletion while entirely bypassing all logging.
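The two evasion classes described above (invisible or control characters in rule names and conditions, and Unicode keywords that Exchange silently folds to ASCII while logging the Unicode form) are both things a defender can hunt for offline once inbox rules have been exported. The following is an added example written for this page, not code from the talk or from the Inboxfuscation tool; it generalizes beyond the five characters named above by flagging every Unicode control, format, private-use or unassigned code point, and it uses NFKC normalization as the ASCII-folding check (an assumption: the exact normalization Exchange applies is not stated here). The rule records are constructed sample data in a simplified shape; in practice the fields would come from an export such as `Get-InboxRule`.

```python
import unicodedata

# Unicode general categories that cover invisible and bidirectional code points:
# Cc = control (NUL, backspace, CR), Cf = format (zero-width space, RTL marks
# and overrides), Co = private use, Cn = unassigned.
INVISIBLE_CATEGORIES = {"Cc", "Cf", "Co", "Cn"}

# Constructed sample rules (not real tenant data). Rule 0 is benign; rule 1 uses a
# NUL-only name and a single-space subject condition; rule 2 hides a zero-width
# space in its name and uses math-bold / fullwidth keywords that fold to ASCII.
SAMPLE_RULES = [
    {"name": "Move newsletters",
     "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to": "Newsletters"}},
    {"name": "\x00",
     "conditions": {"subject_contains": [" "]},
     "actions": {"delete": True}},
    {"name": "Sync\u200b",
     "conditions": {"subject_contains": ["\U0001d422\U0001d427\U0001d42f\U0001d428\U0001d422\U0001d41c\U0001d41e",
                                         "\uff50\uff41\uff59\uff4d\uff45\uff4e\uff54"]},
     "actions": {"move_to": "RSS Feeds"}},
]


def invisible_chars(text):
    """Return (offset, name) for every control/format/private/unassigned code point."""
    hits = []
    for i, ch in enumerate(text):
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            # Control characters have no Unicode name; fall back to the code point.
            hits.append((i, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return hits


def visible_text(text):
    """Strip invisible code points and surrounding whitespace; '' means nothing is shown."""
    return "".join(ch for ch in text
                   if unicodedata.category(ch) not in INVISIBLE_CATEGORIES).strip()


def normalizes_to_ascii(keyword):
    """(True, ascii_form) when NFKC folds a non-ASCII keyword to pure ASCII, else (False, keyword)."""
    folded = unicodedata.normalize("NFKC", keyword)
    if folded != keyword and folded.isascii():
        return True, folded
    return False, keyword


def analyze_rule(rule):
    """Return a list of human-readable findings for one inbox rule record."""
    findings = []
    name = rule.get("name", "")
    hidden = invisible_chars(name)
    if hidden:
        findings.append(f"name contains invisible characters: {hidden}")
    if not visible_text(name):
        findings.append("name has no visible characters (breaks name/ID correlation in logs)")
    for field, values in rule.get("conditions", {}).items():
        for value in values:
            if not value.strip():
                findings.append(f"{field}: whitespace-only condition {value!r}")
            hidden = invisible_chars(value)
            if hidden:
                findings.append(f"{field}: condition contains invisible characters: {hidden}")
            folded, ascii_form = normalizes_to_ascii(value)
            if folded:
                findings.append(f"{field}: {value!r} normalizes to ASCII {ascii_form!r}")
    return findings


def analyze_rules(rules):
    """Map rule index -> findings for every rule in the export."""
    return {i: analyze_rule(rule) for i, rule in enumerate(rules)}


if __name__ == "__main__":
    for idx, findings in analyze_rules(SAMPLE_RULES).items():
        print(f"rule {idx}: {'clean' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Because the ASCII-folded form is what actually matches mail, the check reports it next to the raw keyword so an analyst searching logs for `invoice` can tie it back to the Unicode string that was logged.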

From subscripts to symbols, come and **exchange** (ha!) everything you thought you’d seen about BEC attacks and experience the depths of evasion that our Inboxfuscation research and open-source tool can provide to offensive- and defensive-minded security professionals alike.

Presented By

ANDI AHMETI

Threat Researcher, Permiso Security