Malicious Microsoft Exchange inbox rules could be hidden using a technique dubbed “Inboxfuscation,” introduced by Permiso researchers on Thursday.

The method uses Unicode characters such as mathematical alphanumeric symbols, zero-width characters, bidirectional text controls and enclosed alphanumeric characters to make injected rules appear benign to human readers or security scanners.

Inboxfuscation takes advantage of the way Exchange normalizes certain Unicode characters to their Latin alphabet counterparts, making it possible for an attacker’s rules to still work as intended despite being encoded.

For example, the string “ⓐⓓⓜⓘⓝ” would be normalized to “admin,” potentially without security tools recognizing the presence of this keyword.

Malicious Exchange inbox rules allow attackers to continuously exfiltrate and/or hide certain emails received by compromised email accounts.

For example, an attacker could create a rule that causes any emails containing the words “admin,” “password,” “confidential” or “secret” to be forwarded to the attacker’s own email address and moved to the victim’s Deleted folder to hide them from the legitimate user.

Techniques like Inboxfuscation pose a challenge to detection methods that rely on keyword-based rules to identify suspicious inbox rules.

In addition to alphanumeric Unicode symbols (e.g., ⓐ, 🄰, 𝙰), attackers could also use zero-width spaces to break up keywords, or bidirectional text controls to obscure them, such as by adding a right-to-left override (U+202E) in the middle of the word “secret” to make it appear as “secter,” Permiso researchers explained.

Attackers could also combine several of these Unicode-based obfuscation techniques in a single rule to maximize evasion.

Permiso’s open-source Inboxfuscation framework provides both offensive and defensive capabilities for red team/blue team exercises and security research, including detection capabilities for several Unicode categories.

Organizations should consider including rules to detect suspicious uncommon Unicode characters when scanning Microsoft Exchange inbox rules, and conduct comprehensive rule audits to remove any unusual or unexpected rules.
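The following added example (not Permiso’s Inboxfuscation code) shows how a defender can fold a rule condition the way the article describes Exchange doing it, so keyword checks such as “admin” or “secret” still fire, and flag the enclosed, mathematical and format characters that signal obfuscation. The sample conditions are constructed for the example; NFKC normalization plus stripping of Unicode format characters (category Cf) is the assumed folding strategy.

```python
import unicodedata

# Keywords the article gives as typical targets of a malicious forwarding rule.
SENSITIVE_KEYWORDS = ("admin", "password", "confidential", "secret")


def fold_unicode(text: str) -> str:
    """Reduce a rule condition to the plain text a keyword check should see.

    NFKC maps compatibility characters (enclosed ⓐ, squared 🄰, mathematical 𝙰)
    to their ASCII base letters. Format characters (Unicode category Cf) such as
    ZERO WIDTH SPACE U+200B or RIGHT-TO-LEFT OVERRIDE U+202E have no NFKC
    mapping, so they are dropped explicitly and split or reordered words rejoin.
    """
    folded = unicodedata.normalize("NFKC", text)
    visible = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    return visible.casefold()


def suspicious_characters(text: str) -> list:
    """List (code point, name) pairs that change under NFKC or are invisible controls."""
    hits = []
    for ch in text:
        if unicodedata.category(ch) == "Cf" or unicodedata.normalize("NFKC", ch) != ch:
            hits.append((f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def analyze_rule_condition(condition: str) -> dict:
    """Return the folded text, matched keywords and the obfuscating characters found."""
    folded = fold_unicode(condition)
    return {
        "folded": folded,
        "keywords": [kw for kw in SENSITIVE_KEYWORDS if kw in folded],
        "obfuscation": suspicious_characters(condition),
    }


# Constructed sample conditions mimicking the techniques the article describes.
SAMPLE_CONDITIONS = {
    "enclosed": "ⓐⓓⓜⓘⓝ",                                      # circled letters -> admin
    "monospace": "\U0001D699\U0001D68A\U0001D69C\U0001D69C"     # mathematical monospace
                 "\U0001D6A0\U0001D698\U0001D69B\U0001D68D",    # letters -> password
    "zero_width": "sec\u200bret",                                # zero-width space in secret
    "rtl_override": "sec\u202eret",                              # renders as "secter"
    "benign": "Quarterly report",
}

if __name__ == "__main__":
    for label, condition in SAMPLE_CONDITIONS.items():
        result = analyze_rule_condition(condition)
        print(f"{label:13} -> {result['folded']!r} keywords={result['keywords']} "
              f"flagged={[cp for cp, _ in result['obfuscation']]}")
```

Flagging characters whose NFKC form differs from themselves keeps ordinary accented text (which NFKC leaves alone) out of the alert while still catching the compatibility ranges the technique relies on.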