Permiso Uncovers Unicode Technique to Compromise Microsoft Exchange Rules
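Permiso has discovered a Unicode-based obfuscation technique, "Inboxfuscation", that can be used to evade detection of Microsoft Exchange inbox rules. The technique allows cybercriminals to access email and exfiltrate data. Permiso has open-sourced a related framework to help security teams detect such threats. Although no abuse of the technique has been found so far, its potential risk is high. 2025-9-11 13:0:38 Author: securityboulevard.com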

Permiso today revealed it has discovered a Unicode-based obfuscation technique, dubbed Inboxfuscation, that allows cybercriminals to gain access to Microsoft Exchange inbox rules in a way that could be used, for example, to access emails and exfiltrate data.

Additionally, the company is making available an open source Inboxfuscation framework that gives security teams the ability both to discover these types of threats and to test their current ability to detect the usage of Unicode characters in Microsoft Exchange rules.

Andi Ahmeti, a threat researcher for Permiso, said that while the company has not discovered any instances of this technique being used, inbox rules are a favorite attack vector for cybercriminals.

Unicode is a character encoding standard maintained by the Unicode Consortium that currently defines 159,801 characters and 172 scripts. After cybercriminals gain access to a Microsoft Exchange environment, they can insert a search to generate rules that will not trigger an alert, for example, by inserting a Unicode character into the word “finance” to produce “finanće.”

According to Permiso, Microsoft Exchange will then surface results for the word “finance” without recording in any log file the use of the word “finanće” rather than “finance.” While traditional keyword evasion techniques are fairly common, the use of Unicode characters adds another dimension that makes these types of attacks more difficult to detect, says Ahmeti.

Permiso is in the process of sharing its research with Microsoft, but in the meantime, cybersecurity teams would be well advised to start looking for inbox rules that have been created using Unicode characters now that this research has been published. There is no way of knowing if cybercriminals are already using this technique, but, as always, when it comes to cybersecurity, if it can be imagined, that means someone has already tried it.
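One way to look for such rules, as an added example that is not Permiso's framework or code from the original article: the Python below scans inbox rules for non-ASCII characters and reduces each keyword to an ASCII "skeleton" so that “finanće” is shown next to the plain word it imitates. It assumes rules have been exported as dictionaries keyed by `Get-InboxRule` property names; the watchlist and the sample rules are constructed for illustration.

```python
import unicodedata

# Rule fields that can carry attacker-chosen keywords (property names as
# returned by Exchange's Get-InboxRule; the export format is an assumption).
KEYWORD_FIELDS = ("Name", "SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")

def odd_chars(text):
    """Return (char, 'U+XXXX', category) for every non-ASCII character."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.category(ch))
            for ch in text if ord(ch) > 0x7F]

def ascii_skeleton(text):
    """Approximate the plain keyword: decompose, then drop combining marks
    (Mn) and invisible format characters (Cf) such as zero-width spaces."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed
                   if unicodedata.category(ch) not in ("Mn", "Cf"))

def scan_rules(rules, watchlist=("finance", "invoice", "payment")):
    """Flag rule keywords containing non-ASCII characters; mark as high
    priority those whose skeleton equals a watched plain keyword.
    The default watchlist is hypothetical."""
    findings = []
    for rule in rules:
        for field in KEYWORD_FIELDS:
            values = rule.get(field) or []
            if isinstance(values, str):
                values = [values]
            for value in values:
                chars = odd_chars(value)
                if not chars:
                    continue
                skeleton = ascii_skeleton(value).lower()
                findings.append({"rule": rule.get("Name"), "field": field,
                                 "value": value, "skeleton": skeleton,
                                 "chars": chars,
                                 "high": skeleton in watchlist})
    return findings

# Constructed sample data, not taken from a real tenant.
SAMPLE_RULES = [
    {"Name": "Archive", "SubjectContainsWords": ["finan\u0107e"]},
    {"Name": "Newsletters", "SubjectContainsWords": ["finance"]},
    {"Name": "Sync", "BodyContainsWords": ["in\u200bvoice"]},
]
```

Look-alike letters from other scripts (Cyrillic, for instance) do not decompose to ASCII, so they are still reported by `odd_chars` but will not match the watchlist. Tenants that legitimately use non-English keywords will need an allowlist to keep the noise down.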

Unfortunately, gaining initial access to Microsoft Exchange environments using stolen credentials is far too easy for cybercriminals. It then falls to cybersecurity teams to monitor email environments in the hope of discovering anomalous activity that would be indicative of a compromise. It might be weeks, or even months, before some of that malicious activity is uncovered, so the potential havoc that can be wreaked by cybercriminals once they gain access to an email system is substantial, especially if they configure inbox rules to forward copies of certain types of email to an external address.

It’s not clear how many instances of Microsoft Exchange are being used, but the number of inboxes that might be vulnerable to these types of attacks easily numbers in the millions. The issue is that many of the attacks aimed at those inboxes are designed to be subtle enough to evade existing detection capabilities. Hopefully, with the rise of artificial intelligence (AI), those detection capabilities will considerably improve in the months and years ahead. Until then, protecting email inboxes will continue to require a level of diligence that is often challenging for most cybersecurity teams to both attain and maintain.

Source: https://securityboulevard.com/2025/09/permiso-uncovers-unicode-technique-to-compromise-microsoft-exchange-rules/?utm_source=rss&utm_medium=rss&utm_campaign=permiso-uncovers-unicode-technique-to-compromise-microsoft-exchange-rules