Inbox Invasion: Exploiting MIME Ambiguities to Evade Email Attachment Detectors
Email attachments have become a favored delivery vector for malware campaigns. In response, email attachment detectors are widely deployed to safeguard email security. However, an emerging threat arises when adversaries exploit parsing discrepancies between email detectors and clients to evade detection. Currently, uncovering these vulnerabilities still depends on manual, ad hoc methods.
In this session, we perform the first systematic evaluation of email attachment detection against parsing ambiguity vulnerabilities. We propose a novel testing methodology, MIMEminer, to systematically discover evasion vulnerabilities in email systems. We evaluated our methodology against 16 content detectors of popular email services like Gmail and iCloud, and 7 popular email clients like Outlook and Thunderbird. In total, we discovered 19 new evasion methods affecting all tested email services and clients. We further analyzed these vulnerabilities and identified three primary categories of malware evasions. We have responsibly reported those identified vulnerabilities to the affected providers to help with the remediation of such vulnerabilities and received acknowledgments from Google Gmail, Apple iCloud, Coremail, Tencent, Amavis and Perl MIME-tools.
By:
Jiahe Zhang | PhD Student, Tsinghua University
Jianjun Chen | Associate Professor, Tsinghua University
Qi Wang | Ph.D. Student, Network and Information Security Lab (NISL), Tsinghua University
Hangyu Zhang | Ph.D. Student, Network and Information Security Lab (NISL), Tsinghua University
Shengqiang Li | Undergraduate Student, Tsinghua University
Chuhan Wang | Ph.D., Network and Information Security Lab (NISL), Tsinghua University
Jianwei Zhuge | Associate Researcher, Network and Information Security Lab (NISL), Tsinghua University
Haixin Duan | Professor, Network and Information Security Lab (NISL), Tsinghua University
Full Abstract and Presentation Materials:
https://www.blackhat.com/asia-25/briefings/schedule/#inbox-invasion-exploiting-mime-ambiguities-to-evade-email-attachment-detectors-43972