UPDATED 09:00 EST / SEPTEMBER 11 2025

SECURITY

New open-source tool from Permiso uncovers dangerous inbox rule blind spots

Identity threat detection and response startup Permiso Security Inc. today released a new open-source tool designed to help enterprises detect and mitigate a new class of obfuscation attacks that exploit Microsoft Exchange inbox rules.

The new tool addresses what Permiso's research dubs “Inboxfuscation.” It’s a Unicode-based evasion technique that can create malicious rules invisible to traditional monitoring systems, potentially allowing attackers to establish persistence and exfiltrate sensitive communications undetected.

Historically, malicious inbox rules have been relatively simple for defenders to flag, often relying on obvious keywords such as “password” or “admin.” Security teams could spot these through keyword detection or regex matching, but with Inboxfuscation, attackers can craft rules with visually identical characters that evade existing defenses.

Techniques include mathematical alphanumeric substitutions, zero-width characters, bidirectional text controls and enclosed alphanumerics, all of which can render malicious rules nearly indistinguishable from legitimate ones.

Permiso warns that though it has not yet observed these techniques in active campaigns, their feasibility represents a looming blind spot for defenders.

The company’s research outlines several hypothetical scenarios where attackers could leverage Inboxfuscation, from long-term advanced persistent threat operations exfiltrating executive emails to insider threats monitoring human resource communications or deleting security alerts to hide intrusions. In each case, traditional tools would struggle to recognize the obfuscated rules.

To address the potential risk, Permiso has developed a detection tool capable of analyzing suspicious Unicode categories, parsing multiple log formats and recognizing behavioral patterns across Exchange environments.
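An added example of Unicode-aware rule inspection, not code from Permiso's tool: it flags the four character classes listed above and reports keywords that only become visible after normalization. The function names, the single-string input shape and the sample values are assumptions constructed for this illustration.

```python
import unicodedata

KEYWORDS = ("password", "admin")  # the keywords the article cites
BIDI_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

def classify(ch):
    """Map one character to an obfuscation class named in the article, or None."""
    cp = ord(ch)
    if 0x1D400 <= cp <= 0x1D7FF:
        return "math_alphanumeric"
    if 0x2460 <= cp <= 0x24FF or 0x1F100 <= cp <= 0x1F1FF:
        return "enclosed_alphanumeric"
    if unicodedata.bidirectional(ch) in BIDI_CLASSES:
        return "bidi_control"
    if unicodedata.category(ch) == "Cf":
        return "zero_width_or_format"
    return None

def skeleton(text):
    """Drop invisible format (Cf) characters, fold compatibility forms, casefold."""
    visible = "".join(c for c in text if unicodedata.category(c) != "Cf")
    return unicodedata.normalize("NFKC", visible).casefold()

def inspect_rule_field(value):
    """Analyse one string field of an inbox rule (hypothetical input shape)."""
    classes = sorted({c for c in map(classify, value) if c})
    plain, folded = value.casefold(), skeleton(value)
    # Keywords that appear only after normalisation were hidden from a naive match.
    hidden = [k for k in KEYWORDS if k in folded and k not in plain]
    return {"classes": classes, "hidden_keywords": hidden,
            "suspicious": bool(classes or hidden)}

# Constructed sample values, not taken from real logs or from Permiso's research.
SAMPLES = {
    "plain": "password reset",
    "math_bold": "".join(chr(0x1D41A + ord(c) - ord("a")) for c in "password"),
    "zero_width": "pass\u200bword",
    "circled": "".join(chr(0x24D0 + ord(c) - ord("a")) for c in "admin"),
    "bidi": "ad\u202emin",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, inspect_rule_field(value))
```

A plain keyword is not flagged here because existing keyword matching already covers it; this check reports only what that matching would miss. Format characters also occur in legitimate text (for example joiners in some scripts and emoji sequences), so the character-class finding is a signal to review rather than a verdict.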

The new tool integrates with existing security information and event management systems to provide structured outputs with risk scores, mailbox details and suspicious fields. Permiso has made the project freely available on GitHub and is encouraging security teams to test their detection capabilities, build Unicode-aware monitoring systems and conduct proactive threat hunting.

“The Inboxfuscation research demonstrates a significant vulnerability in current email security architectures,” Permiso wrote in a blog post. “While these techniques have not yet been observed in active threat campaigns, the technical feasibility and detection challenges suggest they represent a future threat vector that security teams should prepare for today. By developing proactive detection capabilities and understanding the technical mechanisms of Unicode obfuscation, organizations can stay ahead of potential attackers who may discover and weaponize these techniques.”

Image: SiliconANGLE/Sora
