Inbox Invasion: Exploiting MIME Ambiguities to Evade Email Attachment Detectors

Abstract

Email attachments have become a favored delivery vector for malware campaigns. In response, email attachment detectors are widely deployed to safeguard email security. However, an emerging threat arises when adversaries exploit parsing discrepancies between email detectors and clients to evade detection. Currently, uncovering these vulnerabilities still depends on manual, ad hoc methods. In this paper, we perform the first systematic evaluation of email attachment detection against parsing ambiguity vulnerabilities. We propose a novel testing methodology, MIMEminer, to systematically discover evasion vulnerabilities in email systems. We evaluated our methodology against 16 content detectors of popular email services like Gmail and iCloud, and 7 popular email clients like Outlook and Thunderbird. In total, we discovered 19 new evasion methods affecting all tested email services and clients. We further analyzed these vulnerabilities and identified three primary categories of malware evasions. We have responsibly reported those identified vulnerabilities to the affected providers to help with the remediation of such vulnerabilities and received acknowledgments from Google Gmail, Apple iCloud, Coremail, Tencent, Amavis and Perl MIME-tools.
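The abstract's core idea is that a detector and a client can read the same MIME message differently, so a scanner that accepts only unambiguous messages removes the room for disagreement. The following is an added illustration written for this page, not code from the paper or from any of the evaluated products, and it does not reconstruct any of the 19 reported evasion methods: it parses a constructed sample with Python's standard `email` module and flags two general classes of ambiguity, a part carrying more than one copy of a single-valued header, and an attachment named differently in Content-Type and Content-Disposition. The sample message, the `SINGLE_VALUED` list and the function name are assumptions made here.

```python
"""Flag MIME attachment parts whose metadata admits more than one reading.

Illustration added for this page; it reconstructs none of the paper's
specific evasion methods, only the general class of discrepancy it names.
"""
import email
from email.message import Message

# Headers for which a second copy lets two parsers disagree about the part:
# one keeps the first value, another keeps the last (assumed list).
SINGLE_VALUED = ("Content-Type", "Content-Disposition", "Content-Transfer-Encoding")

# Constructed sample (not from the paper): the second part carries two
# Content-Type headers and two different file names.
CONSTRUCTED_MESSAGE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Body text.
--b1
Content-Type: text/plain; name="report.txt"
Content-Type: application/octet-stream; name="report.txt"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def find_ambiguities(raw: bytes) -> list[str]:
    """Return human-readable findings for a raw RFC 5322 message (empty list if none)."""
    # compat32 policy keeps raw header strings and does not collapse duplicates.
    msg: Message = email.message_from_bytes(raw)
    findings = []
    for index, part in enumerate(msg.walk()):
        for name in SINGLE_VALUED:
            values = part.get_all(name) or []
            if len(values) > 1:
                first = values[0].split(";")[0].strip()
                last = values[-1].split(";")[0].strip()
                findings.append(
                    f"part {index}: {len(values)} {name} headers "
                    f"(first={first!r}, last={last!r})"
                )
        # Two header fields can name an attachment; a detector and a client
        # may each consult a different one, so a mismatch is itself a finding.
        ct_name = part.get_param("name")
        cd_name = part.get_param("filename", header="content-disposition")
        if ct_name and cd_name and ct_name != cd_name:
            findings.append(
                f"part {index}: Content-Type name={ct_name!r} differs from "
                f"Content-Disposition filename={cd_name!r}"
            )
    return findings


if __name__ == "__main__":
    for finding in find_ambiguities(CONSTRUCTED_MESSAGE):
        print(finding)
```

A gateway that rejects or quarantines any message with a non-empty finding list forces senders to produce messages that every downstream parser reads the same way; the check is deliberately conservative and does not try to guess which interpretation a given client would choose.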

Publication
31st ACM Conference on Computer and Communications Security
Qi Wang (Eki)
PhD Student of Cybersecurity

My research interests include web security, protocol security, and automated vulnerability mining techniques.