Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Mailsploit: Popular Email Apps Allow Spoofing, Code Injection

Tens of email clients, including some of the most popular applications, are plagued by flaws that can be exploited for address spoofing and, in some cases, even for code injection.

Tens of email clients, including some of the most popular applications, are plagued by flaws that can be exploited for address spoofing and, in some cases, even for code injection.

The attack method, dubbed Mailsploit, was discovered by Sabri Haddouche, a pentester and bug bounty hunter whose day job is at secure messaging firm Wire.

The researcher found that an attacker can easily spoof the sender’s address in an email, and even bypass spam filters and the DMARC protection mechanism. More than 30 email apps are impacted, including Apple Mail, Mozilla Thunderbird, Outlook and other applications from Microsoft, Yahoo Mail, Hushmail, and ProtonMail.

All affected vendors were notified in the past months. Yahoo, ProtonMail and Hushmail have already released patches, while others are still working on a fix. Some organizations, such as Mozilla and Opera, said they don’t plan on addressing this issue, and others have not informed Haddouche on whether or not fixes will be rolled out.

Mailsploit attacks are possible due to the way non-ASCII characters are encoded in email headers. These headers are required to contain only ASCII characters, but RFC-1342, published in 1992, provides a way to encode non-ASCII characters so that mail transfer agents (MTAs) can process the email.

Haddouche discovered that many email providers, including clients and web-based apps, fail to properly sanitize the decoded string, which leaves room for abuse.

For example, take the following string in the From parameter of the header:

From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS[email protected]

When decoded by Apple’s Mail application, it becomes:

From: [email protected]([email protected])

However, iOS discards everything after the null byte, and macOS displays only the first valid email address it detects, which leads to recipients seeing the sender as “[email protected]

The Mailsploit attack can be dangerous not only because of how the email address can be spoofed. Using this method also bypasses DMARC, a standard that aims to prevent spoofing by allowing senders and recipients to share information about the email they send to each other.

“The server still validates properly the DKIM signature of the original domain and not the spoofed one,” the researcher explained. “While MTAs not only don’t detect and block these spoofed email addresses, they will happily relay those emails as long as the original email seems trustworthy enough (the attacker can therefore ironically profit from setting up DMARC on that email address). This makes these spoofed emails virtually unstoppable at this point in time.”

In some cases, attackers can also execute arbitrary JavaScript code. This is possible by encoding the code they want to execute in the From parameter of the header. The code will get executed either when the malicious email is opened or when certain actions are performed (e.g. creating a new rule, replying to an email), depending on the application.

Related: DMARC Adoption Low in Fortune 500, FTSE 100 Companies

Related: Thirty Percent of CEO Email Accounts Exposed in Breaches

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.