Andi Ahmeti

Threat Researcher
Permiso Security
Andi Ahmeti is a Threat Researcher at Permiso Security’s P0 Labs with 3 years in offensive security and threat hunting. He focuses on hunting threats in product telemetry and building tools for cloud data analysis. He authored Inboxfuscation, CloudGrappler and co-authored the Cloud Console Cartographer, and has spoken at global conferences including Black Hat Asia, Europe, MEA, DeepSec, FIRSTCON24, x33fcon, BSides Prishtina, NYC. He holds a B.Sc. in Computer Engineering from the University of Prishtina (2023).

Speaker sessions

Inboxfuscation: Out-of-the-Box Mailbox Obfuscation – Turning BEC into Business Email Chaos

Email remains vital in most organizations, from user logins to daily communications. Business Email Compromise (BEC) continues to threaten operations as attackers disrupt workflows, perform reconnaissance, or leverage access to target additional organizations.

In-the-wild BECs often rely on creating or modifying inbox rules to alter email flow or hide alerts (e.g., bounce-backs from spam runs, MFA enrollment notifications). This research shares real-world examples of these TTPs before exploring multiple categories of previously unseen obfuscation techniques targeting Exchange mailboxes and administration tools.

We begin with undocumented functional tricks such as null-character inbox rule names and single-space conditions that filter mail unexpectedly while breaking rule name-ID correlations in runtime logs used for detection. We then examine syntactical obfuscation, highlighting problematic characters (nulls, backspaces, carriage returns, RTL, zero-width spaces) and introducing new character classes with unique evasive qualities.

While many homoglyph attacks use look-alike characters, we uncovered undocumented normalizations that transform bizarre Unicode-laden keywords into ASCII counterparts while still logging as Unicode. Beyond visual and logging mismatches, we present functionality-breaking techniques that render Exchange UI and CLI tools ineffective. We conclude with a vulnerability enabling email deletion while bypassing all logging.

From subscripts to symbols, come and exchange (ha!) everything you thought you knew about BEC attacks and experience the depths of evasion our Inboxfuscation research and open-source tool reveal to both offensive and defensive professionals.
  • 18:00
  • Wed
  • 03 Dec
Stage: Briefings 1
Sessions Type: Presentation
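
A detection-side sketch of the character classes the abstract names (nulls, backspaces, carriage returns, RTL controls, zero-width spaces, space-only conditions, and keywords that normalize to different text), written as an added example that is not part of the talk or the Inboxfuscation tool. The record layout (`name`, `keywords`) and the sample rules are constructed, and NFKC is an assumed stand-in for the undocumented normalizations the abstract mentions.

```python
import unicodedata

# Character classes named in the abstract; code points are standard Unicode.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BIDI = {"\u200e", "\u200f",
        *map(chr, range(0x202A, 0x202F)),   # LRE, RLE, PDF, LRO, RLO
        *map(chr, range(0x2066, 0x206A))}   # LRI, RLI, FSI, PDI


def findings_for(value: str) -> set[str]:
    """Return finding labels for one rule name or keyword string."""
    found = set()
    if value.strip(" ") == "":
        found.add("empty-or-space-only")
    for ch in value:
        if ch in ZERO_WIDTH:
            found.add("zero-width")
        elif ch in BIDI:
            found.add("bidi-control")
        elif unicodedata.category(ch) == "Cc":   # NUL, backspace, CR, ...
            found.add("control-char")
    # Assumption: NFKC approximates "logs as Unicode, matches as ASCII".
    if unicodedata.normalize("NFKC", value) != value:
        found.add("normalizes-differently")
    return found


def audit_rule(rule: dict) -> dict[str, list[str]]:
    """Map each suspicious field of a rule record to its sorted findings."""
    fields = {"name": rule.get("name", "")}
    for i, keyword in enumerate(rule.get("keywords", [])):
        fields[f"keywords[{i}]"] = keyword
    report = {f: sorted(findings_for(v)) for f, v in fields.items()}
    return {f: labels for f, labels in report.items() if labels}


# Constructed inbox-rule records (hypothetical schema, not real log output).
SAMPLE_RULES = [
    {"name": "Move newsletters", "keywords": ["newsletter"]},
    {"name": "\x00", "keywords": [" "]},
    {"name": "tidy\u202eup",
     "keywords": ["pay\u200bment", "\uff49\uff4e\uff56\uff4f\uff49\uff43\uff45"]},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(repr(rule["name"]), audit_rule(rule))
```

Printing with `repr()` matters here: it keeps invisible and control characters visible as escapes when a flagged rule name is reviewed.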