Permiso: https://permiso.io
Read our release blog: https://permiso.io/blog/inboxfuscation-because-rules-are-meant-to-be-broken
Released At: Blue Team Con 2025 (2025-09-07)
Authors: Andi Ahmeti
Inboxfuscation is an advanced inbox rule obfuscation framework for Microsoft Exchange environments. This tool provides sophisticated Unicode-based obfuscation techniques to create stealthy inbox rules that can evade basic detection while maintaining functionality.
```powershell
# Import the module
Import-Module .\Inboxfuscation.psd1

# Create obfuscated inbox rules using direct function calls
New-ObfuscatedInboxRule -Name "Security Filter" -Mailbox "user@company.com" -SubjectContainsWords "confidential","secret" -MoveToFolder ":\Archive" -ObfuscationLevel "Heavy"

# Modify existing rules with obfuscation
Set-ObfuscatedInboxRule -Identity "RuleID123" -Mailbox "admin@company.com" -SubjectOrBodyContainsWords "sensitive","classified" -DeleteMessage -ObfuscationLevel "Heavy"

# Analyze existing rules for obfuscation
Find-ObfuscatedInboxRules -Mailbox "user@company.com"

# Show comprehensive help
Show-InboxfuscationHelp
```
Inboxfuscation provides enhanced versions of standard Exchange cmdlets that work seamlessly with PowerShell:
```powershell
# Direct obfuscation functions
New-ObfuscatedInboxRule [Conditions + Actions + Obfuscation Options]
Set-ObfuscatedInboxRule [Conditions + Actions + Obfuscation Options]

# Note: Exchange inbox rules require both conditions AND actions to be valid
```

- Parameter Capture: `New-InboxRule` and `Set-InboxRule` capture all Exchange parameters
- Rule Object Creation: Creates structured rule objects with integrated obfuscation
- Intelligent Obfuscation: Automatically identifies and processes eligible condition values
- Command Generation: Produces ready-to-execute Exchange commands with Unicode obfuscation applied
- Native PowerShell Syntax: Use familiar Exchange cmdlet parameter names
- Enhanced Functions: Improved versions of `New-InboxRule` and `Set-InboxRule`
- Intelligent Parameter Processing: Automatically identifies and processes obfuscation-eligible parameters
- Seamless Integration: Native PowerShell experience with the `|` operator

- Unicode Mathematical Styles: Bold, italic, script, fraktur, sans-serif variations (𝐚𝐛𝐜, 𝑎𝑏𝑐, 𝒶𝒷𝒸, 𝔞𝔟𝔠, 𝖺𝖻𝖼)
- Zero-Width Characters: Invisible steganographic characters (U+200B, U+200C, U+200D)
- RTL Control Characters: Right-to-left overrides and directional isolates (U+202E, U+202D, U+2067)
- Enclosed Alphanumerics: Circled, squared, and negative variants (ⒶⒷⒸ, 🄰🄱🄲, 🅰🅱🅲)
- Homoglyph Substitution: Visually similar characters from different scripts
- Surrogate Pair Support: Proper handling of extended Unicode characters

- Category-Based Analysis: Systematic detection across all obfuscation types
- Risk Scoring: Quantified threat assessment for each rule
- Character-Level Analysis: Unicode code point identification and reporting

- Console: Rich colored output with visual indicators
- JSON: Structured data for programmatic processing
- XML: Standards-compliant markup for integration
- CSV: Tabular format for spreadsheet analysis
```powershell
# Simple security filter with default obfuscation
New-ObfuscatedInboxRule -Name "Threat Filter" -Mailbox "security@kosova.com" -SubjectContainsWords "malware","virus","phishing" -DeleteMessage

# Executive protection with maximum obfuscation
New-ObfuscatedInboxRule -Name "Executive Protection" -Mailbox "ceo@kosova.com" -SubjectOrBodyContainsWords "urgent","financial","board" -From "external@domain.com" -DeleteMessage -ObfuscationLevel "Maximum"

# Modify existing rule with heavy obfuscation
Set-ObfuscatedInboxRule -Identity "ExistingRule123" -Mailbox "admin@kosova.com" -SubjectOrBodyContainsWords "confidential","secret" -MoveToFolder ":\Calendar" -ObfuscationLevel "Heavy"

# Complex rule with multiple conditions
New-ObfuscatedInboxRule -Name "Multi-Condition Filter" -Mailbox "user@kosova.com" -SubjectContainsWords "invoice","payment" -From "finance@company.com" -MoveToFolder ":\Invoices"
```

`Find-ObfuscatedInboxRules` supports two powerful modes:
```powershell
# Quick analysis of a mailbox
Find-ObfuscatedInboxRules -Mailbox "user@kosova.com"

# Detailed analysis with step-by-step debug output
Find-ObfuscatedInboxRules -Mailbox "user@kosova.com" -DebugOutput

# Export live analysis results
Find-ObfuscatedInboxRules -Mailbox "user@kosova.com" -OutputFormat "JSON" | Out-File "live-analysis.json"
```

Supports multiple file formats with automatic detection:

- Graph API/Get-InboxRule Format: Direct rule objects from `Get-InboxRule` (JSON)
- Runtime/Audit Log Format: Exchange audit logs with a `Parameters` array (JSON)
- CSV Format: Exported rule data in comma-separated values
```powershell
# Analyze mailbox for obfuscated rules
Find-ObfuscatedInboxRules -Mailbox 'user@company.com'

# Analyze mailbox for obfuscated rules with detailed output
Find-ObfuscatedInboxRules -Mailbox 'user@company.com' -DebugOutput

# Analyze runtime logs (real-time execution data)
Find-ObfuscatedInboxRules -InputFile 'runtime-logs.json'

# Analyze auditing logs (historical activity records)
Find-ObfuscatedInboxRules -InputFile 'audit-logs.csv'

# Save analysis results to file
Find-ObfuscatedInboxRules -Mailbox 'user@company.com' -OutputFormat 'JSON' | Out-File -FilePath 'analysis-results.json'

# Process multiple rules from CSV file
Add-InboxRuleObfuscation -InputFile "example-inbox-rules.csv" -ObfuscationLevel "Heavy"

# Process rules from JSON file with debug output
Add-InboxRuleObfuscation -InputFile "example-inbox-rules.json" -DebugOutput

# Process rules from plain text file
Add-InboxRuleObfuscation -InputFile "rules.txt" -ObfuscationLevel "Maximum"
```

| Level | Description | Techniques Used |
|---|---|---|
| Light | Minimal obfuscation | Unicode mathematical styles only |
| Medium | Moderate obfuscation | Mathematical styles + RTL OR zero-width chars |
| Heavy | Strong obfuscation | Mathematical styles + RTL AND zero-width chars |
| Maximum | Maximum stealth | All techniques with maximum character density |
The framework can detect and analyze:
- Mathematical Styled Characters: 𝒶𝒷𝒸 (script), 𝐚𝐛𝐜 (bold), 𝑎𝑏𝑐 (italic), 𝚊𝚋𝚌 (monospace)
- Zero-Width Characters: U+200B (ZWSP), U+200C (ZWNJ), U+200D (ZWJ)
- RTL Control Characters: U+202E (RLO), U+202D (LRO), U+2067 (RLI), U+2069 (PDI)
- Enclosed Alphanumerics: ⒶⒷⒸ (circled), 🄰🄱🄲 (squared), 🅰🅱🅲 (negative squared)
- Homoglyph Substitutions: Cyrillic а (U+0430) vs Latin a (U+0061)
- Character-Level Scoring: Individual Unicode character risk assessment
- Pattern Analysis: Detection of obfuscation patterns and techniques
- Density Metrics: Measurement of obfuscation character density
- Context Awareness: Understanding of legitimate vs suspicious Unicode usage
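As an added example (not code from the Inboxfuscation project), here is the detection side of the two lists above in Python, so it can run offline over exported `Get-InboxRule` JSON: each code point is classified into the categories listed, invisible and RTL controls are stripped, styled and enclosed forms are folded back to ASCII with NFKC, a small Cyrillic homoglyph table handles what NFKC does not, and the rule gets a score. The sample rule, the condition field names walked, and the category weights are constructed assumptions, not the tool's own scoring.

```python
import json
import unicodedata

# Character classes from the detection list above; the weights are an assumption, not the tool's scoring.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d"}                 # ZWSP, ZWNJ, ZWJ
RTL_CONTROLS = {"\u202e", "\u202d", "\u2067", "\u2069"}     # RLO, LRO, RLI, PDI
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}  # small Cyrillic table
WEIGHTS = {"zero-width": 3, "rtl-control": 4, "math-style": 2, "enclosed": 2, "homoglyph": 3}
CONDITION_FIELDS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords", "From")

def classify_char(ch):
    """Map one code point to an obfuscation category, or None for ordinary text."""
    if ch in ZERO_WIDTH:
        return "zero-width"
    if ch in RTL_CONTROLS:
        return "rtl-control"
    if 0x1D400 <= ord(ch) <= 0x1D7FF:                       # Mathematical Alphanumeric Symbols block
        return "math-style"
    if 0x2460 <= ord(ch) <= 0x24FF or 0x1F100 <= ord(ch) <= 0x1F1FF:  # Enclosed Alphanumerics (+ Supplement)
        return "enclosed"
    if unicodedata.name(ch, "").startswith(("CYRILLIC", "GREEK")):
        return "homoglyph"
    return None

def analyze_value(value):
    """Score one condition value and recover the text the rule effectively matches on."""
    categories = {}
    for ch in value:                      # Python iterates code points, so a surrogate pair is one char
        cat = classify_char(ch)
        if cat:
            categories[cat] = categories.get(cat, 0) + 1
    # Drop invisibles, fold styled/enclosed forms with NFKC, then fold homoglyphs (NFKC leaves Cyrillic as-is).
    visible = "".join(ch for ch in value if ch not in ZERO_WIDTH and ch not in RTL_CONTROLS)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", visible))
    score = sum(WEIGHTS[c] * n for c, n in categories.items())
    return {"value": value, "normalized": folded, "categories": categories, "score": score}

def analyze_rule(rule):
    """Walk the condition fields of one Get-InboxRule-style object; report only suspicious values."""
    findings = []
    for field in CONDITION_FIELDS:
        raw = rule.get(field)
        for value in ([raw] if isinstance(raw, str) else raw or []):
            result = analyze_value(value)
            if result["score"]:
                findings.append(dict(result, field=field))
    return {"name": rule.get("Name"), "findings": findings, "total_score": sum(f["score"] for f in findings)}

# Constructed sample in Get-InboxRule JSON shape: zero-width chars, bold math letters as JSON surrogate pairs, a Cyrillic o.
SAMPLE_RULE = json.loads(r'''{"Name": "Security Filter", "From": "finance@c\u043empany.com", "MoveToFolder": ":\\Archive",
  "SubjectContainsWords": ["con\u200bfid\u200cential", "\ud835\udc2c\ud835\udc1e\ud835\udc1c\ud835\udc2b\ud835\udc1e\ud835\udc2d"],
  "SubjectOrBodyContainsWords": ["invoice"]}''')
```

`analyze_rule(SAMPLE_RULE)` reports three findings whose normalized forms read `confidential`, `secret` and `finance@company.com`, which is the view to compare against your allow-listed rule keywords.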
```csv
Name,Condition,ConditionValue,RuleAction,ActionValue,Mailbox,Priority,ObfuscationLevel
"Security Filter","SubjectContainsWords","confidential,secret","MoveToFolder","Archive","user@company.com",1,"Heavy"
"Executive Protection","SubjectOrBodyContainsWords","merger,acquisition","DeleteMessage","","ceo@company.com",2,"Maximum"
```

```json
[
  {
    "Name": "Security Filter",
    "Condition": "SubjectContainsWords",
    "ConditionValue": "confidential,secret",
    "RuleAction": "MoveToFolder",
    "ActionValue": "Archive",
    "Mailbox": "user@company.com",
    "Priority": 1,
    "ObfuscationLevel": "Heavy"
  },
  {
    "Name": "Executive Protection",
    "Condition": "SubjectOrBodyContainsWords",
    "ConditionValue": "merger,acquisition",
    "RuleAction": "DeleteMessage",
    "ActionValue": "",
    "Mailbox": "ceo@company.com",
    "Priority": 2,
    "ObfuscationLevel": "Maximum"
  }
]
```

```text
# Format: Name|Condition|ConditionValue|RuleAction|ActionValue|Mailbox|Priority|ObfuscationLevel
Security Cleanup|SubjectOrBodyContainsWords|malware,phishing|DeleteMessage||security@company.com|5|Heavy
HR Notifications|From|hr@company.com|MarkAsRead||hr@company.com|10|Light
```
- Red Team Operations: Testing email security controls and detection capabilities
- Security Research: Understanding Unicode-based evasion techniques and defenses
- Blue Team Defense: Developing and testing detection rules for obfuscated inbox rules
- Compliance Testing: Validating email security policies and controls

- PowerShell: 5.1 or later (PowerShell 7+ recommended)
- Exchange Module: ExchangeOnlineManagement (for live Exchange operations)
- Operating System: Windows, macOS, or Linux

- Exchange Online: Appropriate RBAC permissions for target mailboxes
- On-Premises Exchange: Exchange Management Shell access
- Mailbox Access: Read/Write permissions for target mailboxes
```powershell
# Install Exchange Online Management module (if needed)
Install-Module -Name ExchangeOnlineManagement -Force

# Import Inboxfuscation
Import-Module .\Inboxfuscation.psd1

# Verify installation
Show-InboxfuscationHelp
```

Inboxfuscation follows a modular architecture:

```text
Inboxfuscation/
├── Inboxfuscation.psd1                # Module manifest
├── Inboxfuscation.psm1                # Main module with pipeline functions
├── Modules/
│   ├── InboxfuscationCore.psm1        # Cmdlets and obfuscation logic
│   ├── InboxfuscationDetection.psm1   # Unicode detection and analysis
│   └── InboxfuscationUI.psm1          # Display and formatting functions
├── Helpers/
│   └── UnicodeHelpers.psm1            # Unicode character definitions
└── Examples/                          # Usage examples and test files
```
Check the Examples/ folder for comprehensive usage examples:
- Basic-Usage.ps1: Getting started with pipeline syntax
- Advanced-Obfuscation.ps1: Complex obfuscation techniques
- Detection-Examples.ps1: Detection and analysis workflows
- CLI-Usage.ps1: Command-line interface examples
Copyright (c) 2025 Permiso Security. All rights reserved.
Educational and authorized testing purposes only.
Powered by Permiso Security