Mailsploit is an email exploit in which attackers spoof the sender of an email without being detected by major email clients.

Email spoofing is the forgery or imitation of an email header so that the email appears to have originated from someone or somewhere other than the actual source.  Email spoofing is a method used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source.  The goal of email spoofing is to get recipients to open, and possibly even respond and provide information to, a solicitation.

A well-crafted spoofed email can cause serious problems and pose security risks.  A spoofed email may pose as coming from a well-known shopping website, asking the recipient to provide sensitive data such as a password or credit card number.  Or the spoofed email may ask the recipient to click on a link that installs malware on the recipient's computing device, which is one way Mailsploit can be utilized.

Security researcher and programmer Sabri Haddouche revealed Mailsploit, a series of methods for spoofing email that have the capacity to exploit more than a dozen common email clients, including Apple Mail, Thunderbird, Microsoft Mail, Outlook 2016, Opera Mail, Airmail, Spark, Guerrilla Mail and AOL Mail.  By combining bugs in those email clients with quirks in how operating systems handle certain kinds of text, Mailsploit can craft email headers that, to the recipient, give every indication of having been sent from whatever address the attacker wishes.

As cyber-security has progressed, email providers have devised a way to prevent email spoofing by deploying DMARC.  DMARC, or Domain-based Message Authentication, Reporting and Conformance, blocks spoofed emails by filtering out those whose headers claim to come from a different source than the server that actually sent them.  Mailsploit works around this by modifying email headers to take advantage of flawed implementations of a 25-year-old standard for encoding non-ASCII characters in email headers, known as RFC-1342.

The trick is to encode non-ASCII characters inside the email headers in a way that stealthily hides the domain part of the real sender address.

The following example shows how email headers are crafted:

The payload:

From: =?utf-8?b?${base64_encode('')}?==?utf-8?Q?=00?==?utf-8?b?${base64_encode('(')}?

Which becomes:

From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?

Which, once decoded by, becomes:


Flaw in client turns it into:


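To make the header mechanics above concrete from the receiving side, here is an added example that is not part of the original post and is not code from Mailsploit's author. It uses a small hand-written decoder for RFC 2047 encoded-words (the successor of RFC-1342) rather than a mail client's parser, so that a NUL byte produced by `=?utf-8?Q?=00?=` stays visible instead of silently truncating the display name, and it then reports the indicators a defender would want flagged: control characters after decoding, a display name shaped like an address that differs from the real address, and what a NUL-truncating client would actually render. The two header values, the `example`-domain addresses and the `inspect_from` / `decode_encoded_words` function names are constructed for this illustration.

```python
import base64
import re
import unicodedata

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")
# Final angle-bracketed addr-spec of a mailbox, as in "Name <user@host>"
ANGLE_ADDR = re.compile(r"<([^<>]*)>\s*$")

# Constructed samples (not real messages). The second is built the way the
# payload above is: an address-shaped display name, a Q-encoded NUL, then the
# real mailbox. "Y2VvQGJhbmsuZXhhbXBsZQ==" is base64 of "ceo@bank.example".
BENIGN_FROM = "=?utf-8?Q?Alice_Example?= <alice@example.org>"
SPOOFED_FROM = ("=?utf-8?b?Y2VvQGJhbmsuZXhhbXBsZQ==?==?utf-8?Q?=00?= "
                "<mailer@untrusted.example>")


def decode_encoded_words(header: str) -> str:
    """Decode every encoded-word in a header value to text.

    Every decoded byte is kept, so a NUL or other control character
    survives into the result instead of cutting it short the way a
    client that stores the name in a C string would.
    """
    def _decode(m):
        charset, enc, text = m.group(1), m.group(2).upper(), m.group(3)
        try:
            if enc == "B":
                raw = base64.b64decode(text + "=" * (-len(text) % 4))
            else:  # Q encoding: '_' is a space, =XX is one hex-encoded byte
                raw = re.sub(rb"=([0-9A-Fa-f]{2})",
                             lambda h: bytes.fromhex(h.group(1).decode("ascii")),
                             text.replace("_", " ").encode("ascii", "replace"))
            return raw.decode(charset, errors="replace")
        except (ValueError, LookupError):
            return m.group(0)  # undecodable word: leave it as written
    return ENCODED_WORD.sub(_decode, header)


def strip_controls(text: str) -> str:
    """Drop control and format characters (Unicode categories Cc and Cf)."""
    return "".join(c for c in text if unicodedata.category(c) not in ("Cc", "Cf"))


def inspect_from(value: str) -> dict:
    """Inspect a raw From: header value and report spoofing indicators."""
    decoded = decode_encoded_words(value)
    controls = sorted({c for c in decoded if unicodedata.category(c) in ("Cc", "Cf")})
    m = ANGLE_ADDR.search(decoded)
    if m:
        name, addr = strip_controls(decoded[:m.start()]).strip(), m.group(1).strip()
    else:
        name, addr = "", strip_controls(decoded).strip()
    # What a client that keeps the decoded header in a C string shows: everything
    # from the first NUL onwards, including the real address, disappears.
    rendered = decoded.split("\x00", 1)[0].strip()
    findings = []
    if controls:
        findings.append("control characters after decoding: "
                        + " ".join(f"U+{ord(c):04X}" for c in controls))
    if "@" in name and name.strip("()").lower() != addr.lower():
        findings.append(f"display name looks like an address ({name}) "
                        f"but the real address is {addr}")
    if rendered != strip_controls(decoded).strip():
        findings.append(f"a NUL-truncating client would render only {rendered!r}")
    return {"decoded": decoded, "display_name": name, "address": addr,
            "rendered_if_truncated": rendered, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for sample in (BENIGN_FROM, SPOOFED_FROM):
        report = inspect_from(sample)
        print(sample, "->", "SUSPICIOUS" if report["suspicious"] else "ok")
        for finding in report["findings"]:
            print("  -", finding)
```

The decoder deliberately does nothing clever: it decodes each encoded-word in place and keeps the bytes it finds. The point of the check is that a receiving system should compare what it parsed with what the user will see; when the two differ because of a control character, the header deserves a warning or quarantine rather than a trusted-looking sender line.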
Furthermore, these are some of the clients affected by email spoofing:


Besides spoofing, several email clients, including Hushmail, Open Mailbox, Spark, and Airmail, are also affected by cross-site scripting (XSS) vulnerabilities.

With Mailsploit, the potential for phishing schemes is enormous.  Given that major email clients and providers are affected, they should release the necessary patches as soon as possible, before this effective phishing technique is adopted by attackers.  As for recipients, they are advised to use the utmost discretion in opening and responding to emails, verifying the legitimacy of an email with its purported sender, especially when it carries attachments or requests particularly sensitive information.



Manny Cuevas

My name is Manny Cuevas, a Security Researcher / Engineer for about 15 years who focuses on Web and Mobile applications and other platforms, from the Island of Sulu, Philippines. I'm also a scientist, inventor and a top-ranked hacker in the world who bypasses all security systems.

