In order to provide advanced protection against Display Name Spoofing, we recently added support for Base64 encoding to Paubox Email Suite Plus. In this blog post, we'll discuss what it is, how it's being abused, and how we added support for Base64:
Base64 encoding is a method used to represent binary data over mediums limited to printable characters. Email is one such medium and is a classic use case for Base64. The name Base64 comes from the fact that each encoded character represents 6 bits of the binary data, and 2 to the power of 6 equals 64. In a nutshell, Base64 encoding is a way of taking binary data and turning it into text so that it's more easily transmitted over mediums like email.
Base64 encoding was originally used to accurately transfer email messages, including attachments, over the internet. Unfortunately, this encoding technique is now being abused by bad actors (i.e. hackers) to deliver malicious Display Name Spoofing attacks.
As we covered in this post, bad actors use Display Name Spoofing to exploit organizations. They do this by relying on authority, sophistication, and the fact that a majority of email is now read on smartphones.
Learn more: Executive Protection for Display Name Spoofing
Taking it up a notch, bad actors are also using Base64 encoding to evade detection by email filters.
For example, let's say a bad actor wanted to impersonate the CEO of an organization via Base64 encoding. If the CEO's name is Laurie Bream and her email is laurie.bream@raviga.com, the From: address field would normally look like this:
From: "Laurie Bream" <laurie.bream@raviga.com>
Using Base64 however, it can be obfuscated to read:
From: IkxhdXJpZSBCcmVhbSIgPGxhdXJpZS5icmVhbUByYXZpZ2EuY29tPg==
Without Base64 encoding support, this obfuscated Display Name Spoofing attack would pass through undetected.
As a recap, ExecProtect is a feature within Paubox Email Suite Plus that protects against Display Name Spoofing attacks. By adding preprocessing support for Base64 encoded email to ExecProtect, we've taken our patent-pending solution for Display Name Spoofing attacks up a notch.
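The preprocessing idea described above, as an added example (not Paubox's ExecProtect code): decode Base64 in the From value before comparing the display name with a protected list. It goes beyond the post by also handling standard RFC 2047 encoded-words; the PROTECTED table, the function names and the example.net address are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed policy (assumption): protected display name -> only address allowed to use it.
PROTECTED = {"laurie bream": "laurie.bream@raviga.com"}

# A value made up entirely of Base64 alphabet characters plus optional padding.
_BARE_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def normalize_from(value: str) -> str:
    """Undo Base64 layers in a From header value so filters see the real text."""
    value = value.strip()
    try:
        # Standard MIME encoded-words (RFC 2047), e.g. =?UTF-8?B?...?=
        value = str(make_header(decode_header(value)))
    except (HeaderParseError, ValueError, LookupError):
        pass  # malformed encoded-word or unknown charset: keep the raw value
    if _BARE_B64.fullmatch(value) and len(value) % 4 == 0:
        # The bare form shown in the post: the whole value is one Base64 string.
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return value
        if decoded.isprintable():
            value = decoded
    return value


def is_display_name_spoof(from_value: str) -> bool:
    """True when a protected display name arrives with an unexpected address."""
    name, addr = parseaddr(normalize_from(from_value))
    expected = PROTECTED.get(" ".join(name.lower().split()))
    return expected is not None and addr.lower() != expected


# Constructed samples: the same spoofed sender, plain and Base64-obfuscated.
SPOOFED = '"Laurie Bream" <laurie.bream@example.net>'
SPOOFED_B64 = base64.b64encode(SPOOFED.encode()).decode()

if __name__ == "__main__":
    for sample in (SPOOFED, SPOOFED_B64):
        print(is_display_name_spoof(sample), normalize_from(sample))
```

Without the normalization step, an address parser sees the obfuscated value as a single token with no display name, so a name-based check has nothing to match against.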