Sabri Haddouche, a security researcher from Germany, has found a set of vulnerabilities that he collectively refers to as Mailsploit: an array of techniques for spoofing email in more than a dozen popular email clients, including Apple Mail for iOS and macOS, Mozilla’s Thunderbird, Microsoft Mail, and Outlook 2016. Mailsploit allows an attacker to spoof email identities and, in some situations, run malicious code on the user’s machine.
“Email spoofing is the creation of email messages with a forged sender address.”
Mailsploit passes straight through email servers and evades established anti-spoofing mechanisms such as DMARC and spam filters. Emails sent with Mailsploit appear to come from completely legitimate senders. In most situations, unless the raw email headers are examined by technicians, emails sent using Mailsploit are undetectable.
According to the researcher:
The trick resides in using RFC-1342 (from 1992!), a recommendation that provides a way to encode non-ASCII chars inside email headers in such a way that it won’t confuse the MTAs processing the email.
Sadly, most email clients don’t correctly sanitize the string after decoding, which leads to this email spoofing attack.
“Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email.”
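As an added example (this is not code from the article or from the researcher’s write-up), a Python check that a mail gateway or client could run over a From header: it decodes the RFC 1342 encoded-words (the scheme now specified by RFC 2047), reports any control characters that survive decoding, and strips them, which is the post-decoding sanitization step the quoted text says most clients skip. The two sample headers are constructed for the demonstration.

```python
import base64
import quopri
import re

# RFC 1342 (now RFC 2047) encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([QqBb])\?([^? ]*)\?=")
# C0 control characters plus DEL; NUL and LF are the ones the quoted text
# says hide the domain part of the real address once decoded.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_encoded_words(header: str) -> str:
    """Decode every encoded-word in a header value to text."""
    def _decode(match):
        charset, encoding, text = match.groups()
        if encoding.lower() == "q":
            # header=True maps '_' to space, as the Q encoding requires
            raw = quopri.decodestring(text.encode("ascii"), header=True)
        else:
            raw = base64.b64decode(text + "=" * (-len(text) % 4))
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(_decode, header)


def strip_control_chars(value: str) -> str:
    """The post-decoding sanitization step the quoted text says most clients skip."""
    return CONTROL_CHARS.sub("", value)


def inspect_from_header(header: str) -> dict:
    """Decode a From header and report control characters that survive decoding."""
    decoded = decode_encoded_words(header)
    found = sorted({f"U+{ord(c):04X}" for c in CONTROL_CHARS.findall(decoded)})
    return {
        "decoded": decoded,
        "sanitized": strip_control_chars(decoded),
        "control_chars": found,
        "suspicious": bool(found),
    }


# Constructed sample headers, not real messages. The second places a
# look-alike address, a NUL and a newline inside the encoded display name.
LEGIT_FROM = "=?utf-8?Q?Andr=C3=A9_M=C3=BCller?= <andre@example.org>"
SPOOFED_FROM = "=?utf-8?Q?ceo=40example.com=00=0A?= <sender@attacker.example>"

if __name__ == "__main__":
    for label, hdr in (("legit", LEGIT_FROM), ("spoofed", SPOOFED_FROM)):
        r = inspect_from_header(hdr)
        print(f"{label}: suspicious={r['suspicious']} controls={r['control_chars']}")
```

Whitespace between two adjacent encoded-words is kept here although RFC 2047 drops it; that simplification does not affect the control-character check.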
You can check the list of all email and web clients that are vulnerable to the Mailsploit attack.