Using AI-Driven Defense to Counter Unicode Exploits

AI-assisted alert triage and investigation can close the gap – without replacing email security

A class of threats has recently emerged that abuses a subtle weakness in how email systems, including Microsoft Exchange, handle Unicode (the universal standard that ensures text is represented consistently across systems). These exploits are turning email into a blind spot for resilience and security teams. The gap can be closed, however, by adding AI-assisted triage and investigation to your security operations process, without replacing your existing email security.

These threats disguise malicious intent by using lookalike Unicode characters and encoding tricks to fool traditional filters. The technique is often called inboxfuscation, and it is proving surprisingly effective, resulting in missed detections, delayed response, and a risk to continuity when it matters most.

How Inboxfuscation Operates

With inboxfuscation, attackers take advantage of how email systems parse and display text. Tiny changes break the pattern-matching rules used by traditional security filters, especially regex-based detections. For example, they might swap the Latin letter “a” (U+0061) for a lookalike from another script, such as the Cyrillic “а” (U+0430) or the Latin alpha “ɑ” (U+0251), or inject non-printing characters such as zero-width spaces that change how the text is interpreted without changing how it looks.

To the unsuspecting human eye, it looks like a normal message. Under the hood, it isn’t.

Breaking Traditional Defenses

Most email security relies on rules like “If this string matches that pattern, trigger an alert.” Those rules are great for known threats, but inboxfuscation breaks them in three ways:

Same look, different code points. Security tools do inspect bytes – but regex and signature rules are written for expected text forms (often ASCII). Without confusable mapping (the approach standardized in Unicode Technical Standard #39, Unicode Security Mechanisms), a rule for admin won't match аdmin where the first character is the Cyrillic “а” (U+0430): visually identical, textually different.

Variants multiply. Once a pattern is blocked, attackers tweak characters and try again – outpacing static rules.

Manual review takes too long. Even when flagged, analysts must decode odd characters and context, slowing response during a crisis.

Net effect: a nasty blind spot for security and business continuity teams alike.

Where AI fits in – and how it actually helps

The good news is that a new kind of email security isn’t required. AI can be used as part of your security operations processes to triage and investigate alerts already generated by your existing email security stack and SIEM, deeply inspecting the alert artifacts (email headers, body, MIME parts) and recommending or triggering governed actions.

Normalize before analysis. Convert text to a canonical form (e.g., apply NFKC normalization, map confusables to their Latin skeleton, strip zero-width characters) so downstream logic operates on the intended string, not the obfuscation.

Understand meaning, not just patterns. Language models assess intent in normalized content (credential harvest, payload staging) even when literal patterns don’t match.

Spot structural weirdness. ML flags unusual Unicode ranges, header ordering, MIME boundaries, and token sequences typical of crafted emails.

Correlate behavior. Combine alert artifacts with sender history, tenant telemetry, and campaign context to raise or lower risk.

Act with guardrails. Within the SOAR or case tool, propose or take scoped actions (tag, quarantine, escalate) based on confidence – always with explanations and audit trails.
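As an added example (not code from the article or from AirMDR), the Python below demonstrates both the failure described under “Breaking Traditional Defenses” and the “Normalize before analysis” and “Spot structural weirdness” steps above: a literal regex for admin misses every obfuscated variant of a constructed subject line, and matches all of them once the text is NFKC-normalized, stripped of zero-width format characters and confusable-mapped. The sample strings, the hand-picked confusable table and the name-based script heuristic are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed sample subject lines (not taken from any real campaign): one benign
# and four obfuscated variants of the same lure.
SAMPLES = {
    "plain":       "Reset your admin password",
    "cyrillic_a":  "Reset your \u0430dmin password",            # U+0430 CYRILLIC SMALL LETTER A
    "latin_alpha": "Reset your \u0251dmin password",            # U+0251 LATIN SMALL LETTER ALPHA
    "zero_width":  "Reset your ad\u200bmin pass\u200dword",     # ZWSP / ZWJ split the keywords
    "fullwidth":   "Reset your \uff41\uff44\uff4d\uff49\uff4e password",  # fullwidth "admin"
}

# The kind of static rule the article describes: a literal keyword match.
RULE = re.compile(r"\badmin\b", re.IGNORECASE)

# Hypothetical hand-picked confusable table (assumption). A production tool should
# load the full confusables.txt data from Unicode Technical Standard #39 instead.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
}


def normalize(text):
    """Fold text to the form the rule author intended to match."""
    # 1. NFKC collapses compatibility forms (fullwidth, ligatures, math letters) to ASCII.
    text = unicodedata.normalize("NFKC", text)
    # 2. Drop format controls (category Cf): zero-width space/joiner, soft hyphen, BOM.
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    # 3. Map known lookalikes onto their Latin skeleton.
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def script_of(ch):
    # Crude script attribution from the first word of the character name (assumption:
    # good enough for Latin/Cyrillic/Greek letters; use Unicode Scripts.txt in production).
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def structural_flags(text):
    """Cheap structural signals of a crafted message, computed on the raw text."""
    flags = set()
    for token in text.split():
        scripts = {script_of(ch) for ch in token if ch.isalpha()}
        if len(scripts) > 1:
            flags.add("mixed-script-token")
    if any(unicodedata.category(ch) == "Cf" for ch in text):
        flags.add("format-chars")
    if any(ord(ch) > 0x7F for ch in text):
        flags.add("non-ascii")
    return sorted(flags)


def triage(text):
    """Run the static rule on raw and normalized text and collect structural flags."""
    normalized = normalize(text)
    return {
        "raw_hit": bool(RULE.search(text)),
        "normalized": normalized,
        "normalized_hit": bool(RULE.search(normalized)),
        "flags": structural_flags(text),
    }


def run_samples():
    return {name: triage(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:12} raw_hit={result['raw_hit']!s:5} "
              f"normalized_hit={result['normalized_hit']!s:5} flags={result['flags']}")
```

Two things worth noticing when running it. The Latin alpha variant is non-ASCII but not mixed-script, because U+0251 belongs to the Latin block; only the confusable table catches it, which is why normalization and structural flags are complementary rather than alternatives. And the fullwidth variant is only recovered because NFKC runs before the confusable map; the name-based script heuristic does not recognise fullwidth letters as Latin. In a real pipeline the same functions would be applied to decoded header values (RFC 2047 encoded words) and to each text MIME part, and a normalized-only hit accompanied by structural flags should score higher than a plain match, since it indicates deliberate evasion.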

Attackers bet that tools won’t detect what the eyes can’t see. AI-assisted triage and investigation – layered onto existing alerts – helps teams cut through the noise, understand intent, and act safely with guardrails. That keeps communications reliable, secure, and resilient when it matters most.

ABOUT THE AUTHOR

Stephen Morrow

Stephen Morrow is the chief solution officer at AirMDR, leading the advancement of autonomous AI SOC agents. Previously, he held leadership roles at Devo, driving AI-driven security, large-scale analytics, and solution engineering. With deep expertise in automation, he is committed to enhancing efficiency in security operations.
