Urgent Microsoft Office Security Alert: All Applications Vulnerable To Homograph Attacks

It’s a new week, and there’s another proof of concept for a phishing technique. Last week, we covered a phishing technique for hijacking WhatsApp accounts, and the week before that we reported on a phishing campaign targeting Intuit QuickBooks users. This new proof of concept leverages an established phishing technique known as an internationalized domain name (IDN) homograph attack.

A homograph attack makes use of what are known as homoglyphs. Homoglyphs are letters or characters that appear identical, or close to it, such as the lowercase “L” and the uppercase “i” characters. Attackers can leverage these sorts of similarities by directing victims to websites with URLs that appear legitimate, but are actually spelled slightly differently. For example, victims might think they are visiting google.com, but they’re actually visiting g00gle.com. In a homograph attack, the attackers control this misspelled domain and use it to distribute malware or steal victims’ login credentials by presenting users with a website that mimics the website located at the legitimate domain.

An IDN homograph attack is a particular kind of this form of attack that leverages letters from other alphabets. Domain names were originally limited to Arabic numerals and the Latin alphabet, which are used by the English language. However, there are many languages that use letters not found in the Latin alphabet, so a new standard eventually came about for registering domain names with non-Latin characters. Domain names registered in this way still use Latin characters underneath, but they can be displayed with non-Latin characters.

A malicious URL using a Cyrillic “a” displayed in Outlook 365 (source: Bitdefender)

Unfortunately, some Latin and non-Latin characters appear nearly identical. For example, the Latin alphabet has the letter “a,” and the Cyrillic alphabet has the letter “а.” The two letters appear virtually indistinguishable, but are technically two different characters (Unicode code points U+0061 and U+0430, respectively). Bad actors are able to make use of these similarities in IDN homograph attacks by registering domain names that appear legitimate, but are actually spelled with a non-Latin character or two. For example, “аpple.com” uses the Cyrillic “а,” and is actually “xn--pple-43d.com” when displayed with Latin characters. An attacker could send a phishing email with a link to this domain, and the recipient would likely have no idea that the URL differs from that of the legitimate apple.com website.

Some web browsers and email clients try to protect against IDN homograph attacks by displaying internationalized domain names with Latin characters, rather than non-Latin characters, so that users can distinguish between the legitimate apple.com domain and the xn--pple-43d.com domain name that appears as “аpple.com” when rendered with Cyrillic characters. However, researchers at Bitdefender have highlighted the fact that the full Microsoft Office suite of applications, including the Outlook 365 email client, renders IDNs with non-Latin characters, leaving users vulnerable to IDN homograph attacks. The image above shows xn--pple-43d.com rendered as “аpple.com” in Outlook 365.

IDN displayed as “оорѕ.com” in Firefox (left) and “xn--n1aag8f.com” in Microsoft Edge (right) (Source: Bitdefender)

The researchers claim to have notified Microsoft of this behavior back in October 2021, and the Microsoft Security Response Center apparently confirmed the researchers’ findings, but Microsoft has yet to take any action on this front. The researchers present this IDN rendering behavior as an issue to be fixed, but the situation isn’t quite that clear cut, as not everyone agrees on best practices for protecting against IDN homograph attacks. Mozilla, for example, still displays some IDNs with non-Latin characters in its Firefox browser. The browser employs an algorithm that attempts to display misleading IDNs with Latin characters while displaying trustworthy IDNs with non-Latin characters. According to Mozilla, domain name providers should be the ones primarily responsible for protecting users against IDN homograph attacks by not approving misleading names. Mozilla wants to support non-Latin characters so as to not “treat non-Latin scripts as second-class citizens.”
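The following script is an added example and is not code from the article or from Bitdefender, Microsoft or Mozilla. It shows the two things the article describes: the conversion between the Unicode form of a domain (“аpple.com” with a Cyrillic “а”) and the Latin “xn--” form (“xn--pple-43d.com”), done with Python’s standard-library Punycode codec, and a simplified version of the kind of display heuristic Firefox and Chromium use, which shows the Unicode form only when a label is not mixed-script and is not made entirely of letters that look like Latin ones. The `CYRILLIC_LOOKALIKES` table is a small constructed subset of look-alike pairs, not the full Unicode confusables list, and the function names are the example’s own.

```python
"""Decode IDN labels and decide whether to display them in Unicode or xn-- form.
Added example: mimics (in simplified form) the mixed-script and
whole-script-confusable checks browsers apply before rendering an IDN."""
import unicodedata

# Constructed subset of look-alike pairs: Cyrillic letters whose glyphs are
# near-identical to a Latin letter in most fonts (assumption: not the full
# Unicode confusables table, which is much larger).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}

ACE_PREFIX = "xn--"  # marks a Punycode-encoded ("ASCII compatible") label


def to_unicode(hostname: str) -> str:
    """Decode every xn-- label of a hostname to its Unicode form."""
    labels = []
    for label in hostname.split("."):
        if label.lower().startswith(ACE_PREFIX):
            encoded = label[len(ACE_PREFIX):].encode("ascii")
            labels.append(encoded.decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def to_ascii(hostname: str) -> str:
    """Encode every non-ASCII label of a hostname to its xn-- form."""
    labels = []
    for label in hostname.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...).
    Digits and hyphens are not letters and are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def is_suspicious(label: str) -> bool:
    """True if the label mixes scripts (e.g. Cyrillic 'а' + Latin 'pple') or
    is written entirely in Cyrillic letters that each resemble a Latin letter
    (e.g. 'оорѕ', which reads as 'oops')."""
    scripts = scripts_in(label)
    if len(scripts) > 1:
        return True
    if scripts == {"CYRILLIC"}:
        return all(ch in CYRILLIC_LOOKALIKES for ch in label if ch.isalpha())
    return False


def display_name(hostname: str) -> str:
    """Render a hostname the way a cautious client would: Unicode form only if
    no label is suspicious, otherwise the xn-- form so the spoof is visible."""
    unicode_host = to_unicode(hostname)
    if any(is_suspicious(label) for label in unicode_host.split(".")):
        return to_ascii(unicode_host)
    return unicode_host


if __name__ == "__main__":
    for host in ("xn--pple-43d.com", "xn--n1aag8f.com", "apple.com",
                 "\u043c\u043e\u0441\u043a\u0432\u0430.com"):  # "москва.com"
        print(f"{host:28} -> {to_unicode(host):12} shown as {display_name(host)}")
```

Running the block prints both domains from the article in their Unicode form and shows that the heuristic would display them as xn--pple-43d.com and xn--n1aag8f.com, while a genuinely Cyrillic name such as москва.com (which contains letters with no Latin look-alike) is left in Cyrillic, which is the balance Mozilla argues for.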

However, Microsoft’s own Edge browser is less forgiving of IDNs, as you can see in the image above, where Edge displays xn--n1aag8f.com in Latin characters, while Firefox displays this domain name with non-Latin characters as “оорѕ.com.” Thus, one might think that Microsoft would consistently render IDNs with Latin characters across its different applications, including the Microsoft Office suite. That said, Edge is built on Chromium, so Edge may simply employ the IDN homograph attack mitigation built into Chromium, rather than rendering IDNs in Latin characters as specified by Microsoft developers.