A new phishing attack targeting Office 365 business email users was found using Punycode to go undetected by both Microsoft’s default security and desktop email filters, Avanan security researchers warn.
The attack is meant to steal Office 365 credentials and abuses a vulnerability in how Office 365 anti-phishing and URL-reputation security layers deal with Punycode. With labels in the Internationalized Domain Names in Applications (IDNA) framework using Unicode characters, Punycode is used to encode them in the limited character subset of ASCII, which is supported by the Domain Name System (DNS).
Previous phishing attacks leveraging Punycode attempted to trick users into clicking links that looked legitimate, but which would resolve to completely different addresses because of the use of similarly-shaped letters from different alphabets. Thus, a site that looks like http://www.pаypal.com/ might actually take users to http://www.xn--pypal-4ve.com/, the researchers explain.
The new type of attack, however, wasn’t designed to trick the user, but rather to bypass the anti-phishing filters that Office 365 and other email phishing protection systems employ. A gap in the Office 365 phishing filters makes this type of attack possible.
The attack starts with fake FedEx emails that include benign-looking URLs meant to take users to malicious websites. However, by using Punycode and leveraging said flaw in the phish-detection engine, the URL actually resolves to two different domains, one safe, which is detected by Office 365, and the other malicious, which is followed by the browser.
The underlining issue is that Office 365’s default security treats the domain as plain ASCII when verifying whether it is legitimate or not, Avanan’s Gil Friedrich explains. The included domain, xn--sicherheit-schlsseldienst-twc.de, resolves to a Berlin, Germany IP address when tested as plain ASCII, and is allowed in the users’ inboxes, because it doesn’t reveal malicious intent.
Because all modern browses support Unicode characters, the address is translated to its Unicode format when launched in the browser, which gets users to sicherheit-schlüsseldienst.de, which points to a Belfast, Northern Ireland IP address. This address is malicious and presents users with a fake Office 365 login page in an attempt to steal their credentials.
According to Avanan, the attackers appear particularly interested in Office 365 credentials, as all of the observed malicious messages were sent to corporations that use Office 365 for their business email. Moreover, the landing page of the malicious URLs is a fake Microsoft login designed to specifically ask for a “Business Email” account.
“With the growth in Office 365 for corporate email, hackers are shifting their focus. The characteristics of this particular attack discloses the hacker’s intention to deceive Office 365 users into providing their login credentials,” Avanan explains.