Phishing attacks are one of the oldest ways for malicious individuals to steal information, and an old-school phishing method has found its way into Outlook. Using characters from different alphabets, people can make victims believe spoofed emails are from genuine contacts, as reported by ArsTechnica.
Essentially, what’s happening here is that phishers can get Microsoft Office to display a real contact’s details for messages that actually come from a spoofed Internationalized Domain Name. The spoof relies on characters from other alphabets, such as Cyrillic, that look identical to letters in the Latin alphabet.
Information security professional and pentester Dobby1Kenobi did some testing and found that it was pretty easy to trick the system before the update was issued. It’s striking how similar the characters look, and if you aren’t paying attention, it’s easy to see how someone could fall for it.
In a blog post, Dobby1Kenobi said the following:
I recently discovered a vulnerability that affects the Address Book component of Microsoft Office for Windows that could allow anyone on the internet to spoof contact details of employees within an organization using an external look-alike Internationalized Domain Name (IDN). This means if a company’s domain is ‘somecompany[.]com’, an attacker that registers an IDN such as ‘ѕomecompany[.]com’ (xn--omecompany-l2i[.]com) could take advantage of this bug and send convincing phishing emails to employees within ‘somecompany.com’ that used Microsoft Outlook for Windows.
When the feature works correctly, a message from a domain outside the actual organization wouldn’t show the address book entry for the person being spoofed, but with this bug the email looked like it was coming from that person.
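The look-alike domain in the quoted write-up, ‘ѕomecompany[.]com’ (punycode xn--omecompany-l2i[.]com), is the kind of thing a mail gateway or a mailbox rule can flag before a user ever sees a spoofed contact card. The following is an added example, not code from the blog post and not Outlook’s own address-book logic: it decodes a sender domain from punycode, reports whether a label mixes scripts (Cyrillic and Latin in one word), and checks whether mapping a small, hand-picked set of Cyrillic look-alikes back to Latin produces one of the organization’s trusted domains. The trusted-domain set and the confusable table are assumptions supplied by the defender; the table is only a subset of the Unicode confusables list.

```python
"""Flag sender domains that are homoglyph look-alikes of trusted domains.

Added example (not the blog post's or Microsoft's code). Assumes the
defender supplies the trusted-domain set; the confusable table below is a
constructed subset of Cyrillic letters that render like Latin letters.
"""
import unicodedata

# Constructed subset of Cyrillic -> Latin look-alikes (not the full
# Unicode confusables.txt); U+0455 DZE is the 's' used in the write-up.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}

# Name prefixes of characters that belong to no particular script.
NEUTRAL_PREFIXES = {"DIGIT", "HYPHEN-MINUS", "FULL"}


def sender_domain(address: str) -> str:
    """Domain part of an addr-spec such as 'alice@example.org', lower-cased."""
    return address.rsplit("@", 1)[1].strip("> ").lower()


def to_unicode(domain: str) -> str:
    """Normalize a domain to its Unicode form (xn-- labels are decoded)."""
    # The idna codec passes pure-ASCII labels through and punycode-encodes
    # Unicode ones, so the round trip yields a canonical Unicode string.
    return domain.encode("idna").decode("idna")


def script_of(ch: str) -> str:
    """Coarse script label taken from the first word of the Unicode name."""
    first = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
    return "COMMON" if first in NEUTRAL_PREFIXES else first


def scripts_in(label: str) -> set:
    """Set of scripts used by the letters of one DNS label."""
    return {script_of(c) for c in label} - {"COMMON"}


def skeleton(domain: str) -> str:
    """Replace known Cyrillic look-alikes with the Latin letters they mimic."""
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in domain)


def assess_sender(address: str, trusted: set) -> dict:
    """Return the indicators a filter would act on for one sender address."""
    raw = sender_domain(address)
    domain = to_unicode(raw)
    labels = domain.split(".")
    mixed = any(len(scripts_in(label)) > 1 for label in labels)
    lookalike = None
    if domain not in trusted:
        folded = skeleton(domain)
        if folded != domain and folded in trusted:
            lookalike = folded
    return {
        "domain": domain,
        "is_idn": not domain.isascii(),
        "mixed_script": mixed,
        "lookalike_of": lookalike,
        "trusted": domain in trusted,
    }


if __name__ == "__main__":
    TRUSTED = {"somecompany.com"}  # constructed example organization
    for addr in ("ceo@xn--omecompany-l2i.com", "ceo@somecompany.com",
                 "partner@example.org"):
        print(addr, assess_sender(addr, TRUSTED))
```

The mixed-script test alone would miss a look-alike written entirely in Cyrillic, which is why the skeleton comparison against the trusted list is kept as a separate indicator; a real deployment would use the full Unicode confusables data rather than the short table here.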
Microsoft investigated the case, and initially, it sounded like the company wasn’t going to fix the problem:
We’ve finished going over your case, but in this instance it was decided that we will not be fixing this vulnerability in the current version and are closing this case. In this case, while spoofing could occur, the sender’s identity cannot be trusted without a digital signature. The changes needed are likely to cause false positives and issues in other ways.
However, as mentioned, Microsoft did update Outlook to fix the problem. As always, let this serve as a reminder to be aware of who emails are coming from and to verify that a message is really from who you think it is before you click any links. Also, keep your important apps up to date so that you have the latest security updates.