Corporate Office 365 users are being targeted by phishers using a clever new trick to bypass email filters and the default security protections of the Microsoft service.
The attack comes in the form of fake emails, and the trick makes the user see one URL in the link, anti-phishing filters see another, and the actual link lead to a third, phishing URL.
Here is an example:
The attackers take advantage of how Office 365 anti-phishing and URL-reputation security layers translate Punycode – a method for encoding domain names with Unicode characters.
“Punycode is a method added to the Domain Name System (DNS) in order to support non-ASCII characters within a web URL. For example, the Swiss bookstore bücher.ch would have an ASCII URL of xn--bcher-kva.ch which renders the non-ASCII umlaut ü,” Avanan CEO Gil Friedrich explains.
This particular Office 365 phishing attack is aimed almost exclusively at Office 365 business users.
The phishing form explicitly asks for credentials for the victims’ business email account, and most of the fake emails that lead to these phishing sites have been found within corporations that use Office 365 for their corporate email.
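As an added example (not from the article or from Avanan), the following Python check shows the gap the article describes from a defender's side: it decodes the Punycode host of a link the way a browser would, compares it with the raw host a filter would match on, and with the host named in the link text. The HTML snippet and hostnames are constructed, apart from the bücher.ch / xn--bcher-kva.ch pair quoted above; the mixed-script flag is an assumption about what a reviewer would want to see.

```python
"""Three views of one link: what the user reads, what a filter sees in the
href, and the Unicode host a browser resolves. Added example; the sample
anchor below is constructed."""
import re
import unicodedata
from urllib.parse import urlparse

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed lure: the visible text names one site, the href another (Punycode).
SAMPLE_HTML = '<a href="https://xn--bcher-kva.ch/login">https://mail.example.com/owa</a>'


def decode_idna_host(host: str) -> str:
    """Turn xn--... labels back into the Unicode a browser would display."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host  # already Unicode or malformed: leave unchanged


def label_scripts(label: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyse_anchor(html: str) -> dict:
    """Return the three views of the first <a> element plus risk flags."""
    m = ANCHOR_RE.search(html)
    if not m:
        raise ValueError("no anchor found")
    href, text = m.group(1), re.sub(r"<[^>]+>", "", m.group(2)).strip()
    raw_host = urlparse(href).hostname or ""        # what a URL filter matches on
    shown_host = decode_idna_host(raw_host)         # what the browser shows/resolves
    flags = []
    if raw_host != shown_host:
        flags.append("punycode")                    # filter and browser see different names
    if any(len(label_scripts(lbl)) > 1 for lbl in shown_host.split(".")):
        flags.append("mixed-script")                # e.g. Latin letters beside Cyrillic
    text_host = urlparse(text).hostname if "://" in text else None
    if text_host and text_host.lower() != shown_host.lower():
        flags.append("text-href-mismatch")          # link text names a third site
    return {"text": text, "raw_host": raw_host, "shown_host": shown_host, "flags": flags}


if __name__ == "__main__":
    print(analyse_anchor(SAMPLE_HTML))
```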