Microsoft Office apps are vulnerable to IDN homograph attacks

Microsoft Office apps – including Outlook – are vulnerable to homograph attacks based on internationalized domain names (IDNs).

In practice, this means that users hovering above a link in a phishing email or a Word or Excel document they have receieved can’t tell that it will direct them to a spoofed malicious domain that’s not what it purports to be.

“Users, who are trained to validate a link in an email client before they click it, will be susceptible to click on it because it has not yet been translated to a real domain name in their browser. The real domain name would only be seen after the page has started to open,” Bitdefender researchers warned.

IDN-based homograph attacks and Microsoft Office

IDNs are domain names that, wholly or partly, use characters from a non-latin script or alphabet, which are encoded by the Unicode standard. For the Domain Name System (DNS) to be able to “read” them correctly, IDNs are stored in the DNS as ASCII strings using Punycode transcription.

“Punycode can represent Unicode characters using the limited ASCII character set – for example, my localized domain žugec.sk is actually a domain xn--ugec-kbb.sk,” Martin Zugec, Technical Solutions Director at Bitdefender, explained.

Spoofed IDN homograph domains are created by combining letters from different alphabets, which to the user look so similar to one another that they make differentiation impossible (or extremely difficult and unlikely), but Unicode treats as separate entities/letters.

“Homograph attacks are not a new concept,” Zugec noted. “Over the years, there have been multiple attempts to solve this problem. Today, we rely on a combination of domain registration vetting and awareness built into client applications as the two most common methods to prevent the risk of these attacks.”

Those checks aren’t always perfect, though.

Most browsers, for example, show in the address bar the real name of an internationalized domain name (e.g., https://xn--n1aag8f.com) instead of the display name (e.g., https://žugec.com) if the site is suspicious. But, as Bitdefender researchers discovered, MS Office applications show the display name.

How likely are these attacks?

Since domain registration vetting largely limits which spoofed domains can be registered and most browsers (Firefox is an exception) show the spoofed IDN domain’s real name, IDN homograph attacks are impractical and uncommon.

Still, highly motivated threat actors going after specific companies could find going through the trouble of setting these attacks up worth it.

“We review data in our telemetry every month to gain more insights into the homograph attack threat landscape. We see a clear tendency to target financial operations, with a primary focus on cryptocurrency markets,” Zugec added.

Microsoft has acknowledged the issue when notified of Bitdefender’s findings, but has not made it clear if they intend to fix it.

In the meantime, endpoint security solutions and IP and URL reputation services should block most suspicious domains, and user awareness training should teach users to always check the destination URL.

“As a simple rule, if the URL begins with xn--, the site is suspicious. International domain names are rarely used for non-malicious activities, except for a few countries,” he noted, and warned that since these spoofed IDN domains can be equipped with free security certificates, a lock icon present in the address bar should not be treated by users as proof of the domain’s legitimacy.

Organizations should also implement multifactor authentication to make homograph and any other kind of phishing less likely to lead to account compromise, and should consider registering all domains that could be associated with their company.

“Because IDNs are limited to a single character set, combinations are limited. During our research, we noticed few companies proactively register all potential spoofing domains,” Zugec concluded.

UPDATE (June 6, 2022, 01:10 a.m. ET):

We have removed the mention of the attack working on Teams, because this specific issue is not present on that Microsoft app.