If you receive an email from an address at arstechnіca.com, does it really belong to someone at Ars? Absolutely not: the domain in that email address is not the arstechnica.com you know. The ‘і’ character there is from the Cyrillic script, not the Latin alphabet.
This is not a new problem either. Until a few years ago (but no longer), modern browsers made no visible distinction when domains with mixed character sets were typed into the address bar.
It turns out that Microsoft Outlook is no exception, and there the problem is worse: an email coming from such a lookalike domain would show, in Outlook, the business card of a real person who is registered under the legitimate domain, not the lookalike one.
Outlook shows real contact information for fake IDN domains
This week infosec professional and pentester DobbyWanKenobi demonstrated how to trick Microsoft Office’s address book component into displaying a real person’s contact information for a spoofed sender’s email address using IDNs. Internationalized Domain Names (IDNs) are domains containing non-ASCII Unicode characters; they can mix scripts, such as letters from both the Latin and Cyrillic alphabets, which can make the domain appear identical to a regular ASCII domain.
The concept of IDN was proposed in 1996 to expand the domain name space to non-Latin languages and to address the aforementioned ambiguity of different characters that look identical (“homoglyphs”) to humans. IDNs can also be displayed purely in ASCII, as the “punycode” version of the domain, which leaves no room for ambiguity between two similar-looking domains.
For example, if you copy the lookalike “arstechnіca.com” into the address bar of the latest Chrome browser, it immediately changes to its punycode representation to avoid ambiguity: xn--arstechnca-42i.com. This does not happen when the actual arstechnica.com, which is already ASCII and contains no Cyrillic ‘і’, is typed in the address bar. Such a visible distinction is necessary to protect end users who accidentally end up on deceptive websites used in phishing campaigns.
But DobbyWanKenobi recently found that Microsoft Outlook for Windows made no such distinction, and its address book feature would not discriminate when showing a person’s contact information.
“I recently discovered a vulnerability that affects the address book component of Microsoft Office for Windows, allowing anyone on the Internet to falsify employee contact information within an organization using an external look-alike Internationalized Domain Name (IDN),” the pen tester wrote in a blog post. “This means that if a company’s domain is ‘somecompany[.]com’, an attacker registering an IDN such as ‘ѕomecompany[.]com’ (xn--omecompany-l2i[.]com) can take advantage of this bug and send persuasive phishing emails to employees within ‘somecompany.com’ who use Microsoft Outlook for Windows.”
Coincidentally, another report on the subject came out the next day from Mike Manzotti, a senior consultant at Dionach. For a contact Manzotti created on the lookalike “onmlcrosoft.com” domain (note the l), Outlook displayed valid contact information for the person whose email address contained the real “onmicrosoft.com” domain.
“In other words, the phishing email is aimed at the user NestorW@….onmlcrosoft.com; however, it displays valid Active Directory details and the image of NestorW@….onmicrosoft.com as if the email came from a trusted source,” said Manzotti.
Manzotti attributes the problem to Outlook not correctly validating email addresses in Multipurpose Internet Mail Extensions (MIME) headers.
“If you’re sending an HTML email, you can specify the SMTP ‘mail from’ address and the Mime ‘from’ address,” explains Manzotti.
“This is because the MIME headers are encapsulated in the SMTP protocol. MIME is used for extending simple text messages, for example when sending HTML emails,” he explained, with an illustration.
But according to Manzotti, Microsoft Outlook for Office 365 does not correctly verify the punycode domain, which could allow an attacker to impersonate a valid contact in the target organization.
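The two checks the article describes (converting a sender domain to punycode, and comparing the MIME ‘From’ domain with the SMTP ‘mail from’ domain) can be run on the receiving side. The script below is an added example, not code from the article or from the researchers it cites; TRUSTED_DOMAINS, the HOMOGLYPHS table and the sample messages are constructed.

```python
"""Triage of IDN lookalike senders (added example; constructed data)."""
from email.utils import parseaddr
import unicodedata

TRUSTED_DOMAINS = {"somecompany.com", "arstechnica.com"}  # constructed

# Constructed, incomplete table of Cyrillic letters that look like Latin ones.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0440": "p", "\u0441": "c", "\u0455": "s",
                            "\u0456": "i", "\u0445": "x", "\u0443": "y"})

def domain_of(addr: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host', lowercased."""
    return parseaddr(addr)[1].rpartition("@")[2].strip().lower()

def to_punycode(domain: str) -> str:
    """ASCII form a mail client should show; ASCII input comes back unchanged."""
    return domain.encode("idna").decode("ascii")

def scripts_of(domain: str) -> set:
    """Unicode scripts of the letters in a domain, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in domain if ch.isalpha()}

def check_sender(mail_from: str, from_header: str) -> list:
    """Findings for one message: envelope/header domain mismatch (the MIME
    'From' need not match SMTP MAIL FROM), non-ASCII IDN domain, mixed
    scripts, and a homoglyph skeleton that collides with a trusted domain."""
    findings = []
    env, hdr = domain_of(mail_from), domain_of(from_header)
    if env != hdr:
        findings.append(f"envelope domain {env} != header domain {hdr}")
    puny = to_punycode(hdr)
    if puny != hdr:  # only true for a non-ASCII (Unicode) domain
        findings.append(f"IDN sender domain, punycode {puny}")
        scripts = scripts_of(hdr)
        if len(scripts) > 1:
            findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
        skeleton = hdr.translate(HOMOGLYPHS)
        if skeleton in TRUSTED_DOMAINS:
            findings.append(f"lookalike of trusted domain {skeleton}")
    return findings

if __name__ == "__main__":
    # Constructed samples: a genuine message, then the article's lookalike
    # with Cyrillic es (U+0455) in place of the Latin 's'.
    for env, hdr in [("bounce@somecompany.com", "HR <hr@somecompany.com>"),
                     ("bounce@\u0455omecompany.com", "HR <hr@\u0455omecompany.com>")]:
        print(hdr, "->", check_sender(env, hdr) or ["no findings"])
```

The skeleton comparison only covers the handful of Cyrillic letters in the table; a production filter would use the full Unicode confusables data.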
IDN Phishing: An Old Problem Revived
The problem of IDN-based phishing websites came to the fore in 2017, when web application developer Xudong Zheng showed how the modern browsers of the time rendered the IDN lookalike аpple.com exactly like the real apple.com.
Zheng was concerned that IDNs could be exploited by attackers for various nefarious purposes, such as phishing:
From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from regular ASCII characters. It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) instead of the ASCII “a” (U+0061). This is known as a homograph attack.
The problem in Outlook is that for a phishing email sent from an IDN, the recipient not only cannot distinguish the fake email address from the real one, but also sees the business card of a legitimate contact, and so is all the more likely to fall victim to the attack.
It’s unclear whether Microsoft is inclined to fix the issue in Outlook at this point:
“We have reviewed your case, but in this case it has been decided that we will not fix this vulnerability in the current version,” a Microsoft employee told DobbyWanKenobi in an email.
“While spoofing can occur, the sender’s identity cannot be trusted without a digital signature. The changes needed are likely to cause false positives and problems in other ways,” the email seen by Ars continued.
Microsoft did not respond to Ars’s request for comment sent before publication.
Researchers found that the vulnerability affects both the 32-bit and 64-bit builds of the latest Microsoft Outlook for Microsoft 365, although Manzotti states that the issue was no longer reproducible in version 16.0.14228.20216 after he notified Microsoft.
Oddly enough, Microsoft’s response to Manzotti still maintained that the vulnerability would not be fixed. Manzotti also notes that this type of phishing attack does not succeed on Outlook Web Access (OWA).
Enabling security features such as “external sender” email alerts and email signing is one step organizations can take to deter spoofing attacks.