Microsoft Outlook shows real contact details in some phishing emails

Homograph attacks fool Microsoft's email software, researchers find

Microsoft Outlook is susceptible to phishing attacks using internationalized domain names (IDNs), according to reports from two separate security researchers. 

Phishing from look-alike IDNs is known as a homograph attack. Such domains use characters from non-Latin scripts, such as Cyrillic or Greek, that resemble ordinary Latin letters. An attacker might register tωitter.com, in which the Greek letter omega (ω) stands in for the Latin 'w'. 

Browsers have long recognised such IDNs and display them in their ASCII-compatible Punycode form (the xn-- encoding) rather than as Unicode, which makes a look-alike easier to spot. The tωitter.com IDN shows up as xn--titter-i2e.com, for example. 

Microsoft Outlook, however, does not: researcher dobby1kenobi found that it renders the Unicode form as-is, with no warning. Worse, if a spoofed address using an IDN resembles a legitimate address in the recipient's Outlook contact book - for example, real.person@tωitter.com instead of real.person@twitter.com - the software displays the legitimate person's contact details next to the phishing email. 

For the attack to work, the sender must include the real email address in the 'Sender' field, which is trivial. 

"This means if a company’s domain is “somecompany[.]com”, an attacker that registers an IDN such as “ѕomecompany[.]com” (xn--omecompany-l2i[.]com) could take advantage of this bug and send convincing phishing emails to employees within “somecompany.com” that used Microsoft Outlook for Windows," he reported. 


Because a spoofed email address would cause the real employee's contact details to appear, many employees might be fooled into thinking the email was legitimate. 

Mike Manzotti, senior consultant at security company Dionach, also noted the issue. He reported the same response from Microsoft as dobby1kenobi: 

"We’ve finished going over your case, but in this instance it was decided that we will not be fixing this vulnerability in the current version and are closing this case," the company said. "In this case, while spoofing could occur, the sender's identity cannot be trusted without a digital signature. The changes needed are likely to cause false positives and issues in other ways." 

However, Manzotti noticed that the latest version of Microsoft Outlook (16.0.14228.20216) is no longer vulnerable. Microsoft was unable to confirm if it had issued a fix, he said. 

Companies running versions of Outlook still susceptible to this flaw can work around the issue by digitally signing their emails and visually classifying all mail from external sources, dobby1kenobi said. 
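The Punycode and look-alike behaviour described above can also be checked at the mail gateway rather than relying on the client. The following Python script is an added example, not code from either researcher, Microsoft, or the article: it parses From: header values, converts each sender domain to its xn-- form, flags labels that mix scripts, and collapses a hand-picked subset of Unicode confusables into a "skeleton" so that a look-alike can be matched against an assumed allow-list of trusted domains. The sample headers, the TRUSTED_DOMAINS set and the CONFUSABLES table are all constructed for this example; a real deployment would load the full Unicode confusables.txt table.

```python
import email.utils
import unicodedata

# Constructed sample From: header values for this example (not from the article).
# Two of them use the Greek omega and Cyrillic dze look-alikes the article describes.
SAMPLE_HEADERS = [
    "Real Person <real.person@twitter.com>",
    "Real Person <real.person@t\u03c9itter.com>",   # tωitter.com
    "IT Helpdesk <helpdesk@\u0455omecompany.com>",  # ѕomecompany.com
    "Vendor <billing@example.net>",
]

# Assumed allow-list of domains whose contacts the organisation trusts.
TRUSTED_DOMAINS = {"twitter.com", "somecompany.com"}

# Hand-picked subset of Unicode TR39 confusables; a real deployment would load
# the full confusables.txt table instead of this short map.
CONFUSABLES = {
    "\u03c9": "w",  # GREEK SMALL LETTER OMEGA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def to_punycode(domain):
    """Return the ASCII-compatible (xn--) form of a domain, as browsers show it.
    Returns None if a label cannot be encoded (malformed IDN)."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def skeleton(domain):
    """Collapse confusable characters to their Latin look-alikes so that a
    homograph and the domain it imitates map to the same string."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def scripts_in(label):
    """Rough script set for one DNS label, taken from the first word of each
    letter's Unicode name (LATIN, GREEK, CYRILLIC, ...). Heuristic only."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyse_sender(header_value):
    """Classify one From: header value. Flags IDN domains, mixed-script labels,
    and domains whose confusable skeleton matches a trusted domain."""
    _display_name, addr = email.utils.parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    punycode = to_punycode(domain)
    is_idn = punycode != domain
    mixed_script = any(len(scripts_in(label)) > 1 for label in domain.split("."))
    impersonates = None
    if domain not in TRUSTED_DOMAINS and skeleton(domain) in TRUSTED_DOMAINS:
        impersonates = skeleton(domain)
    # Unencodable labels are flagged outright; an IDN is flagged when it mixes
    # scripts or collapses onto a trusted domain (whole-script look-alikes such
    # as an all-Cyrillic domain are caught by the skeleton, not the script check).
    suspicious = punycode is None or (is_idn and (mixed_script or impersonates is not None))
    return {
        "address": addr,
        "domain": domain,
        "punycode": punycode,
        "is_idn": is_idn,
        "mixed_script": mixed_script,
        "impersonates": impersonates,
        "suspicious": suspicious,
    }


def scan_headers(headers):
    """Return the analysis records for every header value that should be flagged."""
    return [r for r in (analyse_sender(h) for h in headers) if r["suspicious"]]


if __name__ == "__main__":
    for rec in scan_headers(SAMPLE_HEADERS):
        print(f"{rec['address']} -> {rec['punycode']} "
              f"(mixed script: {rec['mixed_script']}, imitates: {rec['impersonates']})")
```

Run on the constructed headers, the script flags the two look-alike senders and leaves the two plain-ASCII ones alone. The skeleton comparison is what matters most for the contact-card problem described above: it is the check that ties real.person@tωitter.com back to twitter.com, which is exactly the association Outlook was making silently on the user's behalf.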
