Office 365 Business Users Targeted in Punycode-based Phishing

A new phishing attack targeting Office 365 business email users was found using Punycode to go undetected by both Microsoft’s default security and desktop email filters, Avanan security researchers warn.

The attack is meant to steal Office 365 credentials and abuses a flaw in how the Office 365 anti-phishing and URL-reputation layers handle Punycode. Punycode is the encoding defined for the Internationalized Domain Names in Applications (IDNA) framework: a domain label that contains Unicode characters is transformed into a label drawn from the limited ASCII subset that the Domain Name System (DNS) supports, marked with the prefix xn--.

Earlier phishing attacks leveraging Punycode tried to trick users into clicking links that looked legitimate but resolved to completely different addresses, because they used similarly shaped letters from other alphabets (a Cyrillic "а" in place of a Latin "a", for example). Thus, a site that looks like http://www.pа might actually take users to, the researchers explain.

The new type of attack, however, wasn’t designed to trick the user, but rather to bypass the anti-phishing filters that Office 365 and other email phishing protection systems employ. A gap in the Office 365 phishing filters makes this type of attack possible.

The attack starts with fake FedEx emails containing benign-looking URLs that lead to malicious websites. By using Punycode and leveraging the flaw in the phish-detection engine, the same URL is resolved in two different ways: the safe domain is the one Office 365 checks, while the malicious one is the one the browser follows.

The underlying issue is that Office 365's default security treats the domain as plain ASCII when checking whether it is legitimate, Avanan's Gil Friedrich explains. Read as plain ASCII, the included domain resolves to an IP address in Berlin, Germany, and the message is allowed into users' inboxes because that domain shows no malicious intent.

Because all modern browsers support Unicode, the address is interpreted in its Unicode form when opened in the browser, which takes users to sicherheit-schlü, which points to an IP address in Belfast, Northern Ireland. That address is malicious and presents users with a fake Office 365 login page in an attempt to steal their credentials.
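The mismatch described above, and the homograph trick of the earlier attacks, come down to one rule for a URL-reputation layer: inspect the host in the form the browser will actually send to DNS. The following Python script is an added example (not Avanan's or Microsoft's code); the host names are constructed for the demo, and the "drop the non-ASCII characters" behaviour of naive_ascii_host is an assumption about what "treating the domain as plain ASCII" could look like, since the article does not spell out Office 365's exact logic. It also goes a step beyond the article by decoding already-Punycoded xn-- labels and flagging labels that mix scripts.

```python
"""Canonicalise URL hosts the way a browser does and flag IDN tricks
before any reputation or allow-list decision is made.

Added example; not Avanan's or Microsoft's code. Sample URLs are
constructed and only modelled on the article, not the real attack domains.
"""
import unicodedata
from urllib.parse import urlsplit


def browser_host(url: str) -> str:
    """Hostname as a browser hands it to DNS: every Unicode label becomes
    its Punycode form with the 'xn--' prefix; ASCII labels are lowercased."""
    host = urlsplit(url).hostname or ""
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label.lower())
        else:
            # Python's built-in 'idna' codec performs IDNA ToASCII (Punycode).
            labels.append(label.encode("idna").decode("ascii"))
    return ".".join(labels)


def naive_ascii_host(url: str) -> str:
    """ASSUMED model of a filter that 'treats the domain as plain ASCII':
    non-ASCII code points are silently dropped. The article does not give
    Office 365's exact behaviour; this is just one way the same link can
    yield a different, benign-looking name."""
    host = urlsplit(url).hostname or ""
    return host.encode("ascii", "ignore").decode("ascii").lower()


def label_scripts(label: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in a label, read
    from the first word of each character's Unicode name."""
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def idn_findings(url: str) -> list:
    """Checks a URL-reputation layer should run on the browser's view of a host."""
    findings = []
    raw_host = urlsplit(url).hostname or ""
    if browser_host(url) != naive_ascii_host(url):
        findings.append("filter/browser host mismatch")
    for label in raw_host.split("."):
        if label.startswith("xn--"):
            # Already-encoded Punycode: decode it so it gets the same scrutiny
            # as a raw Unicode label instead of passing as harmless ASCII.
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                findings.append(f"undecodable punycode label {label!r}")
                continue
        if not label.isascii():
            findings.append(f"non-ASCII label {label!r}")
            if len(label_scripts(label)) > 1:
                findings.append(f"mixed-script label {label!r}")
    return findings


if __name__ == "__main__":
    # Constructed samples modelled on the article; not the real attack URLs.
    for sample in (
        "http://www.example.com/track",
        "http://www.sicherheit-schl\u00fcssel.de/login",  # German umlaut, single script
        "http://www.p\u0430ypal.com/signin",              # Cyrillic U+0430 inside a Latin word
    ):
        print(sample)
        print("  filter sees :", naive_ascii_host(sample))
        print("  browser uses:", browser_host(sample))
        print("  findings    :", idn_findings(sample) or "none")
```

The point of browser_host is that the reputation lookup, the DNS resolution and the allow-list comparison all run against the xn-- form the browser will use, so there is no second, benign-looking name for the filter to approve. Decoding xn-- labels back to Unicode before the script check closes the complementary gap, where an attacker pre-encodes the host so that an ASCII-only filter sees nothing unusual.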

According to Avanan, the attackers appear particularly interested in Office 365 credentials, as all of the observed malicious messages were sent to corporations that use Office 365 for their business email. Moreover, the landing page of the malicious URLs is a fake Microsoft login designed to specifically ask for a “Business Email” account.

“With the growth in Office 365 for corporate email, hackers are shifting their focus. The characteristics of this particular attack disclose the hacker’s intention to deceive Office 365 users into providing their login credentials,” Avanan explains.

Related: Office 365 Flaw Made Fake Microsoft Emails Look Legitimate

Related: Phishing Attacks Hit the C-Suite With High Value Scams

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
