Microsoft Outlook shows an actual individual’s contact data for IDN phishing emails
If you get an email from someone@arstechnіca.com, is it really from someone at Ars? Definitely not – the domain at this email address is not the same arstechnica.com you know. The ‘і’ character it contains comes from the Cyrillic script and not the Latin alphabet.
This is not a new problem either. Until a few years ago (but no longer), modern browsers made no visible difference when entering domains with mixed character sets in the address bar.
It turns out that Microsoft Outlook is no exception, and there the problem is worse: an email coming from a lookalike domain would make Outlook display the contact card of a real person who is registered with the legitimate domain, not the lookalike address.
Outlook shows real contact information for fake IDN domains
This week, infosec professional and pentester DobbyWanKenobi demonstrated how the address book component of Microsoft Office can be made, via an IDN, to display the contact details of a real person for a fake sender email address. Internationalized domain names (IDNs) are domain names that contain Unicode characters outside the ASCII set, e.g.
The IDN concept was proposed in 1996 to extend the domain namespace to non-Latin scripts and to deal with the ambiguity mentioned above: different characters that look identical to humans (“homoglyphs”). Every IDN can also be written in pure ASCII, its “Punycode” form, which leaves no room for ambiguity between two lookalike domains.
For example, if you copy and paste the lookalike “arstechnіca.com” into the address bar of the latest Chrome browser, it is instantly converted to its punycode representation to avoid ambiguity: xn--arstechnca-42i.com. This does not happen if arstechnica.com – already in ASCII and without the Cyrillic ‘і’ – is entered in the address bar. Such a visible distinction is necessary to protect the end users who accidentally land on fraudulent websites used as part of phishing campaigns.
But recently, DobbyWanKenobi found that Microsoft Outlook for Windows makes no such distinction, and that its address book feature displays the real person’s contact information regardless of which of the two domains the sender address actually uses.
“I recently discovered a security vulnerability that affects the address book component of Microsoft Office for Windows that could allow anyone on the Internet to forge contact information for employees within an organization using an external identical Internationalized Domain Name (IDN),” the pentester wrote in a blog post. “That means if a company’s domain is ‘somecompany[.]com’, an attacker who registers an IDN like ‘ѕomecompany[.]com’ (xn--omecompany-l2i[.]com) could take advantage of this bug and send compelling phishing emails to somecompany.com employees who have used Microsoft Outlook for Windows.”
Coincidentally, another report on the subject from Mike Manzotti, Senior Consultant at Dionach, appeared the next day. For a contact created by Manzotti on the “onmìcrosoft.com” domain (note the accented ‘ì’), Outlook displayed valid contact information for the person whose email address contained the real domain “onmicrosoft.com”.
“In other words, the phishing email is targeting NestorW@….onmìcrosoft.com. However, it shows valid Active Directory details and a picture of NestorW@….onmicrosoft.com as if the email was from a trusted source,” Manzotti says.
Manzotti attributed the cause of the problem to Outlook not correctly checking the e-mail addresses in the Multipurpose Internet Mail Extensions (MIME) headers.
“When you send an HTML e-mail, you can include the SMTP mail-from address and the Mime-from address,” explains Manzotti.
“That’s because the MIME headers are encapsulated in the SMTP protocol. MIME is used to extend simple text messages, for example when sending HTML e-mails, ”he explains with an illustration:
According to Manzotti, Microsoft Outlook for Office 365 does not correctly validate the Punycode form of the domain, so an attacker could pose as a valid contact within the target organization.
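The two checks the article describes, the Punycode conversion that Chrome performs on a lookalike domain and the comparison between the SMTP MAIL FROM address and the MIME From: header that Manzotti points to, as an added Python example; it is not code from the article or from either researcher. It assumes a small hand-built table of Cyrillic confusables (a real deployment would load Unicode’s confusables.txt) and constructed sample messages; the domains are the ones the article itself names, and the `protected` set of an organisation’s own domains is an assumed input.

```python
import email
import email.utils
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic letters that render like
# Latin ones. Assumption: a production filter would load Unicode's confusables.txt.
CYRILLIC_TO_LATIN = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0456": "i",  # і  (the character in arstechnіca.com)
    "\u0455": "s",  # ѕ  (the character in xn--omecompany-l2i.com)
    "\u0458": "j",  # ј
    "\u04bb": "h",  # һ
}


def to_punycode(domain):
    """ASCII-compatible (xn--) form of a domain, as Chrome shows it in the address bar."""
    return domain.lower().encode("idna").decode("ascii")


def to_unicode(domain):
    """Inverse of to_punycode, so a sender written in xn-- form is checked the same way."""
    domain = domain.lower()
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def skeleton(domain):
    """The ASCII string a human reads the domain as: accents are stripped
    (onmìcrosoft -> onmicrosoft) and Cyrillic look-alikes are mapped to Latin."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(domain))
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in no_marks)


def is_lookalike(domain, protected):
    """True when the domain is not one of ours but reads like one of ours."""
    d = to_unicode(domain)
    return d not in protected and skeleton(d) in protected


def address_domain(address):
    """Domain part of an addr-spec such as user@example.com."""
    return address.rsplit("@", 1)[1].strip("> ").lower()


def assess(envelope_from, raw_message, protected):
    """Check one inbound message the way a mail gateway could before Outlook
    renders it: compare the MIME From: domain against the SMTP MAIL FROM domain
    and against the organisation's own domains. Returns a dict of findings."""
    msg = email.message_from_string(raw_message)
    _, header_addr = email.utils.parseaddr(msg.get("From", ""))
    if "@" not in header_addr:
        raise ValueError("message has no parseable From: address")
    header_domain = to_unicode(address_domain(header_addr))
    envelope_domain = to_unicode(address_domain(envelope_from))
    findings = []
    if is_lookalike(header_domain, protected):
        findings.append("From: domain is a homoglyph of a protected domain")
    if header_domain != envelope_domain:
        findings.append("MIME From: domain differs from SMTP MAIL FROM domain")
    return {
        "header_domain": header_domain,
        "header_punycode": to_punycode(header_domain),
        "envelope_domain": envelope_domain,
        "findings": findings,
    }


# Constructed sample: the article's look-alike domain (Cyrillic і, U+0456) in the
# MIME From: header, sent with a matching envelope sender.
LOOKALIKE_MSG = (
    "From: Someone <someone@arstechn\u0456ca.com>\r\n"
    "To: reader@example.com\r\n"
    "Subject: Quick question\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<p>Could you look at this?</p>\r\n"
)

# Constructed sample: the genuine domain in the header, envelope from a bulk mailer.
LEGIT_MSG = LOOKALIKE_MSG.replace("arstechn\u0456ca.com", "arstechnica.com")

if __name__ == "__main__":
    ours = {"arstechnica.com", "somecompany.com"}  # assumed protected domains
    print(assess("someone@arstechn\u0456ca.com", LOOKALIKE_MSG, ours))
    print(assess("bounce@mailer.example", LEGIT_MSG, ours))
```

The envelope/header mismatch on its own is routine for mailing lists and forwarded mail, so it is a signal to correlate with the homoglyph result and with message signing, not a verdict. The homoglyph check is the step that matters for the article’s finding: it runs on the Unicode form of the From: domain, which is what Outlook’s address book apparently did not normalise before matching it to a contact.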
IDN Phishing: An Old Problem Revived
The problem of IDN-based phishing websites came into the spotlight in 2017 when web application developer Xudong Zheng demonstrated that the modern browsers of the time could not visually distinguish his IDN look-alike of apple.com from the real apple.com.
Zheng was concerned that IDNs could be used by attackers for various nefarious purposes such as phishing:
From a security point of view, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains like “xn--pple-43d.com”, which corresponds to “аpple.com”. It may not seem obvious at first, but “аpple.com” uses the Cyrillic “а” (U+0430) instead of the ASCII “a” (U+0061). This is known as a homograph attack.
The problem in Outlook, however, is that when a phishing email is sent from an IDN, the recipient not only cannot distinguish the fake email address from the real one, but also sees the contact card of a legitimate contact, which makes the lure far more convincing.
It is unclear whether Microsoft is currently inclined to fix the problem in Outlook:
“We looked through your case, but in this case it was decided that we will not fix this vulnerability in the current version,” a Microsoft employee told DobbyWanKenobi in an email.
“While spoofing can occur, the sender’s identity cannot be trusted without a digital signature. The changes required will likely cause false positives and other problems,” the email seen by Ars continued.
Microsoft did not respond to the request for comments from Ars that was sent in advance.
The researchers have determined that this vulnerability affects both the 32-bit and 64-bit versions of the latest Microsoft Outlook for Microsoft 365 builds, although the issue was apparently no longer reproducible in version 16.0.14228.20216 after Manzotti notified Microsoft.
Oddly enough, Microsoft stated in its response to Manzotti that the vulnerability will not be fixed. Manzotti has additionally determined that this type of phishing attack does not work in Outlook Web Access (OWA).
Enabling security features such as “external sender” email alerts and email signing are steps organizations can take to ward off spoofing attacks.