In early 2017, the world was introduced to a form of domain spoofing which is almost impossible to spot with human eyes. Major internet browser vendors were quick to build capabilities which could detect these occurrences. However, when it came to email, most still lag behind today.
In fact, if you use Microsoft Office 365s default spam and email protection controls, you are completely open to such an attack. As you likely are if you haven't reviewed your email security settings on other protective suits in the past twenty-four months.
I am of course talking about the IDN (Internationalised Domain Name) homograph attack. Sometimes known as a punycode spoof attack.
What is an IDN Homograph Attack?
Based on the name, you might be able to summarise at least the foundations of such an attack.
Unicode, the international system for converting hexadecimal character codes into the letters, numbers and symbols we have on our keyboards, contain allocations for non-Latin letter systems such as Cyrillic, Turkish and Arabic.
As an example, if you have ever looked at Cyrillic text, you will know that there are some common characters with our own Latin letter system. While these letters are visually the same, they occupy a unicode hexadecimal values for all the letter systems they exist in. Such letters are known as homoglyphs.
The above table shows how the homoglyph letters "a", "p", "i" and "e" are all visually identical but have different unicode hexadecimal values for each letter system.
Note that the table above has been formatted to font-type Segoe to emulate how these letters would look across Microsoft systems.
This all culminates in a significant problem, whereby a legitimate domain such as "advancedcyber.co.uk", which is registered and owned by Advanced Cyber Solutions; is not the same as "advancedcyber.co.uk", when the "a" and "e" characters are from the Cyrillic letter system.
To a user receiving emails in their Microsoft Outlook mailboxes. There is no visual difference and therefore both will be given the same level of treatment and trust. Leaving you open to a significant phishing attack.
How to Defend Against IDN Homograph Attacks?
As this flaw lays at the domain level, it has been used as an attack vector in both email domains for phishing and fake websites for XSS, malware delivery and fake payment forms.
Browser vendors were very quick to create warning messages into their software (or will often show the hexadecimal value), to warn users when they access websites with domains of mixed letter systems - in fact it is very unlikely that you are using a vulnerable browser today.
However, email protection solutions have been in some cases slower to react. And, where they have created some form of defence, it is often left in a disabled state because it is misunderstood; or you simply didn't know it was there!
What is most worrying is that Microsoft Office 365s email protection appears to contain no protection against this attack, despite Microsoft domains being a favourite for such attacks.
CORVID Email Protection Can Detect IDN Homograph Attacks
Cloud-based CORVID email protection can detect and warn users about IDN homograph attacks. Reporting them to the user as being suspected as not being from the reported domain.
Using a traffic-light system of warning at the header of each inbound email; and by running over twenty-three checks on all emails. Your users stand a much better chance of being able to determine whether or not an email is trustworthy.
After all, when your users are presented with what looks like an legitimate email source, how likely are they at being an effective defence for your network?
If you would like to learn more about email security or CORVID email protection, you can book a call with one of our solution specialists by clicking here.