If you receive an email from someone@arstechnіca.com, is it really from someone at Ars? Most definitely not—the domain in that email address is not the same arstechnica.com that you know. The ‘і’ character in there is from the Cyrillic script and not the Latin alphabet.
This isn’t a novel problem, either. Up until a few years ago (but not anymore), modern browsers did not make any visible distinction when domains containing mixed character sets were typed into the address bar.
And it turns out Microsoft Outlook is no exception, but the problem just got worse: emails originating from a lookalike domain in Outlook would show the contact card of a real person, who is actually registered to the legitimate domain, not the lookalike address.
Outlook shows real contact’s info for spoofed IDN domains
This week, infosec professional and pentester DobbyWanKenobi demonstrated how they were able to trick the Address Book component of Microsoft Office to display a real person’s contact info for a spoofed sender email address by using IDNs. Internationalized Domain Names (IDNs) are domains consisting of a mixed Unicode character set, such as letters from both Latin and Cyrillic alphabets that could make the domain appear identical to a regular ASCII domain.
The concept of IDN was proposed in 1996 to expand the domain name space to non-Latin languages and to deal with the aforementioned ambiguity of different characters that look identical (“homoglyphs”) to humans. IDNs can also easily be represented purely in ASCII format—the “punycode” version of the domain, which leaves no room for ambiguity between two lookalike domains.
For example, copy-pasting the lookalike “arstechnіca.com” into the address bar of the latest Chrome browser would immediately turn it into its punycode representation to prevent ambiguity: xn--arstechnca-42i.com. This does not happen when the actual arstechnica.com, already in ASCII and without the Cyrillic ‘і’, is typed into the address bar. Such a visible distinction is necessary to protect end users who might otherwise land on imposter websites used in phishing campaigns.
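To make the punycode conversion and the mixed-script problem concrete, here is an added example (not code from the article or from the researcher it describes) that does in Python what the browser does: it converts the lookalike domain from the article to its xn-- form, reports which Unicode scripts a domain mixes, and triages the domain part of a sender address against a trusted list. The homoglyph table, the trusted-domain set and the `classify_sender_domain` function are assumptions made for this example; the lookalike domain itself is the one quoted above, written with the U+0456 escape so that it survives copy-and-paste.

```python
import unicodedata

# Constructed sample domains: the Ars Technica lookalike from the article,
# with U+0456 (CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I) in place of
# the Latin "i", and the genuine ASCII domain for comparison.
LOOKALIKE = "arstechn\u0456ca.com"
GENUINE = "arstechnica.com"

# Small homoglyph table (an assumption for this example, not from the article):
# Cyrillic letters whose usual glyphs coincide with Latin letters.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form a browser shows for an IDN.

    Python's "idna" codec runs nameprep and punycode per label; labels that
    are already pure ASCII pass through unchanged.
    """
    return domain.encode("idna").decode("ascii")


def scripts_in(domain: str) -> set:
    """Set of Unicode scripts used by the letters of a domain.

    The script is taken from the first word of the Unicode character name
    (LATIN ..., CYRILLIC ..., GREEK ...); digits, hyphens and dots are
    script-neutral and are skipped.
    """
    found = set()
    for ch in domain:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        found.add(name.split(" ", 1)[0].title() if name else "Unknown")
    return found


def skeleton(domain: str) -> str:
    """Map confusable Cyrillic letters onto their Latin lookalikes so that
    two domains that render the same also compare the same."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in domain.lower())


def classify_sender_domain(domain: str, trusted: set) -> str:
    """Defender-side triage of the domain part of a From: address.

    Returns one of: "trusted", "mixed-script lookalike",
    "single-script lookalike", "external".
    """
    if domain in trusted:
        return "trusted"
    if len(scripts_in(domain)) > 1:
        # Latin and Cyrillic letters in one name, as in the article's example.
        return "mixed-script lookalike"
    if skeleton(domain) in trusted:
        # Every letter swapped for a confusable, so no script mixing, but it
        # still collapses onto a trusted domain once homoglyphs are folded.
        return "single-script lookalike"
    return "external"


if __name__ == "__main__":
    trusted = {GENUINE}  # constructed allow-list for the demonstration
    for d in (GENUINE, LOOKALIKE, "\u0455omecompany.com"):
        print(f"{d!r:>28} -> {to_punycode(d):<26} scripts={sorted(scripts_in(d))} "
              f"verdict={classify_sender_domain(d, trusted | {'somecompany.com'})}")
```

Running the block prints the genuine domain unchanged, the lookalike as xn--arstechnca-42i.com with scripts Latin and Cyrillic, and the ‘ѕomecompany.com’ variant flagged the same way. The design point is that the punycode form and the script set are computed, never eyeballed: a mail gateway or a contact-card lookup that compares `to_punycode(domain)` (or `skeleton(domain)`) against the organization's domain, rather than the rendered string, cannot be fooled by a glyph that merely looks right.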
But recently, DobbyWanKenobi found that this distinction wasn’t so obvious in Microsoft Outlook for Windows: the Address Book feature would make no distinction at all when showing a contact’s details.
“I recently discovered a vulnerability that affects the Address Book component of Microsoft Office for Windows that could allow anyone on the internet to spoof contact details of employees within an organization using an external look-alike Internationalized Domain Name (IDN),” wrote the pentester in a blog post. “This means if a company’s domain is ‘somecompany[.]com’, an attacker that registers an IDN such as ‘ѕomecompany[.]com’…