Microsoft Outlook displays a real person's contact information for IDN phishing emails

Homoglyph IDN attacks have always been a problem. Outlook only makes them worse. No, the domain in this email address is not the same as the arstechnica.com you know: the letter "і" is Cyrillic, not Latin.

This isn't a new problem either. A few years ago (though no longer), modern browsers did not visibly distinguish a domain containing mixed-script characters from its ASCII look-alike when it was typed into the address bar.

Microsoft Outlook is no exception, and it makes the problem worse: an email sent from a homoglyph domain causes Outlook to display the contact card of a real person registered in the legitimate domain, not in the look-alike domain actually shown in the sender address. In other words, Outlook pairs a real contact's details with a fake IDN sender. Internationalized Domain Names (IDNs) are domains made up of Unicode characters from scripts such as the Latin and Cyrillic alphabets, which can be rendered so that they look identical to an ASCII domain.

IDNs were introduced in 1996 to extend the domain name space to non-Latin scripts, and with them came the ambiguity described above: different characters that look identical ("homoglyphs") to a human reader. An IDN can also be represented in an ASCII-only form, the "punycode" version of the domain, which leaves no ambiguity between two look-alike domains.

For example, copying and pasting "arstechnіca.com" (with the Cyrillic "і") into the address bar of a current Chrome browser immediately converts it to its punycode form to remove the ambiguity: xn--arstechnca-42i.com. This does not happen when the real arstechnica.com, in plain ASCII and without the Cyrillic "і", is typed into the address bar. This visual distinction is necessary to protect end users who might otherwise be lured onto fake websites used as part of phishing campaigns.


But recently, DobbyWanKenobi discovered that this distinction is not made in Microsoft Outlook for Windows: the address book feature shows no difference when viewing a person's contact information.

"I recently discovered a vulnerability that affects a component of the Microsoft Office Address Book for Windows and could allow anyone on the Internet to spoof the contact details of employees within an organization using an international domain name (IDN) that is similar in appearance," the pen tester wrote in a blog post. "For example, if a company's domain is 'somecompany[.]com', an attacker who registers an IDN such as 'ѕomecompany[.]com' (xn--omecompany-l2i[.]com) can take advantage of this and deliver disguised phishing emails to somecompany.com employees who use Microsoft Outlook for Windows."

Coincidentally, the next day Mike Manzotti, a senior consultant at Dionach, published another report on the same issue, showing Outlook displaying valid contact information for a person whose email address contained the domain "onmicrosoft.com".

"In other words, the phishing email from @NestorW….onmicrosoft.com is displayed with the valid Active Directory details and the picture of @NestorW, as if the email came from a valid source," Manzotti said.


Manzotti's explanation for the problem is that Outlook does not correctly validate the email address in the MIME (Multipurpose Internet Mail Extensions) headers.

"When an HTML email is sent, Outlook takes the sender address from the MIME 'From' header rather than from the SMTP 'From' address," Manzotti states.

"This is because the MIME headers are used in SMTP to deliver messages other than plain text, for example when sending HTML emails," he explained.
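The mismatch Manzotti describes, between the SMTP envelope sender and the MIME "From" header that the mail client shows, is something a mail gateway or a triage script can check for directly. The following is an added example written for this page, not code from Ars, Dionach or Manzotti's report: it parses a constructed raw message (the addresses, domains and header values are invented; the `.example` TLD and the Cyrillic look-alike domain are placeholders) and reports when the From domain contains non-ASCII characters or does not align with the envelope sender recorded in Return-Path.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message (not a real capture), modelled on the Outlook scenario:
# the SMTP envelope sender (Return-Path) is an unrelated ASCII domain, while the
# MIME "From" header shown to the user carries a Cyrillic look-alike of the
# trusted domain (U+0455, CYRILLIC SMALL LETTER DZE, in place of Latin "s").
RAW_MESSAGE = """\
Return-Path: <bounce@attacker-mail.example>
From: "Jane Doe" <jane.doe@\u0455omecompany.com>
To: victim@somecompany.com
Subject: Updated bank details
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0

<html><body>Please see the attached invoice.</body></html>
"""


def domain_of(header_value):
    """Extract the lower-cased domain from an RFC 5322 address header value.

    Returns an empty string when the header is absent or has no '@' part.
    """
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_sender_alignment(raw):
    """Compare the envelope sender with the MIME From header and flag look-alike tricks.

    Returns a list of human-readable findings; an empty list means nothing suspicious.
    """
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path"))
    header = domain_of(msg.get("From"))
    findings = []

    if not header:
        findings.append("missing or unparsable From header")
        return findings

    # A non-ASCII From domain is exactly the case Outlook renders without warning.
    if not header.isascii():
        findings.append("From domain contains non-ASCII characters: %r" % header)

    # The envelope sender is what SMTP actually used; the From header is what the user sees.
    if envelope and envelope != header:
        findings.append(
            "envelope sender %s does not match From domain %s" % (envelope, header)
        )

    # Reply-To pointing elsewhere is a common companion to a spoofed From.
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != header:
        findings.append("Reply-To domain %s differs from From domain" % reply_to)

    return findings


if __name__ == "__main__":
    for finding in check_sender_alignment(RAW_MESSAGE) or ["no findings"]:
        print("-", finding)
```

An envelope/From mismatch on its own is not proof of spoofing: mailing lists, forwarders and bulk senders produce it routinely, so treat these findings as inputs to a score rather than a verdict. The authoritative checks remain DMARC alignment and a digital signature on the message, which is the point Microsoft's response below makes.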


But according to Manzotti, Microsoft Outlook for Office 365 does not properly check the punycode domain, allowing attackers to impersonate any valid contact in the targeted organization.

IDN phishing: reviving an old problem

Zheng showed how the modern browsers of the time were unable to distinguish his IDN look-alike of apple.com from the real apple.com.


Zheng was concerned that IDNs could be exploited by attackers for various unpleasant purposes such as phishing: "It is possible to register domains such as 'xn--pple-43d.com', which is equivalent to 'аpple.com'. It may not be obvious at first glance, but 'аpple.com' uses the Cyrillic 'а' (U+0430) instead of the ASCII 'a' (U+0061). This is known as a homograph attack."
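Both the Chrome conversion of "arstechnіca.com" described earlier and Zheng's apple.com example come down to the same two operations: producing the punycode form of a label and noticing that a single label mixes scripts. The block below is an added example written for this page, not code from Ars, Zheng or any browser; it uses only the Python standard library (the `punycode` codec implements RFC 3492) and the sample domains are constructed, with the Cyrillic letters written as escapes so they are visible in the source.

```python
import unicodedata

# Constructed look-alike domains (not taken from any real message). The keys use
# escapes so the non-Latin letter is visible; the values describe the substitution.
SAMPLES = {
    "arstechn\u0456ca.com": "Cyrillic i (U+0456) in place of Latin i",
    "\u0430pple.com": "Cyrillic a (U+0430) in place of Latin a",
    "\u0455omecompany.com": "Cyrillic dze (U+0455) in place of Latin s",
    "arstechnica.com": "plain ASCII control",
}


def to_ascii(domain):
    """Return the ASCII (xn--) form of a domain, converting each label with RFC 3492 punycode.

    Labels that are already ASCII are only lower-cased; a label with any non-ASCII
    character is encoded and given the 'xn--' prefix, exactly as a browser does.
    """
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts_in(label):
    """Return the set of scripts used by the letters of a label.

    The script is taken from the first word of the Unicode character name
    (e.g. 'LATIN', 'CYRILLIC', 'GREEK'); digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def analyse(domain):
    """Explain why a displayed domain should not be trusted at face value.

    Returns a dict with the display form, the ASCII form and a list of findings;
    an empty findings list means the domain is plain ASCII.
    """
    findings = []
    for label in domain.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(
                "label %r mixes scripts: %s" % (label, ", ".join(sorted(scripts)))
            )
    ascii_form = to_ascii(domain)
    # A single-script non-ASCII label (a genuine IDN) is still worth surfacing,
    # because the user sees the Unicode form while DNS resolves the xn-- form.
    if ascii_form != domain.lower() and not findings:
        findings.append("non-ASCII label; ASCII form is %s" % ascii_form)
    return {"display": domain, "ascii": ascii_form, "findings": findings}


if __name__ == "__main__":
    for sample, note in SAMPLES.items():
        result = analyse(sample)
        verdict = "; ".join(result["findings"]) or "ok"
        print("%-24s -> %-28s %s  [%s]" % (result["display"], result["ascii"], verdict, note))
```

Run as a script it prints one line per sample; the three look-alikes come out as xn--arstechnca-42i.com, xn--pple-43d.com and xn--omecompany-l2i.com, each flagged for mixing Latin and Cyrillic in one label, while the ASCII control passes. Rendering the ASCII form next to the display form in a mail client or address book is precisely the cue that browsers adopted and that Outlook, per the reports above, omits.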

But the problem with Outlook is that, for a phishing email sent from an IDN, the recipient not only cannot distinguish the fake email address from the real one, but is also shown the contact card of the legitimate person being impersonated, which makes it even easier to fall victim to the attack.

It is unclear whether Microsoft currently intends to fix the issue in Outlook:

"We've finished reviewing your case, but in this case it has been decided not to fix this vulnerability in the current version. Spoofing may occur; the identity of the sender cannot be trusted without a digital signature. The changes required could potentially lead to false positives and other problems."

Microsoft did not respond to Ars' request for comment in advance of publication.

