Phishing scam exploits Punycode in Office 365
Thu 15 Dec 2016
A new phishing campaign is targeting Office 365 business users. It exploits a flaw in the way Office 365 interprets internationalised domain names, and its goal is to harvest login credentials.
Once the credentials are entered, the attackers can use the account to install malware and get at confidential customer information.
The campaign, uncovered by cloud security firm Avanan, was not caught by Office 365's built-in security. What sets it apart is that its lure was designed primarily to deceive Office 365's own anti-phishing filters rather than the user: the link passes the filter's check and only then takes the user to a fake login page.
The flaw lies in Office 365's default security checks, which convert the non-ASCII characters of a domain name to ASCII before testing whether the domain is legitimate.
Office 365 uses Punycode to handle domain names that contain non-ASCII characters. Punycode (RFC 3492) is the encoding used by the internationalised domain name scheme (IDNA) to represent such names within the limited ASCII set the domain name system supports: the ASCII characters of a label are copied as they are, then a hyphen and a short code describing the value and position of each non-ASCII character are appended. For example, "münich" is encoded as "mnich-kva", where the suffix "kva" encodes the umlaut ü and where it sits in the label. In a domain name the encoded label is also given the "xn--" prefix, so "münich.com" becomes "xn--mnich-kva.com".
In the attack, the link in the email carries the domain in its Punycode (ASCII) form. When Office 365 tests that form it is directed to a benign IP address, so the anti-phishing check passes. When the user clicks the link, however, the browser works with the Unicode form of the domain name, which according to Avanan led to a different IP address and a malicious server. Under IDNA the two spellings denote the same DNS name (a browser converts the Unicode form back to the xn-- label before lookup), so the practical lesson for anyone building a link check is to canonicalise every hostname to one form and test exactly what the user's browser will contact.
For example, when Office 365 encounters the ASCII form xn--sicherheit-schlsseldienst-twc.de, it tests that domain, is directed to a legitimate IP address in Berlin, Germany, and detects no malicious activity.
When the user clicks the link, however, the browser presents the domain in its Unicode form, sicherheit-schlüsseldienst.de, which pointed to a different IP address, this time in Belfast, Northern Ireland. That is the attacker-run site, where the user is shown a fake Office 365 login screen and asked to enter their Office 365 credentials.
With those credentials, the attackers can move through the victim's Office 365 environment, install malware, read proprietary business information and steal personal and financial customer data.
The campaign targets organisations that use Office 365 for corporate email; its fake Microsoft login page specifically asks for a 'business email' account.