Homoglyph Email Attacks: Understanding and Mitigating the Threat
A homoglyph attack (also known as a homograph attack) is a technique that uses visually similar letters or characters to trick users. Homoglyphs appear in many cyber attacks but are particularly dangerous in email, where malicious senders can be disguised as trusted contacts, domains, or brands.
Homoglyph Attack Demonstration
A homoglyph attack is commonly achieved through the use of different alphabets, for example, using the Cyrillic alphabet instead of Latin.
To help illustrate their effectiveness, and as a challenge, can you tell the difference between these two domains?
example.com
ехаmрⅼе.ϲоm
The second domain, which appears to read “example.com”, contains 8 non-ASCII characters. The table below lists each character with its Unicode value and description; all are very similar to their Latin counterparts.
As demonstrated here, many homoglyphs are not easily visible to the naked eye or to email filters. Implementing additional detection measures is therefore essential for mailbox security.
In-the-Wild Homoglyph Email Attack
Below is a sophisticated Microsoft 365 phishing email observed by our threat detection team, in which the subject line, display name, and body contain homoglyphs to disguise the phishing content. We first look at the evasion techniques used and then at the payload itself.
The first homoglyph is in the “From” display name. The raw header is an RFC 2047 encoded-word: UTF-8 text encoded as Base64.
From: =?utf-8?b?U3XRgNGA0L7Qs3Qg0JzQtdGV0ZXQsNaB0LUg0YHQtdW4dNC1cg==?=
Decoding it with CyberChef yields “Suррогt Меѕѕаցе сеոtеr”.
A regular expression written to match “Support message center” will not fire on this string, even though it looks correct to the eye.
The subject line is also an RFC 2047 encoded-word (UTF-8, Base64).
=?utf-8?b?TdGWY3LQvnPQvmZ0MzY1IE7QvnTRlmbRlmPQsHTRltC+bihzKTog0YPQvnU=?=
The decoded result is “Mіcrоsоft365 Nоtіfіcаtіоn(s): уоu hаvе {3} hеld mеssаgеs. Case ІD- #CVCQY” and likewise does not match.
From a threat-protection standpoint, automated keyword-based email filtering is unlikely to perform as expected against such messages. Security vendors need to take extra steps to ensure accurate detection, which is especially relevant for Managed Service Providers (MSPs) with many end users.
Payload Investigation
The URL payload in this email passes through two official Microsoft services before eventually reaching the phishing website. Layered web pages are used to help bypass URL scanning, because security products often cannot follow the full redirect chain. Combining this technique with trusted domains and services makes it even more effective.
The “Restore Messages” button in figure 1 leads to a forms[.]office[.]com page hosted by Microsoft. The form, shown in figure 6, instructs the user to paste a URL into their browser to continue. The threat actor has likely created multiple forms that vary from one email to the next.
The new URL brings the user to yet another Microsoft-hosted page, in this case on dynamics[.]com.
The “Continue Sign In” button shown in figure 7 redirects to the final phishing page, hosted on the newly registered domain “mpowrcindysartblog[.]online”.
This page is a very convincing recreation of the Microsoft sign-in modal. Any username and password entered into the form are sent to:
hxxps[://]ywnjb[.]mpowrcindysartblog[.]online/ppsecure/post[.]srf?username=test%40test[.]com&client_id=4765445b-32c6-49b0-83e6-1d93765276ca&contextid=D3DFA76087C8B138&opid=E1D1595582D51999&bk=1719922951&uaid=7a6d065897c0474083df3ad8207a1cdb&pid=15216
After the credentials are submitted, the page states that sign-in is blocked, and every link on it redirects to Microsoft’s website. This reduces suspicion, and the user may never realize their credentials have been stolen.
At the time of the attack (July 1, 2024), this domain was marked clean on VirusTotal. It has since been flagged as phishing by 8 separate vendors.
Conclusion
Our threat detection team sees such attacks every day. The in-the-wild sample above makes heavy use of homoglyphs, contains multiple URLs, and abuses trusted Microsoft products. Threat actors use these techniques because they are effective and routinely bypass security services. Relying on email security providers that only create static AV signatures, detect keywords, or block URLs leaves organizations vulnerable to homoglyph attacks of this kind.
Built exclusively for MSPs, Mesh’s products (Mesh Unified, Mesh 365 and Mesh Gateway) employ sophisticated techniques to detect advanced phishing attacks like this one, empowering MSPs to safeguard their clients.
Learn more about how Mesh can help protect your customers.
IOCs / Observed Subject lines
ACCOUNT-STATEMENT/PAYMENT-INVOICE has been shared with you for your Approval.
Action Required: example FuII Storage Monday-July-2024 18:24 PM
Ꭰеⅼіvеrу Fаіⅼսrе Νοtісеѕ - Саѕе ІD#50QBHCK82
Εⅿаіⅼ Ꭰеⅼіvеrу Сοոfіrⅿаtіоո Rеԛսеѕtѕ - Reference ІD#50GNJJJ82
𝙵𝚛𝚒𝚎𝚗𝚍𝚕𝚢 𝚁𝚎𝚖𝚒𝚗𝚍𝚎𝚛: 𝙴𝚖𝚙𝚕𝚘𝚢𝚎𝚎 𝙷𝚊𝚗𝚍𝚋𝚘𝚘𝚔 𝚂𝚒𝚐𝚗-𝚘𝚏𝚏𝚜 𝙳𝚞𝚎
Νotifiсatioո: yοս have (3) heⅼⅾ ⅿeѕѕaցeѕ. Reference ІD-#50IRFIX82
Mіcrоsоft365 Sеcurіtу: Thеrе аrе (3) mеssаgеs іn quаrаntіnе Reference ІD-#50CKLWB82
Mіcrоsоft365 Sеcurіtу: Ꮯоոfіrⅿаtіοո Ꭱеԛսіrеⅾ ! Case ІᎠ- #LWYDM
Меѕѕаցе Ηоⅼⅾ Νоtіfісаtіоոѕ - Reference ІD#50UYETP82
Payment file was shared to you Via example.com 0neDRlVE_Portal
Ρаsѕword Eχpiry Mondaу, July 15, 2024
Review Incoming D0cuSign: Signature Required- DocsID
Re: 0rder Complete
Іⅿрοrtаոt: Ꮩеrіfу Υοսr Ꮲаrcеⅼ Ꭰеtаіⅼѕ
Іⅿрοrtаոt Еⅿаіⅼ Νοtісе! ( support )
Ѕесսrіtу Αⅼеrt Νοtіfісаtіоոѕ - Саѕе ІD#50FZHOQ82
SharedDoc Via DocuSign for example@example.com
Սոⅾеⅼіvеrаbⅼе: Μаіⅼ ⅾеⅼіvеrу fаіⅼеⅾ#50TFZGY82
Սrցеոt Соոfіrⅿаtіоո Rеԛսеѕtѕ - Саѕе ІD#50BOTXO82
Urgent Auth Ꮯοnfirmation Required ! Ꮯase ІD#50PISVH82
Ԛսаrаոtіոе Rеⅼеаѕе Ꮯοոfіrⅿаtіоոѕ - Reference ІD#50MAMAE82
Ԛսаrаոtіոе Rеⅼеаѕе Ꮯοոfіrⅿаtіоոѕ - Саѕе ІD #ITVGA