Homoglyph Email Attacks: Understanding and Mitigating the Threat

A homoglyph attack (also known as a homograph attack) is a technique that uses similar-looking letters or characters to trick users. Homoglyphs appear in many cyber attacks but are particularly dangerous in email, where malicious entities can be disguised as trusted contacts, domains, or brands.

Homoglyph Attack Demonstration

A homoglyph attack is commonly achieved by mixing in characters from a different alphabet, for example using Cyrillic letters in place of their Latin lookalikes.


To help illustrate their effectiveness, and as a challenge, can you tell the difference between these two domains?

example.com
ехаmрⅼе.ϲоm

The second domain (“ехаmрⅼе.ϲоm”) contains 8 non-ASCII characters. The table below lists the Unicode value, description, and character for each of them. They are visually very close to their Latin counterparts.

[Table: Unicode values, descriptions, and characters of the 8 non-ASCII homoglyphs]

As demonstrated here, many homoglyphs are not easily distinguished by the naked eye, and simple keyword-based email filters do not see through them either. Implementing additional detection measures is therefore essential to ensure mailbox security.


In-the-Wild Homoglyph Email Attack

Below is a sophisticated Microsoft 365 phishing email observed by our threat detection team in which the subject line, display name, and body all contain homoglyphs to help disguise the phishing content. We will first look at the evasion techniques used and then at the payload itself.


Figure 1: In-the-wild phishing sample

The first homoglyph is in the “From” display name. In the raw header the name is a MIME encoded-word (RFC 2047): UTF-8 text that has been Base64 encoded.

From: =?utf-8?b?U3XRgNGA0L7Qs3Qg0JzQtdGV0ZXQsNaB0LUg0YHQtdW4dNC1cg==?=

Using a tool called CyberChef, the text is decoded to the following: “Suррогt Меѕѕаցе сеոtеr”.


Figure 2: Decoded phishing email containing homoglyphs

A regular expression written for the ASCII string “Support message center” does not match the decoded display name, even though the two look identical.


Figure 3: Display name regular expression

The subject line is also a Base64-encoded UTF-8 encoded-word.

=?utf-8?b?TdGWY3LQvnPQvmZ0MzY1IE7QvnTRlmbRlmPQsHTRltC+bihzKTog0YPQvnU=?=

The decoded result is “Mіcrоsоft365 Nоtіfіcаtіоn(s): уоu hаvе {3} hеld mеssаgеs. Case ІD- #CVCQY” and also does not match.


Figure 4: Subject line regular expression

From a threat protection standpoint, automated email filtering based on keywords is unlikely to perform as expected against input like this. Security vendors need to take extra steps to ensure accurate detection. This is especially relevant for Managed Service Providers (MSPs) with numerous end users.
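The per-character inspection from the demonstration section and the display-name decoding and matching just described, as one added example (this is not the article's or Mesh's code). The lookalike domain is reconstructed by code point, the raw `From` value is the one quoted above, and the confusables table is a small hand-built subset (an assumption sufficient for the samples on this page; a real filter should load Unicode's confusables.txt from UTS #39):

```python
import re
import unicodedata
from email.header import decode_header

# Constructed reproduction of the page's lookalike domain, spelled out by code point
# so the example behaves the same regardless of how the text was copied.
SAMPLE_DOMAIN = "\u0435\u0445\u0430m\u0440\u217c\u0435.\u03f2\u043em"

# The raw "From" display-name value quoted in the article (RFC 2047 encoded-word).
RAW_FROM = "=?utf-8?b?U3XRgNGA0L7Qs3Qg0JzQtdGV0ZXQsNaB0LUg0YHQtdW4dNC1cg==?="

# Hand-built subset of lookalike mappings (assumption: enough for the samples here).
# Production code should use Unicode's confusables.txt (UTS #39) instead.
CONFUSABLES = {
    # Cyrillic
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u04bb": "h",
    "\u0405": "S", "\u0406": "I", "\u0415": "E", "\u041c": "M", "\u0421": "C",
    # Greek
    "\u03b1": "a", "\u03bf": "o", "\u03c5": "u", "\u03c7": "x", "\u03f2": "c",
    "\u0391": "A", "\u0395": "E", "\u0397": "H", "\u039d": "N", "\u03a1": "P",
    # Armenian and Cherokee letters that appear in the article's samples
    "\u0578": "n", "\u0581": "g", "\u13a0": "D",
}

SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "CHEROKEE"}


def non_ascii_chars(text):
    """List every non-ASCII character with its position, code point and Unicode name."""
    return [(i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if ord(ch) > 0x7F]


def script_of(ch):
    """Rough script classification taken from the first word of the Unicode name."""
    if not ch.isalpha():
        return "COMMON"  # digits, punctuation, spaces, roman numerals
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in SCRIPTS else "OTHER"


def scripts_in(text):
    """Set of letter scripts present, ignoring script-neutral characters."""
    return {script_of(ch) for ch in text} - {"COMMON"}


def is_mixed_script(text):
    """A display name or domain that mixes scripts is a strong homoglyph signal."""
    return len(scripts_in(text)) > 1


def skeleton(text):
    """Map lookalikes to ASCII, fold compatibility forms (NFKC), then map again."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    folded = unicodedata.normalize("NFKC", mapped)  # e.g. U+217C roman numeral -> 'l'
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def decode_encoded_word(raw):
    """Decode an RFC 2047 header value such as '=?utf-8?b?...?=' to text."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def flag_header(raw, pattern):
    """Return (decoded text, matched on raw text, matched on skeleton, mixed script)."""
    decoded = decode_encoded_word(raw)
    return (decoded,
            re.search(pattern, decoded, re.I) is not None,
            re.search(pattern, skeleton(decoded), re.I) is not None,
            is_mixed_script(decoded))


if __name__ == "__main__":
    for pos, ch, cp, name in non_ascii_chars(SAMPLE_DOMAIN):
        print(f"{pos:2d} {ch} {cp} {name}")
    print("scripts:", sorted(scripts_in(SAMPLE_DOMAIN)))
    print("skeleton:", skeleton(SAMPLE_DOMAIN))
    print(flag_header(RAW_FROM, r"message\s+center"))
```

Running the block prints the 8 lookalike characters with their names, reports that the domain mixes Latin, Cyrillic and Greek, and folds it back to `example.com`. For the real `From` header the keyword pattern misses the raw text but hits the skeleton, and the mixed-script check fires on its own, so either signal would have caught the sample even though the Cyrillic ghe in “Suррогt” is not in the small table.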


Figure 5: Body of email decoded

Payload Investigation

The URL payload in this email leverages two official Microsoft services before eventually leading to the phishing website. Layered webpages are used to help bypass URL scanning as it is often difficult for security products to follow the full chain. Coupling this technique with the use of trusted domains/services further enhances its effectiveness.


The “Restore Messages” button in Figure 1 leads to a forms[.]office[.]com page hosted by Microsoft. The form, shown in Figure 6, instructs the user to paste a URL into their browser to continue. The threat actor has likely created multiple forms that vary for each email sent.


Figure 6: Office form with malicious URL

The new URL brings the user to yet another Microsoft-hosted page, in this case on dynamics[.]com.

The “Continue Sign In” button shown in Figure 7 redirects to the final phishing page, hosted on the newly registered domain “mpowrcindysartblog[.]online”.


Figure 7: Fake continue sign-in button


Figure 8: WHOIS lookup of mpowrcindysartblog[.]online

This page contains a very convincing recreation of the Microsoft sign-in modal. Any username and password entered into this form is sent to:


hxxps[://]ywnjb[.]mpowrcindysartblog[.]online/ppsecure/post[.]srf?username=test%40test[.]com&client_id=4765445b-32c6-49b0-83e6-1d93765276ca&contextid=D3DFA76087C8B138&opid=E1D1595582D51999&bk=1719922951&uaid=7a6d065897c0474083df3ad8207a1cdb&pid=15216


Figure 9: Microsoft log-in

After the data is submitted, the page reports that sign-in was blocked, and every link on it redirects to Microsoft’s website. This reduces suspicion, and the user may never realize that their credentials have been stolen.


Figure 10: Fake failed sign-in page

At the time of the attack (July 1, 2024), this domain was marked as clean on VirusTotal. It has since been flagged as phishing by 8 separate vendors.


Figure 11: VirusTotal results

Conclusion

Our threat detection team sees such attacks every day. The in-the-wild sample above makes heavy use of homoglyphs, contains multiple URLs, and abuses trusted Microsoft products. Threat actors use these techniques because they are effective and routinely bypass security services. Relying on email security providers that only create static AV signatures, detect keywords, or block URLs leaves organizations vulnerable to these types of homoglyph attacks.


Built exclusively for MSPs, Mesh’s products (Mesh Unified, Mesh 365 and Mesh Gateway) employ sophisticated techniques to detect advanced phishing attacks like this one, empowering MSPs to safeguard their clients.


Learn more about how Mesh can help protect your customers.

IOCs / Observed Subject lines

ACCOUNT-STATEMENT/PAYMENT-INVOICE has been shared with you for your Approval.
Action Required: example FuII Storage Monday-July-2024 18:24 PM
Ꭰеⅼіvеrу Fаіⅼսrе Νοtісеѕ - Саѕе ІD#50QBHCK82
Εⅿаіⅼ Ꭰеⅼіvеrу Сοոfіrⅿаtіоո Rеԛսеѕtѕ - Reference ІD#50GNJJJ82
𝙵𝚛𝚒𝚎𝚗𝚍𝚕𝚢 𝚁𝚎𝚖𝚒𝚗𝚍𝚎𝚛: 𝙴𝚖𝚙𝚕𝚘𝚢𝚎𝚎 𝙷𝚊𝚗𝚍𝚋𝚘𝚘𝚔 𝚂𝚒𝚐𝚗-𝚘𝚏𝚏𝚜 𝙳𝚞𝚎
Νotifiсatioո: yοս have (3) heⅼⅾ ⅿeѕѕaցeѕ. Reference ІD-#50IRFIX82
Mіcrоsоft365 Sеcurіtу: Thеrе аrе (3) mеssаgеs іn quаrаntіnе Reference ІD-#50CKLWB82
Mіcrоsоft365 Sеcurіtу: Ꮯоոfіrⅿаtіοո Ꭱеԛսіrеⅾ ! Case ІᎠ- #LWYDM
Меѕѕаցе Ηоⅼⅾ Νоtіfісаtіоոѕ - Reference ІD#50UYETP82
Payment file was shared to you Via example.com 0neDRlVE_Portal
Ρаsѕword Eχpiry Mondaу, July 15, 2024
Review Incoming D0cuSign: Signature Required- DocsID
Re: 0rder Complete
Іⅿрοrtаոt: Ꮩеrіfу Υοսr Ꮲаrcеⅼ Ꭰеtаіⅼѕ
Іⅿрοrtаոt Еⅿаіⅼ Νοtісе! ( support )
Ѕесսrіtу Αⅼеrt Νοtіfісаtіоոѕ - Саѕе ІD#50FZHOQ82
SharedDoc Via DocuSign for example@example.com
Սոⅾеⅼіvеrаbⅼе: Μаіⅼ ⅾеⅼіvеrу fаіⅼеⅾ#50TFZGY82
Սrցеոt Соոfіrⅿаtіоո Rеԛսеѕtѕ - Саѕе ІD#50BOTXO82
Urgent Auth Ꮯοnfirmation Required ! Ꮯase ІD#50PISVH82
Ԛսаrаոtіոе Rеⅼеаѕе Ꮯοոfіrⅿаtіоոѕ - Reference ІD#50MAMAE82
Ԛսаrаոtіոе Rеⅼеаѕе Ꮯοոfіrⅿаtіоոѕ - Саѕе ІD #ITVGA
