Phishing campaign on Office 365 Business users leverages Punycode

Security researchers discovered a new phishing campaign leveraging Punycode and a bug in Office 365 defense systems to deceive victims.

Office 365 business email users continue to be the target of phishing campaigns, a new wave of attacks was leveraging Punycode to avoid detection of Microsoft’s default security and desktop email filters.

Punycode is a method added to the Domain Name System (DNS) in order to support non-ASCII characters within a web URL.

Security researchers from Avanan security warn of a new phishing campaign that aims to steal Office 365 credentials and abuses a vulnerability in how Office 365 anti-phishing and URL-reputation security layers deal with Punycode.

Office 365 is even popular as corporate email solution, for this reason, hackers are increasing their interest in it.

“Avanan’s cloud security researchers uncovered a new attack method against Office 365 business email that goes undetected by Microsoft’s Office 365 default security and bypasses desktop email filters.” states a blog post published by Avanan.”The attack includes a phishing scheme to steal Office 365 credentials, and leverages what appears to be a vulnerability in how Office 365 anti-phishing and URL-reputation security layers translate Punycode”

Punycode was already exploited in past attacks in order to trick victims into clicking links that looked legitimate, in this last attack it was designed to bypass the Office 365 anti-phishing filters and email phishing protection systems instead.

The researchers explained that this specific attack is possible due to a gap in the Office 365 phishing filters.

“What makes this attack different is that instead of fooling the user, it was designed to fool the anti-phishing filters found in Office 365 and other email phishing protection systems. Hackers have identified a gap in the Office 365 phishing filters and are starting to leverage it in order to compromise accounts.” continues the analysis.

The phishing campaign detected by Avanan leverages on fake FedEx emails that URLs that appear to be legitimate.

Leveraging on the vulnerability in the phish-detection engine, the URL actually resolves to two different domains, one followed by the malware protection filter and the second one followed by the browser when the user clicks on it.

The legitimate and safe URL is the one followed by protection systems implemented in Office 365, while the malicious one is followed by the browser redirecting the victims to a bogus domain.

“What makes this attack nefarious is that by using Punycode and a flaw in the phish-detection engine, the URL actually goes to TWO different sites, one followed by the malware protection filter and the other followed by the end-user’s browser when he or she clicks on it.” states the analysis.

The experts discovered that Office 365’s default security systems check domain reputation by analyzing it as plain ASCII.

The rapid diffusion of the Office 365 solution in the business environments will continue to attract cyber criminal syndicates.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Punycode , phishing campaign)

[adrotate banner=”5″]

[adrotate banner=”13″]