Outlook contact cards can be easily forged


Phishing attacks are one of the oldest ways for malicious people to steal information, and an old-school phishing method has made its way into Outlook. When using characters from different alphabets, people may lead victims to believe that spoofed emails come from genuine contacts, as reported by ArsTechnica.

Fortunately, Outlook has received an update that fixes the problem, according to Mike Manzotti of Dionach. Make sure you have the latest version so you don't fall victim to these phishing attacks.

Essentially, what's happening here is that phishers are using Microsoft Office to display a person's contact card even though the emails come from spoofed internationalized domain names. The spoofing relies on characters from other alphabets, such as Cyrillic, that look like letters of the Latin alphabet.

Information security professional and pentester Dobby1Kenobi did some testing and found that it was pretty easy to fool the system before the update was released. It's striking how similar the characters look, and if you don't pay attention, it's easy to see how someone could fall for it.

In a blog post, Dobby1Kenobi said the following:

I recently discovered a vulnerability affecting the address book component of Microsoft Office for Windows that could allow anyone on the Internet to spoof the contact details of workers within an organization using a look-alike external internationalized domain name (IDN). This means that if a company's domain is 'somecompany[.]com', an attacker who registers an IDN such as 'ѕomecompany[.]com' (xn--omecompany-l2i[.]com) could exploit this bug and send convincing phishing emails to 'somecompany.com' workers using Microsoft Outlook for Windows.

When Outlook works correctly, mail from a domain outside the organization does not display the address book entry of the person being spoofed; with this bug, the email appeared to come from that person.
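The domain in Dobby1Kenobi's example is an IDN homograph: the ACE label xn--omecompany-l2i decodes to "ѕomecompany" with a Cyrillic "ѕ" (U+0455) in place of the Latin "s". The following script is an added example, not code from the article or from the researcher, showing how a mail gateway or SOC could detect such a sender domain on its own: it decodes punycode labels, flags labels that mix Unicode scripts, and maps a small constructed subset of the Unicode confusables table onto a "skeleton" that is compared against the organization's protected domains. The `CONFUSABLES` table and the `somecompany.com` protected-domain set are assumptions for the demonstration.

```python
import unicodedata

# Constructed subset of the Unicode confusables table: Cyrillic letters that
# render almost identically to Latin ones. A production filter would load the
# full confusables.txt from Unicode instead of this hand-picked map.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE (used in the article's example)
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}


def decode_idn(domain: str) -> str:
    """Convert an ACE-encoded domain (labels starting with xn--) to its Unicode form."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            # Python's punycode codec decodes the part after the xn-- prefix.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_of(label: str) -> set:
    """Infer the Unicode script of every letter from its character name
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER DZE' -> 'CYRILLIC')."""
    return {
        unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        for ch in label
        if ch.isalpha()
    }


def skeleton(label: str) -> str:
    """Replace confusable characters with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def check_sender_domain(domain: str, protected: set) -> dict:
    """Classify a sender domain. A domain is suspicious if any label mixes
    scripts or if its confusable skeleton matches a protected domain without
    being that domain."""
    unicode_form = decode_idn(domain)
    labels = unicode_form.split(".")
    mixed = [lbl for lbl in labels if len(scripts_of(lbl)) > 1]
    skel = ".".join(skeleton(lbl) for lbl in labels)
    homograph_of = skel if skel in protected and unicode_form not in protected else None
    return {
        "decoded": unicode_form,
        "mixed_script_labels": mixed,
        "homograph_of": homograph_of,
        "suspicious": bool(mixed) or homograph_of is not None,
    }


if __name__ == "__main__":
    # The domain from the article, checked against an assumed protected set.
    protected_domains = {"somecompany.com"}
    for sender in ("xn--omecompany-l2i.com", "somecompany.com", "partner.example"):
        print(sender, "->", check_sender_domain(sender, protected_domains))
```

The mixed-script check alone catches the article's example, but it misses a label written entirely in Cyrillic look-alikes (e.g. all of "а", "о", "с", "е"), which is why the skeleton comparison against the organization's own domains is the more robust signal. Either finding is a reason to suppress the contact card and route the message through the same scrutiny as any unknown external sender.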

Microsoft investigated the report, and initially it seemed that the company was not going to fix the problem:

We finished reviewing your case, but in this circumstance it was decided that we will not fix this vulnerability in the current version, and we will close this case. In this circumstance, even though spoofing could occur, the identity of the sender cannot be trusted without a digital signature. The necessary changes are likely to cause false positives and problems in other ways.

Despite this, as mentioned, Microsoft updated Outlook to fix the problem. As always, let this serve as a reminder to check who an email is from and verify that it really comes from the person you think it does before clicking on any link. At the same time, keep your important apps up to date so that you receive these security updates.
