Avanan researchers claim that Office 365's phishing filters incorrectly translate Punycode characters found in a link's URL as standard ASCII characters.
Avanan researchers claim that Office 365's phishing filters incorrectly translate Punycode characters found in a link's URL as standard ASCII characters.

It may be called Punycode, but it's reportedly a big headache for Microsoft and its Office 365 anti-phishing filters.

According to a research report last week from cloud security company Avanan, hackers are using Punycode, a technique for encoding domain names with Unicode characters, to bypass anti-phishing protections in Office 365 productivity software. Microsoft, for its part, denied the claims in a statement provided to SC Media.

Used with the Domain Name System to support non-ASCII characters within a web URL (including many foreign letters and symbols like the umlaut and cedilla), Punycode confuses Office 365's filters when it is embedded into the URLs of malicious links, Avanan asserts. Aware of this apparent flaw, hackers are conducting phishing attacks that trick recipients into clicking on links spiked with Punycode. These links lead victims to a fake log-in page where they are prompted to enter their Office 365 credentials – essentially giving them away to the cybercriminals behind the operation, the research report continues.

The technique works, Avanan explains, because Office 365's anti-phishing and URL-reputation security layers interpret Punycode characters within a link's URL as regular ASCII characters (e.g. an ordinary “u” instead of an umlaut). Consequently, when users click on a Punycode-spiked link, Office 365's anti-phishing mechanisms test the wrong IP address for malicious activity. Meanwhile, web browsers correctly identify the characters as Punycode and direct users to the true URL and associated IP address.

Knowing this, hackers can set up two websites with URLs that on the surface look exactly the same – except one of them uses Punycode in place of certain ASCII characters. “Microsoft tests the first site for malicious intent and finds a boring website. [But] the user clicks on the link and goes to a different site, which hosts a fake Microsoft login page,” explained Michael Landewe, cofounder and VP of business development at Avanan, in an email interview with SC Media.

Avanan researchers assume the cause of the filtering problem is likely “a glitch in a common URL library” due to “the need for some backward compatibility.” Other application providers also likely use this library, but so far Microsoft 365 is the only one Avanan has observed being targeted by the scam, which was discovered on Dec. 9.

The report cited an example of a recent Punycode phishing attack in which cybercriminals sent out emails that appeared to come from FedEx, alerting recipients that an important package was waiting for them, along with a link to track it. Individuals who clicked on this link were led to a fake Office 365 log-in page that required them to enter their credentials to continue.

Through a company spokesperson, Microsoft disputed the veracity of the report to SC Media. “Contrary to Avanan's claims, the anti-phishing filters found in Office 365 are not fooled by this attack,” the spokesperson said in an emailed statement. “Office 365 can and does mark this type of attack as spam. We encourage users to check the authenticity of the links prior to clicking them, [and to] avoid opening links in emails from senders they don't recognize or visiting unsecure sites.”