Wednesday, 09 July 2025

A bug in Outlook opens the door for a classic phishing attack method

Security researchers have discovered a bug in the Microsoft Outlook email client that can be used to trick a user into believing spoofed emails are from genuine contacts.

Threat actors are registering phishing domains that contain non-Latin Unicode characters which look almost identical to letters of the Latin alphabet. More than a decade ago, ICANN authorized the registration of Internationalized Domain Names (IDNs), allowing domains to be written in different languages and alphabets using Unicode characters. The problem is that many of these characters are visually very close to Latin letters, which is exactly what scammers exploit to create fake sites whose names look like the real ones.

As it turned out, emails sent from such look-alike domains are shown in Outlook with the contact information of a real person registered on the official domain. The problem stems from the Address Book function, which does not distinguish between the look-alike domain and the genuine one when displaying contact information.

Researcher Mike Manzotti reported the same bug. He found that Outlook for Office 365 does not correctly validate the punycode domain, allowing an attacker to impersonate any valid contact in the target organization.
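The check that the article says Outlook's Address Book lacked, as an added example that is not part of the article or of any Microsoft code: decode a punycode sender domain, map a few hand-picked Cyrillic and Greek homoglyphs to the Latin letters they resemble, and flag a sender whose domain only looks like a trusted one. The trusted domains and the homoglyph table are constructed for the example.

```python
import unicodedata

# Constructed sample address book: domains whose contacts we trust.
TRUSTED_DOMAINS = {"example.com", "contoso.com"}

# Hand-picked homoglyphs, keyed by code point, mapped to the Latin letter
# they resemble. Not exhaustive; a real deployment would use the Unicode
# confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0443": "y",  # Cyrillic small u
    "\u0456": "i",  # Cyrillic/Ukrainian small i
    "\u03bf": "o",  # Greek small omicron
}


def decode_domain(domain: str) -> str:
    """Turn an xn-- (punycode) domain into Unicode; Unicode input passes through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII characters


def skeleton(domain: str) -> str:
    """Replace known look-alike characters so visually similar domains compare equal."""
    normalized = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    domain = decode_domain(address.rsplit("@", 1)[-1].lower())
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Same skeleton as a trusted domain but not byte-identical: a homoglyph domain.
    if skeleton(domain) in TRUSTED_DOMAINS:
        return "lookalike"
    return "unknown"
```

A mail gateway or add-in would suppress the address-book match (and display the raw punycode form) for anything classified as "lookalike".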

Microsoft has fixed the vulnerability in Outlook version 16.0.14228.20216. Manzotti said that this attack fails against Outlook Web Access (OWA).

Source: securitylab.ru

09 September 2021
