
A vulnerability in Microsoft Outlook for Windows can trick users into believing that phishing emails sent to them are genuine. When a message arrives from an Internationalized Domain Name (IDN) that looks like the organization's own domain, Outlook's Address Book resolves the spoofed sender to the contact details of the real internal user, so the message appears to come from a known colleague. IDNs can contain letters from non-Latin scripts, such as Cyrillic, that are visually identical or nearly identical to letters of the Latin alphabet.

Because the lookalike characters cannot be told apart at a glance, users believe the emails have come from genuine contacts. The vulnerability was discovered by the researcher known as "Dobby1Kenobi" (via Windows Central), who described the test as follows:

I registered an email address that looked like my own organization email address and sent myself a test email to distinguish what factors in the email stood out as suspicious.

This means if a company’s domain is 'somecompany[.]com', an attacker who registers an IDN such as 'ѕomecompany[.]com' (xn--omecompany-l2i[.]com) could take advantage of this bug and send convincing phishing emails to employees within 'somecompany[.]com' that use Microsoft Outlook for Windows.

What differed between my organization domain and the phishing domain was a Cyrillic “s” at the start of the domain name.
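The script below is an added example, not code from Dobby1Kenobi's or Manzotti's write-ups, showing how a mail gateway or triage script can catch the lookalike domain described above. It converts the sender domain to its punycode (xn--) form, which is what DNS and SMTP actually see, checks each label for mixed scripts, and compares a confusable-folded "skeleton" of the domain against the organization's real domain. ORG_DOMAIN, the partial CONFUSABLES table and the sample sender addresses are assumptions made for the illustration.

```python
"""Flag sender addresses whose domain is an IDN homograph of the organization's domain.

Added example; ORG_DOMAIN, CONFUSABLES and the sample senders are assumptions.
"""
import unicodedata

ORG_DOMAIN = "somecompany.com"  # assumed organization domain, from the article's example

# Cyrillic letters that render like Latin letters in most fonts. This is an assumed,
# partial table; the Unicode confusables.txt list is far larger.
CONFUSABLES = {
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # у CYRILLIC SMALL LETTER U
    "\u0445": "x",  # х CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # ѕ CYRILLIC SMALL LETTER DZE (the letter used in the article)
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # ј CYRILLIC SMALL LETTER JE
    "\u0501": "d",  # ԁ CYRILLIC SMALL LETTER KOMI DE
    "\u051b": "q",  # ԛ CYRILLIC SMALL LETTER QA
    "\u051d": "w",  # ԝ CYRILLIC SMALL LETTER WE
    "\u04bb": "h",  # һ CYRILLIC SMALL LETTER SHHA
}


def to_ascii(domain: str) -> str:
    """Punycode (ASCII-compatible) form of a domain, i.e. what DNS and SMTP really carry."""
    return domain.lower().encode("idna").decode("ascii")


def scripts(label: str) -> set:
    """Unicode scripts (first word of the character name) used by the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Fold visually confusable letters to their Latin lookalikes after NFKC normalization."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def classify(sender: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Verdict for the sender's domain: internal, homograph, mixed-script, idn or ok."""
    domain = sender.rsplit("@", 1)[-1].lower()
    ascii_form = to_ascii(domain)
    result = {"domain": domain, "ascii": ascii_form, "verdict": "ok", "reason": ""}
    if ascii_form == org_domain:
        result["verdict"] = "internal"
    elif skeleton(domain) == org_domain:
        # Renders exactly like the organization domain but resolves somewhere else.
        result.update(verdict="homograph",
                      reason=f"renders like {org_domain} but is really {ascii_form}")
    elif any(len(scripts(label)) > 1 for label in domain.split(".")):
        result.update(verdict="mixed-script", reason="a label mixes scripts")
    elif ascii_form != domain:
        # Legitimate IDNs exist; at minimum show the user the xn-- form, not the glyphs.
        result.update(verdict="idn", reason=f"IDN sender, shown as {ascii_form}")
    return result


if __name__ == "__main__":
    # Constructed sample senders: the real domain, the article's Cyrillic-dze lookalike,
    # a mixed-script lookalike of another brand, a genuine IDN and an unrelated domain.
    samples = [
        "alice@somecompany.com",
        "alice@\u0455omecompany.com",
        "billing@p\u0430ypal.com",
        "info@münchen.de",
        "bob@example.org",
    ]
    for sender in samples:
        print(f"{sender:28} -> {classify(sender)}")
```

The skeleton comparison is what catches the article's case: the folded form of the spoofed domain equals the real one while the punycode form does not, which is exactly the mismatch Outlook's address resolution hid from the user. Real deployments should replace the small table with the full Unicode confusables data and apply the check to the visible display name as well as the address.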

Mike Manzotti of Dionach.com also reported the bug. Although Microsoft acknowledged the vulnerability, it initially said it would not release a fix for it.


Microsoft told Manzotti:

We've finished going over your case, but in this instance it was decided that we will not be fixing this vulnerability in the current version and are closing this case. In this case, while spoofing could occur, the sender's identity cannot be trusted without a digital signature. The changes needed are likely to cause false positives and issues in other ways.

Despite that response, Microsoft appears to have fixed the issue after all: according to Manzotti, the vulnerability is no longer present in Outlook version 16.0.14228.20216. Users should update Outlook to the latest version and stay alert to phishing emails of this kind. When in doubt, check the sender domain's punycode form (the xn-- label), which cannot be disguised by lookalike characters, and remember Microsoft's own caveat that a sender's identity is only trustworthy with a digital signature.