Researchers discovered a way to trick Microsoft Outlook’s ‘Address Book’ component into making look-alike email addresses appear to belong to real contacts, potentially making it easier for scammers to fool people with phishing emails.
A penetration tester going by ‘DobbyWanKenobi’ on Twitter and Mike Manzotti, a senior consultant at Dionach, both published blog posts outlining the problem (via Ars Technica). In short, the Address Book flaw relies on an old spoofing trick, the homograph attack, which uses characters from other alphabets that look like Latin letters to make a fake address look the same as a real one.
As an example, if you get an email from someone@mobìlesyrup.com, it may look at first glance like someone from MobileSyrup sent it. However, if you look closer, the ‘ì’ character isn’t actually an ‘i.’ There are many more look-alike characters than this one, although I’m not able to type them in the MobileSyrup content management system.
Ars Technica offers a more in-depth explanation of how this works, including explanations of Internationalized Domain Names (IDNs) and ‘Punycode.’ The short version is that a domain containing non-ASCII characters is actually transmitted in an ASCII form that starts with ‘xn--’, and most browsers display suspicious domains in that form rather than the look-alike Unicode form, which helps users tell them apart. Microsoft Outlook’s Address Book, however, showed the contact information of real people for emails sent from these spoofed look-alike domains, as if the sender were the genuine contact.
Further, Manzotti traced the issue to Outlook not correctly validating email addresses in Multipurpose Internet Mail Extensions (MIME) headers. Manzotti also points out that the flaw does not affect Outlook Web Access (OWA).
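To make the IDN and Punycode explanation above concrete, and to show how a mail client can avoid the Address Book mistake Manzotti describes, here is a small added example. It is not code from the original article, from Microsoft, or from either researcher’s write-up. It takes the domain from a From: header, converts it to the ‘xn--’ form a browser would show, folds accented and Cyrillic look-alikes back to plain letters to spot an imitation of a trusted domain, and only matches an address-book entry on its exact ASCII form. The address book, the trusted-domain list and the confusables table are constructed for the example (the table is a hand-picked subset of the Unicode confusables list, not the full thing), and the header parser is deliberately minimal.

```python
import unicodedata

# Constructed data for this example: a tiny address book keyed by the exact
# ASCII form of each contact's address, and the domains the reader owns.
ADDRESS_BOOK = {"someone@mobilesyrup.com": "Someone at MobileSyrup"}
TRUSTED_DOMAINS = {"mobilesyrup.com"}

# Hand-picked Cyrillic letters that render like Latin ones (a small subset
# of the Unicode confusables list, not the full table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y",
}


def split_address(from_header):
    """Return (local, domain) from a From: header value; deliberately minimal."""
    addr = from_header.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]      # 'Name <user@host>' -> 'user@host'
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    return local, domain.lower()


def to_ascii(domain):
    """The form a browser shows for an IDN: ASCII labels kept as-is,
    every other label becomes 'xn--' followed by its Punycode."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Fold look-alikes to plain ASCII: strip accents (NFKD, then drop the
    combining marks, so 'ì' -> 'i') and map known Cyrillic confusables."""
    decomposed = unicodedata.normalize("NFKD", domain)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in base)


def classify_sender(from_header):
    """Label a sender as trusted, untrusted, a plain IDN, or a look-alike
    of a trusted domain."""
    parts = split_address(from_header)
    if parts is None:
        return "invalid"
    _, domain = parts
    ascii_form = to_ascii(domain)
    if ascii_form == domain:                 # pure ASCII, nothing is hidden
        return "trusted" if domain in TRUSTED_DOMAINS else "untrusted"
    target = skeleton(domain)
    if target in TRUSTED_DOMAINS:            # non-ASCII domain imitating ours
        return f"lookalike of {target} (really {ascii_form})"
    return f"idn ({ascii_form})"


def resolve_contact(from_header):
    """Look the sender up by its exact ASCII form only, so a homograph
    domain never inherits a real contact's name and details."""
    parts = split_address(from_header)
    if parts is None:
        return None
    local, domain = parts
    return ADDRESS_BOOK.get(f"{local}@{to_ascii(domain)}")


if __name__ == "__main__":
    # "\u00ec" is the 'ì' from the article's example address.
    for header in ("Someone <someone@mobilesyrup.com>",
                   "someone@mob\u00eclesyrup.com",
                   "someone@mob\u0456lesyrup.com"):   # Cyrillic 'і' this time
        print(f"{header!r}: {classify_sender(header)}; "
              f"contact={resolve_contact(header)}")
```

The key design choice is in resolve_contact: the lookup key is the ASCII (‘xn--’) form, which is what actually travels in the MIME header, so the spoofed domain can never compare equal to the real one. The skeleton check is only a warning aid, and a real implementation would use the full Unicode confusables data rather than the short table here.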
The flaw is particularly concerning because it lends credibility to phishing emails: a message that Outlook itself attributes to a known contact is far more likely to convince users that it is real, so they willingly give up personal information.
Microsoft did not respond to Ars Technica’s request for comment, but the company did tell Manzotti that the vulnerability would not be fixed. At the same time, Ars notes that version 16.0.14228.20216 of Outlook appears to have fixed the problem anyway.
Still, if you’re not yet on the latest version of Outlook, you may want to pay extra attention to incoming emails and avoid clicking links in any email you receive unless you’re absolutely certain it’s from a trustworthy source.