PHISHING CORPORATIONS

Lost in Translation?

How I managed to potentially trick software and humans by discovering and exploiting a weird bug in the Address Book component of Microsoft Office for Windows.

I recently discovered a vulnerability that affects the Address Book component of Microsoft Office for Windows that could allow anyone on the internet to spoof contact details of employees within an organization using an external look-alike Internationalized Domain Name (IDN).

  • domains.google
  1. I could use Google’s infrastructure to send my phishing emails.
Figure: Gmail setting for Sender information
Figure: An email originating from an actual organization email address sent to someone within the organization
Figure: An email originating from my IDN phishing email address sent to someone within the organization
Figure: Difference in the contact details for both email addresses
Figure: Address Book resolving a phishing email address to an actual organization contact
Figure: Phishing domain email header
Figure: Microsoft's response
  • Additionally, as Microsoft suggests, email signing could be employed to protect internal organization emails from spoofing attacks. Affected companies should use the Trust Center feature to digitally sign emails by default.
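Alongside signing, a mail gateway or triage script can surface exactly what the Address Book hides: the punycode form of the sender domain and whether it is a confusable look-alike of the organization's own domain. This is an added example and not code from the original post; the organization domain, the look-alike domain and the From: headers are constructed, and the confusables table is a small hand-picked subset.

```python
import unicodedata
from email.utils import parseaddr

# Constructed subset of Unicode confusables: Cyrillic letters that render the same
# as Latin ones in common fonts. A production check would use the full UTS #39 table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

ORG_DOMAIN = "example.com"                      # assumed organization domain
LOOKALIKE = "ex\u0430mple.com"                  # constructed: Cyrillic а (U+0430) for Latin a
SAMPLE_HEADERS = [                              # constructed From: header values
    "Alice Example <alice@example.com>",
    "Alice Example <alice@%s>" % LOOKALIKE.encode("idna").decode("ascii"),
]


def unicode_domain(domain: str) -> str:
    """Unicode form of a domain: decode xn-- (punycode) labels, pass others through."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def scripts_in(label: str) -> set:
    """Scripts of the letters in a label, taken from the Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Fold confusable characters to their Latin look-alikes for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def check_sender(from_header: str, org_domain: str) -> dict:
    """Flag sender domains that an address book could display as the organization's own."""
    _, addr = parseaddr(from_header)
    raw_domain = addr.rpartition("@")[2].lower()
    shown = unicode_domain(raw_domain)          # what the client or contact card displays
    return {
        "address": addr,
        "displayed_domain": shown,
        "punycode_domain": shown.encode("idna").decode("ascii"),  # what to show analysts
        "is_idn": not shown.isascii(),
        "mixed_script": any(len(scripts_in(lbl)) > 1 for lbl in shown.split(".")),
        "lookalike_of_org": shown != org_domain and skeleton(shown) == org_domain,
    }


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(check_sender(header, ORG_DOMAIN))
```

Any message whose result has `mixed_script` or `lookalike_of_org` set deserves a banner or quarantine before it ever reaches the Address Book resolution shown above.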

UPDATE - Sept 7th 2021:

I forgot to mention this before in the article: replying to the phishing email that originates from the IDN does not reveal the punycode. The only significant difference in the case of an email reply is that the user's profile picture does not show up. It still will not raise concerns, since the contact card contains all other organizational information about the impersonated employee.

Figure: A message reply to the suspected phishing email also contains a contact card that is intact
