Punycode Causes Big Problems for Office 365 Online Users

Security for online or on-premise infrastructure can never be taken for granted. We have identified a defense against a new attack that’s targeting Office 365 business users. This is a very real threat to any companies using Office 365 email because it is specifically designed to bypass Microsoft Security and obtain corporate ID and passwords from your users. (Read this article from today’s SC Magazine website: http://www.infosecurity-magazine.com/news/office-365-biz-users-targeted-in/).

How it works

This attack is taking advantage of a particular vulnerability in the way that Office 365 Email handles so-called ‘punycode’ web addresses so that the attacker can send a URL that Office 365 deems benign, but will take a user to a look-alike login page for Office 365.

What is Punycode?

Punycode domain names are used to handle web addresses with non-ASCII characters like the ü in bücher.ch. Punycode uses the “xn--” command to tell a browser to translate an address like this to xn--bcher-kva.ch.

This attack has bypassed Microsoft Office 365 Advanced Threat Protection since it uses what’s called Puny encoding, fooling Office 365 into believing that the URL is safe.

What can you do?

The New Puny-Phishing: How it works

To explain this attack, we will use an example from a real attack captured in early December 2016. The attacker sent a fake FedEx email with a benign looking URL that goes to a malicious site.


We can scan your user accounts.

We are offering a scan of your user email accounts to identify which of your users have received this attack so that you can take remediation measures to immediately change their Office 365 and other corporate passwords! Please contact us now at [email protected].