In the last releases of the exchange cu’s for Exchange 2013 and Exchange 2016 Microsoft has introduce a new feature that will support NON-ASCII characters in the local and domain part of email addresses. ( email addresses examples: Пользователь@domain.com or user@доме.рф). This implementation is being done to have support for more languages in the office 365 service. Microsoft started the implementation in the office 365 service in august 2016 and expects to compleet all tenants soon. At first this seems to be a enhancement of the Office 365 and on premisses servers.
If we take a few steps back and look at the bigger picture again this raises a lot of questions. As companys have spend lots of money on implementations as SPF, DKIM and DMARC this new feature will create major phishing opportunities for spammers.
As end users rely on there email providers to implement the protocols correctly they put no effort in verifying the sender of a mail. As spammers are already abusing the “display from” to mask the “envelope from” field in an email they now get the option to even malform the “envelop from” to something that looks similar to the domain they are spoofing.
Example of emails a spam or phining attack can use with NON-ASCII :
- user@þroduct.nl ( Notice the letter P in Product )
- Đirk@companya.com ( Notice the letter D in Dirk )
- ľnvoice@creditcard.com ( Notice the letter I of Invoice )
- ideal@bąnk.nl ( Notice the letter a in bank )
- idęal@bank.com ( Notice the letter e in ideal )
As the SPF and DMARC features require registered dns entries to generate a detection, they will approve every domain that has no registration. If a spoofer uses these slightly malformed names, none of the anti spoof protocols will kick in and the mail will be deliverd to the end user. For the end user it is very hard to distingues a malformed “envelop from”. Specially because “display from” and “envelop from” now look almost the same.
firstname.lastname@example.org <ideal@bąnk.nl> (Notice the letter ą in bank in the envelop from header )
The only effective way to counter these spoof attacks is to block all NON-ASCII character domains on your anti spam appalince and whitelist your domains that legitimated use these characters in email addresses. You could do this by creating a dictionary containing all the NON-ASCII characters that look like regular characters and use a regex to filter email addresess containing the characters.