Flagging Homoglyph Attacks

Red teams and state-sponsored actors are increasingly leveraging homoglyphs to phish unsuspecting users. By using Unicode characters, adversaries create fake domains which are indistinguishable (pɑypal.com versus paypal.com, for example).

AlphaSOC has processed billions of customer network events through Network Behavior Analytics for Splunk and Network Flight Recorder™ to flag threats including C2 beacons, DNS tunneling, and DGA traffic. We’ve recently updated the AlphaSOC Analytics Engine to flag suspicious patterns relating to popular trademarks used within enterprises (e.g. Microsoft, Cisco, Okta, Duo) and identify sophisticated attackers.

  • Unicode homoglyphs (e.g. replacing a with ɑ)
  • Multi-letter homoglyphs (e.g. replacing w with vv)
  • Transpositions, replacements, and omissions (replacing l with 1 and so on)

We combine these signals with others (e.g. the domain age and registrant) to provide actionable alerts and negate false positives. This enables us to flag spear phishing campaigns without relying on signatures or threat intelligence feeds and protect our customers from unknown emerging threats.

IronGeek Homoglyph Attack Generator

To dig into these threats further, check out this published research: