What Changed
A new hunting query, "Punycode lookalikes", was added to both the standalone Hunting Queries collection and the Microsoft Defender XDR solution. It detects phishing attempts that use internationalized domain names (IDN).
Detection Logic
The query targets punycode domains (labels with the xn-- prefix) that contain Unicode characters visually similar to ASCII letters and can therefore impersonate legitimate ASCII domains. It processes both email (EmailEvents, EmailUrlInfo) and Microsoft Teams messages (MessageEvents, MessageUrlInfo) to identify:
- Cyrillic characters (е, а, о, р, с, х, etc.) mimicking Latin letters
- Greek characters (α, ε, ο, ρ, χ, etc.) visually similar to ASCII
- Fullwidth ASCII characters used in domain spoofing
The detection normalizes Unicode lookalikes to their ASCII equivalents and then checks that the resulting domain looks like a legitimate ASCII domain, which indicates intentional spoofing rather than an incidental non-ASCII name.
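The normalize-then-validate logic described above, as an added Python example that is not the query's own KQL: it decodes xn-- labels, folds a constructed confusables table (Cyrillic, Greek and fullwidth forms) to ASCII, and reports a hit only when the folded name is a plausible ASCII domain, so a genuine IDN such as one with an umlaut is left alone. The sample rows, the confusables table and the punycode_domain helper are constructed for this example.

```python
import re
from urllib.parse import urlparse
# Confusable code points folded to the Latin letter they mimic (Cyrillic, Greek
# lowercase); constructed for this example, not the query's own lookup table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03b1": "a",
               "\u03b5": "e", "\u03bf": "o", "\u03c1": "p", "\u03c7": "x", "\u03bd": "v"}
# Fullwidth ASCII (U+FF01..U+FF5E) sits at a fixed offset from U+0021..U+007E.
for cp in range(0xFF01, 0xFF5F):
    CONFUSABLES[chr(cp)] = chr(cp - 0xFEE0)
# Shape of a plausible public ASCII hostname: LDH labels plus an alphabetic TLD.
ASCII_DOMAIN = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}")

def decode_label(label):
    """Decode one xn-- label to Unicode; non-IDN or malformed labels pass through."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label

def normalize_domain(domain):
    """Decode punycode labels, then fold every confusable to lowercase ASCII."""
    return ".".join("".join(CONFUSABLES.get(c, c) for c in decode_label(lab)).lower()
                    for lab in domain.split("."))

def lookalike_target(domain):
    """ASCII domain an IDN impersonates, or None (a genuine IDN keeps non-ASCII)."""
    if "xn--" not in domain.lower():
        return None
    norm = normalize_domain(domain)
    return norm if ASCII_DOMAIN.fullmatch(norm) else None

def punycode_domain(unicode_domain):
    """Constructed helper: encode a Unicode domain to xn-- form, label by label."""
    return ".".join(lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
                    for lab in unicode_domain.split("."))

# Constructed (SourceTable, Url) rows standing in for EmailUrlInfo / MessageUrlInfo.
SAMPLE_ROWS = [
    ("EmailUrlInfo", "https://" + punycode_domain("\u0430\u0440\u0440l\u0435.com") + "/login"),
    ("MessageUrlInfo", "https://" + punycode_domain("\uff4dicrosoft.com") + "/"),
    ("EmailUrlInfo", "https://" + punycode_domain("m\u00fcnchen.de") + "/"),
    ("EmailUrlInfo", "https://example.com/"),
]

def hunt(rows):
    """Return (source, observed host, impersonated domain) for every lookalike hit."""
    hosts = [(src, urlparse(url).hostname or "") for src, url in rows]
    return [(src, h, lookalike_target(h)) for src, h in hosts if lookalike_target(h)]
```

Running hunt(SAMPLE_ROWS) flags the Cyrillic "apple" and fullwidth "microsoft" rows and passes the genuine umlaut domain and the plain ASCII URL.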
MITRE Mapping
Technique: T1566 (Phishing) - Initial Access via deceptive domains in email and collaboration platforms
Detection Surface Unlocked
Organizations gain visibility into domain impersonation attacks that bypass string-based domain reputation checks, which compare the raw xn-- form rather than what the user sees. The query reveals phishing campaigns leveraging:
- Brand impersonation through visually identical Unicode domains
- Cross-platform attacks spanning email and Teams messaging
- Advanced evasion techniques exploiting internationalized domain specifications
This hunting capability fills a gap in detecting IDN homograph attacks, which exploit the user's visual perception of a domain rather than any weakness in technical domain validation.
Affected Files
Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Phish/Punycode chars lookalike domains.yaml
Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Phish/Punycode chars lookalike domains.yaml