The Punycode Problem: Protecting Your Inbox from Deceptive Domains

The internet was built to connect the world, and internationalized domain names (IDNs) have played a key role in achieving this goal. By enabling non-ASCII characters in web addresses, IDNs enhance accessibility, usability, and inclusivity while also offering practical benefits for businesses, governments, and individuals.

However, as is often the case with technological advances, cybercriminals have found ways to exploit this innovation.

Using Punycode—a method of encoding IDNs—threat actors can create deceptive domains that impersonate trusted brands and contacts, evade traditional security measures, and deceive even the most vigilant employees.

In this blog, we explore how cybercriminals are leveraging Punycode to launch sophisticated email attacks.

Punycode is a way to encode IDNs with non-ASCII characters into a format compatible with the domain name system (DNS), which only supports ASCII characters. By converting characters like é, а, or 日 into ASCII-compatible formats, Punycode enables the use of domain names with accented letters or characters from non-Latin scripts, making the internet more inclusive while maintaining interoperability with existing infrastructure.

Punycode-encoded domain names are distinguished by a special prefix, "xn--". For example, the IDN münchen.com, which includes the umlaut "ü," is represented in Punycode as xn--mnchen-3ya.com. This process ensures compatibility with DNS systems while allowing users to see the original, non-encoded domain name in browsers and email clients.

While this innovation has expanded global accessibility, it has also opened doors for cybercriminals to exploit its functionality. Here are a few ways threat actors exploit Punycode.

Conducting Homograph Attacks

Homograph attacks take advantage of the visual similarities between Unicode and ASCII characters to create malicious domains that appear identical to legitimate ones. For example, attackers might substitute the Cyrillic "о" for the ASCII "o," resulting in deceptive domains like “micrоsоft.com” that appear authentic but redirect to harmful sites. Modern browsers often render Punycode domains in their Unicode form, further masking the attack and making the fraudulent domain appear authentic in the address bar.

Homograph attacks are similar to lookalike domains in that they both rely on deception. However, homograph attacks focus on visually identical impersonations using Unicode, whereas broader lookalike domain tactics involve substituting entirely different characters or adding subtle variations, like extra letters. With thousands of Unicode characters available, threat actors can generate an almost limitless number of deceptive domains that appear indistinguishable from the real ones.

Obfuscating Malware Payloads

Attackers can also exploit Punycode to obscure malware delivery mechanisms by encoding malicious URLs in a format that circumvents automated security tools scanning for known threats. For example, a URL like “xn--downld-f43a.com” may look benign to traditional filtering systems that rely on pattern recognition to identify malicious content.

By embedding these obfuscated URLs in phishing emails, threat actors increase the likelihood of users clicking on them, bypassing both user awareness and automated defenses. This tactic is particularly effective in facilitating malware campaigns such as ransomware and drive-by downloads. By evading detection and delaying countermeasures, Punycode-encoded URLs enable malware to propagate further, increasing the potential damage before security teams can respond.

Evading SOC Analysts

Even skilled SOC analysts can struggle to identify Punycode-based threats. While analysts may detect clear cases of domain spoofing or phishing URLs, Punycode’s encoding obscures the true nature of malicious domains. Punycode-encoded URLs often appear as random or encoded data, which may not trigger immediate suspicion during analysis. For instance, a Punycode domain in the "From" field might look like Base64 encoding, leading analysts to deprioritize it. Attackers further complicate detection by embedding Punycode domains in shortened URLs or layering them within HTML-rich phishing emails.

Without specialized tools to highlight Punycode anomalies, such threats can blend into the background noise of alerts, allowing cybercriminals more time to achieve their objectives, such as deploying malware or establishing persistence within a compromised system.

Bypassing Legacy Security Solutions

Legacy security solutions, such as secure email gateways (SEGs), rely on traditional pattern recognition and keyword filtering to detect malicious activity. While Punycode is ASCII-compatible, SEGs often fail to decode and analyze the Unicode representation of these domains, allowing visually deceptive or homograph domains to evade detection. Additionally, SEGs typically don’t assess domains for phonetic or visual similarity, enabling Punycode-crafted malicious domains to bypass static filtering methods and regex-based rules that lack contextual awareness.

For example, a SEG may flag “badsite.com” as malicious but fail to recognize “xn--badsite-123.com” as a threat, even if the encoded domain redirects to the same harmful site.

Punycode can also help attackers bypass blocklist mechanisms. Traditional blocklists, which rely on static entries of known malicious domains, struggle to detect Punycode-generated variations because these variations appear as “new” domains that haven’t yet been flagged as malicious. By leveraging Punycode to create slight alterations, threat actors can evade static defenses, allowing them to continue targeting victims undetected.

Threat Actor Impersonates Coinbase in Vishing Attack

In the first example, the threat actor impersonated Coinbase, a popular cryptocurrency exchange, and emailed the target a fraudulent notification regarding a support ticket.

At first glance, everything seems genuine: the sender name appears to be no-reply@coinbase[.]com, the formatting of the email matches that of real communications from Coinbase, and the message even includes the target’s full name.

However, upon inspection of the email header, it becomes clear that the sender address contains Punycode and the “i” in “coinbase[.]com” is actually the Unicode character “ı”.

Attacker Poses as Executive in Invoice Fraud Attempt

In the second example, the perpetrator opted to impersonate an executive at an industrial equipment company and email a vendor requesting information on outstanding invoices.

Again, the message initially appears legitimate. The vendor wouldn’t be surprised to receive this type of request toward the end of the year, and there are no immediate red flags within the email. It even contains the impersonated executive’s real signature.

But once again, a review of the unabridged email header uncovers the use of Punycode and the substitution of “i” with “ì”.

While Punycode has revolutionized the accessibility of the internet, it has also become a potent tool for cybercriminals to exploit.

The abuse of Punycode underscores the relentless sophistication of email attacks in today’s threat landscape. Cybercriminals leverage this encoding method to create deceptive domains, bypass legacy defenses, and obscure malicious intent. Traditional solutions, such as secure email gateways, often fall short in identifying these nuanced threats, allowing attackers to outmaneuver even seasoned analysts.

To combat these advanced techniques, organizations must adopt AI-native email security solutions capable of analyzing behavior and understanding context. API-based solutions that leverage behavioral AI can identify and block suspicious activity, even when traditional defenses fail. Investing in AI-driven security is no longer optional—it is imperative to stay ahead of the evolving tactics of cyber adversaries.

For even more insights into the emerging threat landscape and predictions for where it’s headed, download our white paper, Inbox Under Siege: 5 Email Attacks You Need to Know for 2025.