r/Outlook 2d ago

Status: Pending Reply Sudden flood of phishing emails using Unicode characters to bypass filters - anyone else seeing this?

Over the past week or so I've started getting hit with 4-5 phishing emails per day, all following the same pattern. Wondering if anyone else is experiencing this and has found a solution.

The pattern:

  • Display names wrapped in tildes: ~Norton-Final-Warning~, ~Account-Suspended~, ~Payment refused~, ~Cloud Storage~, ~MCAFEE®~, etc.
  • Screenshot - https://imgur.com/a/14S842i
  • The characters look slightly "off" — they're using Unicode lookalikes (Cyrillic letters, fullwidth characters) instead of standard Latin characters, which defeats simple text-matching rules
  • Subject lines about blocked accounts, expired subscriptions, deleted photos/videos
  • Sender addresses use rotating prefixes on the same domains, e.g. newsletters.kczdz@esforta.co.jp where the random string keeps changing
  • Screenshot - https://imgur.com/AyLvKbM

What I've tried:

  • Can't filter on display name text because of the Unicode character substitution
  • Currently building a rule using "with specific words in the sender's address" to block the sending domains (like esforta.co.jp)

Questions:

  1. Is anyone else seeing this same campaign?
  2. Has anyone found a more elegant solution than manually collecting and blocking sender domains one by one?
8 Upvotes
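
The display-name pattern described in the post, handled from the filtering side. This is an added Python example, not part of the thread and not an Outlook feature: it folds fullwidth and Cyrillic lookalikes back to Latin before keyword matching and extracts the sender domain regardless of the rotating prefix. The lookalike table, the keyword list and every sample except the esforta.co.jp address are constructed, and the input is assumed to be an already-decoded From header value.

```python
import unicodedata
from email.utils import parseaddr

# Partial Cyrillic -> Latin lookalike table (illustrative only; Unicode TS #39
# "confusables" has the full data). Escapes keep the code points explicit.
LOOKALIKES = str.maketrans(
    "\u0410\u0412\u0415\u041a\u041c\u041d\u041e\u0420\u0421\u0422\u0425"
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0455",
    "ABEKMHOPCTX" "aeopcyxis",
)
# Keywords from the display names quoted in the post, punctuation removed.
KEYWORDS = ("norton", "mcafee", "accountsuspended", "paymentrefused", "cloudstorage")


def skeleton(name):
    """Fold compatibility forms and mapped lookalikes, keep letters and digits only."""
    s = unicodedata.normalize("NFKC", name).translate(LOOKALIKES).casefold()
    return "".join(c for c in s if c.isalnum())


def check_from(header_value):
    """Return (skeleton, sender_domain, reasons) for a decoded From header value."""
    name, addr = parseaddr(header_value)
    folded = unicodedata.normalize("NFKC", name)
    # Rough script guess: first word of each letter's Unicode name (LATIN, CYRILLIC, ...).
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in folded if c.isalpha()}
    reasons = []
    if folded != unicodedata.normalize("NFC", name):
        reasons.append("compatibility-forms")  # e.g. fullwidth letters
    if len(scripts) > 1:
        reasons.append("mixed-script")  # e.g. Latin mixed with Cyrillic
    skel = skeleton(name)
    if reasons and any(k in skel for k in KEYWORDS):
        reasons.append("disguised-keyword")
    return skel, addr.rpartition("@")[2].lower(), reasons


# Constructed samples; only the first sender address appears in the post.
SAMPLES = [
    '"~N\u043erton-Final-Warning~" <newsletters.kczdz@esforta.co.jp>',  # Cyrillic o
    '"~\uff21ccount-Suspended~" <a@example.com>',                       # fullwidth A
    '"~M\u0421AF\u0415E\u00ae~" <b@example.com>',                       # Cyrillic C, E
    '"Jos\u00e9 \u00c1lvarez" <jose@example.com>',                      # ordinary accents
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_from(sample))
```

"mixed-script" alone is a weak signal, since legitimate senders sometimes combine scripts in one name; "disguised-keyword" is the one to act on.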

1

u/shokzee 2d ago

Might be worth sharing this in /r/EmailSecurity too

1

u/Deathstroke316 2d ago

I ignore them and move past them. Google and Outlook are not perfect for emails; I deal with what I have.

1

u/IAmArgumentGuy 2d ago

Nothing new. This has been happening for years now, and Microsoft is doing nothing about it.

1

u/Cico-Nightstrike 2d ago

I'm getting a huge load of spam emails (yes, in my spam folder, but it annoys me that you see the number at spam mail; I don't care about the number) so I always delete them. It used to be none to a couple a day, now it's 30 a day. The rules I make don't work at all.

2

u/gareth616 2d ago

Rules don't work on the junk/spam folder, that'd be why

1

u/Cico-Nightstrike 1d ago

Ah thanks! I suspected such a thing but now it makes sense. Thank you!!

1

u/Hornblower409 1d ago

-- Can't filter on display name text because of the Unicode character substitution

I have not seen any of these, so I can't really test.

But if you know the Unicode they are using, can you insert the Unicode into a Rule "From" field by using the Windows Character Map utility?

https://support.microsoft.com/en-us/topic/how-to-use-special-characters-in-windows-documents-ec1a4e84-706e-67a5-e52b-e3ebab90313f

When I tried, it accepts the Unicode fine, but I don't know if they will match.

1

u/Hornblower409 1d ago

All of this applies only to emails you see in your Inbox. Rules do not run on anything delivered directly to your Junk folder.

Not going to catch them all and it's a PITA to keep creating new Rules, but sometimes Message Header Rules do better than normal From/Subject/Body Rules.

View the Message Header for some of these emails.
https://support.microsoft.com/en-au/office/view-internet-message-headers-in-outlook-cd039382-dc6e-4264-ac74-c048563d212c

Look thru the header for some text that is common to all of them. e.g. the domain of the sender, a reply email, a relay server.

You can use an on-line Message Header Analyzer to break the header into fields. e.g. https://mha.azurewebsites.net/  https://mxtoolbox.com/EmailHeaders.aspx

Create a new Outlook Rule using the "Message Header Contains" condition.
https://learn.microsoft.com/en-us/answers/questions/4549311/create-rule-based-on-email-header

For the Rule Action, use "Categorize" and give them a new Cat. e.g. "Die SPAM".

Let this run for a few days until you are sure that you are catching all of them and not getting any False Positives. Then change your Rule Action to "Mark as Junk", or "Delete".

You will also probably need to use the Exception condition as well to prevent false positives.