
Homoglyph Attacks – New Threat Lookalike Domains


Cybercriminals continue to find new ways to trick people, and one of the most convincing is the homoglyph domain attack. This method exploits the way we recognize letters by using characters from different alphabets that closely resemble each other. For example, a hacker can register a domain like “аррӏе.com,” which resembles “apple.com” but uses Cyrillic letters. You wouldn’t notice the difference unless you looked at the Unicode values. Once the fake site is live, the attacker can clone the real site, get a valid SSL certificate, and fool users into entering their passwords. Even careful users who check for “https://” and the lock icon can fall for it.

Homoglyph domains exist due to Internationalized Domain Names (IDNs), which enable non-Latin characters in web addresses. The system converts these into Punycode, which browsers read as normal domains. Certificate Authorities (CAs) will often issue valid certificates to these names once ownership is confirmed. To users, everything looks legitimate.

Here’s an example showing how many characters can mimic a capital “A.” They all have different Unicode values but look nearly identical in most fonts:

A Α А Ꭺ ᗅ ᴀ ꓮ A 𐊠 𝐀 𝐴 𝑨 𝒜 𝓐 𝔄 𝔸 𝕬 𝖠 𝗔 𝘈 𝘼 𝙰 𝚨 𝛢 𝜜 𝝖 𝞐
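To make the Unicode values and the Punycode conversion described above visible, here is an added example (not code from the original article) that reports, for each label of a domain, its code points, the scripts it uses, and the ASCII form that DNS and certificates carry. The function names are hypothetical, the script check is a heuristic based on Unicode character names, and the inputs are constructed.

```python
import unicodedata

def script_of(ch):
    """Approximate a character's script from its Unicode name.

    Heuristic: the standard library does not expose the Script property,
    so the first word of the name ("LATIN", "CYRILLIC", ...) stands in.
    """
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def a_label(label):
    """ASCII form of a label (raw Punycode; IDNA mapping rules are skipped)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def inspect_domain(domain):
    """Describe each label: ASCII form, scripts used, and a verdict."""
    report = []
    for label in domain.lower().split("."):
        scripts = sorted({script_of(ch) for ch in label} - {"COMMON"})
        if len(scripts) > 1:
            verdict = "mixed-script"
        elif scripts and scripts != ["LATIN"]:
            verdict = "single-script non-Latin"
        else:
            verdict = "plain"
        report.append({"label": label, "ascii": a_label(label),
                       "scripts": scripts, "verdict": verdict,
                       "codepoints": [f"U+{ord(c):04X}" for c in label]})
    return report

# Constructed inputs: the article's all-Cyrillic example, and a Latin name
# with one Cyrillic "а" (U+0430) swapped in.
ALL_CYRILLIC = "\u0430\u0440\u0440\u04cf\u0435.com"
ONE_SWAPPED = "ex\u0430mple.com"

if __name__ == "__main__":
    for name in (ALL_CYRILLIC, ONE_SWAPPED):
        for row in inspect_domain(name):
            print(row)
```

The all-Cyrillic name is reported as single-script, so a check that only looks for mixed scripts would not flag it; the confusable comparison has to be done separately.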

Many organizations rely on Microsoft 365 to block phishing, and while it helps, it’s not foolproof. Microsoft Defender focuses on domain authentication checks like SPF, DKIM, and DMARC. It doesn’t analyze visual similarities between characters. That means a hacker can register a domain that appears identical to yours, send a legitimate-looking message, and bypass the block without detection.

How to Reduce the Risk

1. Control Certificate Issuance
Add a CAA record to your DNS so only trusted CAs can issue SSL/TLS certificates for your domain. This keeps unknown or rogue providers from issuing fraudulent certs in your name.

2. Stick with Reputable Certificate Authorities
Use well-known CAs that publish transparency logs and meet strict audit standards: DigiCert, GlobalSign, Entrust, Sectigo, Amazon Trust Services, Google Trust Services, or Let’s Encrypt for internal use only.

3. Watch Certificate Transparency Logs
CT logs record every SSL certificate that has ever been issued. Regularly review them for new entries that resemble your domain. Free tools like Censys or crt.sh can help, or you can feed these logs into your SIEM for automated alerts.

4. Monitor for Lookalike Domains
Topgallant Partners can actively monitor for homoglyph and lookalike domains as part of our ongoing security monitoring and Security Risk Assessment process. We identify domains that mimic your organization’s web presence using Unicode confusables, newly registered domains, and Certificate Transparency data. This helps detect early signs of impersonation or brand abuse before a threat actor launches a phishing campaign or credential-harvesting site. Our team correlates DNS, WHOIS, and certificate data to identify live infrastructure and issue timely alerts. You can also script similar monitoring using open tools available on the Internet, but a managed approach ensures continuous visibility, validation, and professional analysis.
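The CT log review in step 3 and the lookalike monitoring in step 4 can be scripted along these lines. This is an added example, not the vendor's tooling or code from the original article: the function names are hypothetical, the confusables table is a small constructed subset of the Unicode confusables data (UTS #39), and the certificate names are a constructed sample.

```python
import unicodedata

# Constructed subset of Unicode's confusables data (UTS #39); a real monitor
# would load the full confusables.txt table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
    "\u0456": "i", "\u03bf": "o", "\u03b1": "a",
}

def to_unicode(name):
    """Decode xn-- labels (the form CT logs and DNS carry) to Unicode."""
    labels = []
    for label in name.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed A-label: keep the raw text
        labels.append(label)
    return ".".join(labels)

def skeleton(name):
    """Fold a name to the Latin text a reader would perceive."""
    folded = unicodedata.normalize("NFKC", to_unicode(name))
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def find_lookalikes(protected, cert_names):
    """Return (logged_name, unicode_form) pairs that imitate `protected`."""
    hits = []
    for name in cert_names:
        shown = to_unicode(name)
        skel = skeleton(name)
        imitates = skel == protected or skel.endswith("." + protected)
        if imitates and shown != skel:  # genuine names fold to themselves
            hits.append((name, shown))
    return hits

# Constructed sample of names as they would appear in CT search results.
SAMPLE_CT_NAMES = [
    "www.apple.com",          # the organization's own certificate
    "xn--80ak6aa92e.com",     # A-label of the article's all-Cyrillic example
    "xn--mnchen-3ya.de",      # unrelated, legitimate IDN
]

if __name__ == "__main__":
    for logged, shown in find_lookalikes("apple.com", SAMPLE_CT_NAMES):
        print(f"ALERT {logged} renders as {shown}")
```

The same comparison works on a feed of newly registered domains; only the source of the names changes.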

5. Lock Down Browsers and Email
Configure browsers to show Punycode versions of internationalized domains. Disable mixed-script rendering and block IDNs that don’t match your locale. Enable Safe Links or URL scanning in your email security tools to stop users from visiting homoglyph domains in the first place.

6. Use Secure DNS
Adopt Secure DNS providers such as Cloudflare, Google Public DNS, or Quad9. They block known phishing domains and use DNSSEC and encryption to stop DNS tampering.

7. Train Your Users
Show staff how to inspect links and report any suspicious activity. Most homoglyph attacks succeed because the user trusts what appears to be right.

8. Enroll Key Personnel in Google’s Advanced Protection Program
For users handling sensitive accounts, Google’s Advanced Protection Program provides hardware-key authentication, restricts access to risky apps, and blocks known phishing pages. It serves as an adequate safeguard for executives and administrators.

9. Prepare for the Worst
Have a takedown process ready. Keep contact information for registrars, hosting providers, and CAs so you can act fast if someone spins up a fake domain.

Homoglyph attacks are dangerous because they exploit what we see and what we trust. Technology can help, but awareness and layered defenses are what stop them. At Topgallant Partners, we help clients identify, monitor, and mitigate these threats before they escalate into incidents. Knowing the risk is one thing. Being ready for it is what makes the difference.

Need More Information?
Topgallant Partners provides cybersecurity consulting and risk management services that protect organizations from advanced threats, such as homoglyph domain spoofing. You can visit our Cybersecurity Services page to learn more or schedule a consultation.
