The OTP code is dynamic and changes on each keypress to filter out bots and crawlers | Image: Unit 42
In a new report, Palo Alto Networks’ Unit 42 has unveiled an insidious phishing technique that continues to slip past both human perception and automated defenses: homograph attacks. These attacks exploit the visual similarity between Latin and non-Latin characters—such as Cyrillic and Greek letters—to craft emails that appear completely legitimate, but harbor subtle manipulations that deceive the eye and evade detection.
To the human eye, there’s no difference between “Homograph” and “Ηоmоgraph.” But under the hood, the second word is not purely Latin: some of its letters have been swapped for Greek and Cyrillic lookalikes. For example, the Latin letter “H” is replaced by the Greek homoglyph “Η”, and the “o” by the Cyrillic “о”.
“Automated defenses that analyze the word will not recognize it as the word it appears to be and therefore might consider it to be valid or skip the manipulated word during analysis,” the report states.
These lookalike letters trick both people and machines, creating a new class of phishing emails that bypass content filtering, impersonate trusted entities, and lure users into engaging with malicious content.
Unit 42’s research highlights three phishing campaigns that successfully used homograph techniques in different fields of email messages.
Case Study 1: Google Drive File Sharing Phish
Attackers posed as a multinational financial institution and shared documents via Google Drive with targets. The email display name mimicked the company using homograph characters, even though the actual sender domain was unrelated. Built-in filters failed to flag it.

The document contained a “VERIFY” button, directing users to messageconnection.blob.core[.]windows[.]net — a domain believed to have been used for credential theft or malware delivery.
Case Study 2: Fake E-Signing Platform
In another scenario, attackers pretended to send electronic documents for signature. Words in the email’s subject and display name—like “Сonfidеntiаl,” “Տtаtеmеnt,” and “Ꭲiꮯkеt”—were loaded with deceptive characters.
The emails impersonated DocuSign, and clicking the “SIGN DOCUMENTS” button triggered a chain of redirections, ending at malicious domains such as kig.skyvaulyt[.]ru.
The elaborate ruse included a fake validation screen and tailored email content containing the target’s name, company branding, and realistic CAPTCHA challenges, making detection difficult even for savvy users.
Case Study 3: Spotify Billing Impersonation
The third case mimicked Spotify with an email urging the user to update their payment method. The display name “Sρօtifу” included multiple non-Latin characters, fooling users into believing the sender was legitimate.
The attackers used a trusted URL shortening service to obscure the link’s true intent, which likely led to a phishing site designed for credential theft.
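The two checks a mail filter can run against the display names and subject lines described above (mixed-script words, and brand words that only match after lookalikes are folded back to Latin), as an added example that is not code from the Unit 42 report. The lookalike table and the watch-word list are small constructed subsets for illustration.

```python
import re
import unicodedata

# Partial lookalike table covering the homoglyphs cited in the article
# (constructed for this example; a real filter would load the full
# Unicode confusables data instead).
LOOKALIKES = {
    "\u0397": "H",  # GREEK CAPITAL LETTER ETA
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0585": "o",  # ARMENIAN SMALL LETTER OH
    "\u03c1": "p",  # GREEK SMALL LETTER RHO
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0421": "C",  # CYRILLIC CAPITAL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
}

# Brand and lure words worth matching on their visual skeleton (constructed list).
WATCH_WORDS = {"spotify", "docusign", "confidential", "statement", "ticket"}


def script_of(ch):
    """Coarse script bucket: first word of the Unicode name ('LATIN', 'CYRILLIC', ...)."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unnamed code point
        return "UNKNOWN"


def mixed_script_tokens(text):
    """Return [(token, sorted scripts)] for every word that mixes scripts."""
    findings = []
    for token in re.findall(r"\w+", text):
        scripts = {s for s in map(script_of, token) if s}
        if len(scripts) > 1:
            findings.append((token, sorted(scripts)))
    return findings


def skeleton(text):
    """Replace known lookalikes with the Latin letter they imitate."""
    return "".join(LOOKALIKES.get(c, c) for c in unicodedata.normalize("NFKC", text))


def assess(text):
    """Flag a display name or subject line the way a content filter could."""
    skel = skeleton(text).lower()
    # A watch word that appears only after folding means it was spelled with lookalikes.
    impersonated = sorted(w for w in WATCH_WORDS if w in skel and w not in text.lower())
    mixed = mixed_script_tokens(text)
    return {"mixed_script": mixed, "impersonated": impersonated,
            "suspicious": bool(mixed or impersonated)}
```

Running `assess` over the From display name and Subject header of inbound mail gives a cheap signal that complements sender-domain checks, since the lookalike text lives in those header fields rather than in the domain.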
The Unit 42 report warns that AI is amplifying the threat by enabling attackers to rapidly generate authentic-looking emails. When combined with homograph tactics, these emails become virtually indistinguishable from legitimate correspondence.
“The increased adoption of new AI models enables attackers to create more convincing and personalized emails,” the report concludes.