Tactic or Technique: Punycode

Punycode lets attackers register domains that look identical to real ones by swapping Latin characters with visually similar ones from other alphabets. A domain like “apple[.]com” can be faked using a Cyrillic “а,” creating a near-perfect visual match that's easy to overlook.
Phishing emails often use these domains to impersonate trusted brands, support teams, or financial institutions. When you click the link, the address in the browser looks familiar, so you're more likely to trust the site and enter your login details.
Since Punycode relies on subtle character substitutions, it's hard to spot at a glance. Many security tools also fail to decode it properly, which gives attackers a reliable way to steal credentials while bypassing basic detection.
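
A check that decodes the `xn--` form before judging a hostname, as an added example that is not part of the original page: it decodes each label, flags non-Latin and mixed-script labels, and compares a look-alike "skeleton" against a watchlist. The confusables map, the `PROTECTED` watchlist and the sample hostnames are constructed assumptions, and script detection from Unicode character names is a heuristic.

```python
import unicodedata


# Constructed, partial look-alike map (Cyrillic -> Latin); a real deployment
# would load the full Unicode confusables.txt data instead.
CONFUSABLES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456\u0455\u04cf", "aeopcxyisl")
# Hypothetical watchlist of labels the defender wants to protect.
PROTECTED = {"apple", "paypal"}


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding the xn-- ACE form."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts(label):
    """Approximate each letter's script from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze_host(host):
    """Decode every label of a hostname and return (decoded_host, sorted flags)."""
    flags, decoded = set(), []
    for raw in host.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            flags.add("undecodable-punycode")  # treat as suspicious, not as clean
            decoded.append(raw)
            continue
        decoded.append(label)
        found = scripts(label)
        if found - {"LATIN"}:
            flags.add("non-latin-script")
        if len(found) > 1:
            flags.add("mixed-script")
        skeleton = label.lower().translate(CONFUSABLES)
        if skeleton != label.lower() and skeleton in PROTECTED:
            flags.add("lookalike-of-protected-name")
    return ".".join(decoded), sorted(flags)


if __name__ == "__main__":
    # Constructed samples: Cyrillic "a" + "pple", an all-Cyrillic spelling, a benign host.
    for name in ("\u0430pple", "\u0430\u0440\u0440\u04cf\u0435", "apple"):
        ace = "xn--" + name.encode("punycode").decode("ascii") if not name.isascii() else name
        print(ace + ".com", analyze_host(ace + ".com"))
```

The all-Cyrillic sample shows why a mixed-script test alone is not enough: the label uses a single script, so only the skeleton comparison catches it.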
Detection Methods (2):