Mail from a 'customer' with a strange letter in the domain
IDN homograph attacks use Cyrillic or Greek that looks like Latin (a, e, o). A mail from vеctel.nl with Cyrillic е looks identical. Mail clients sometimes show Punycode (xn--), sometimes don't. This is a classic spear-phishing vector.
Try this first
- 1Inspect the header as plain text. View source or 'show original' shows the real ASCII domain (xn--...).
- 2Set a rule on your mail gateway flagging or blocking inbound with Punycode domains. M365 Defender has 'Anti-phishing impersonation protection', turn it on.
- 3Add a transport rule that quarantines external mail with look-alike-domain to your brand.
- 4Train staff on hover checks for sender and links. An 'oh that letter is red' rule in the mail client helps.
- 5Report the domain to the registrar as phishing and to Spamhaus DBL for takedown.
When to bring us in
If a C-level is being impersonated, a dedicated filter rule flagging specific from-names (BEC protection) is worth it.
See also
- Our emails land in spam for some recipientsAlmost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us"Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failedThe NDR text usually states the exact reason. Reading it is step one.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.