How to block ASCII compatible encoding (Punycode) in PAN-OS

Created On 04/28/21 22:21 PM - Last Modified 07/18/24 21:09 PM


Objective


This article shows how to create a custom Anti-Spyware signature in PAN-OS that detects HTTP requests for ASCII compatible encoding (Punycode) domain names, and how to make sure the Anti-Spyware profile blocks them.

Background
Threat actors may cloak phishing websites using Punycode/ASCII compatible encoding to trick users into visiting them. The technique relies on internationalized domain names (IDNs): a domain name containing non-ASCII characters is carried in DNS and in HTTP as ASCII labels that begin with the prefix 'xn--' (Punycode, the ASCII compatible encoding defined in RFC 3492). Web browsers decode these labels on the fly and display the resulting Unicode characters, which the attacker chooses (for example from the Cyrillic alphabet) so that they are visually indistinguishable from the ASCII characters of a trusted web site's domain name.

Example:
Punycode: xn--e1awd7f.com. Decoded, this is not the ASCII string epic.com but the Cyrillic letters е, р, і, с followed by .com; once rendered, it looks exactly like 'epic.com'.

So, if a user visits xn--e1awd7f.com, a browser that renders the decoded IDN shows what appears to be 'epic.com' in the address bar. Browser IDN display policies have since been tightened (see the Wordfence reference below), but not every client applies them, so blocking such requests at the firewall remains useful as defence in depth.



Environment


  • PAN-OS 7.1 or higher
  • Custom Spyware Signature
  • ASCII compatible encoding (Punycode)


Procedure


  1. Go to the Objects tab > Custom Objects > Spyware and click Add at the bottom.
  2. In the Configuration tab:
  • Threat ID: a TID in the range 15000 - 18000 (the range reserved for custom signatures)
  • Name: Punycode Encoding
  • Severity: (Select one)
  • Direction: client2server
  • Default Action: (Select one)
  3. In the Signatures tab:
  • Signature Standard radio button: (Selected)
  • Click Add.
  4. In the Standard window:
  • Standard (Name): Punycode encoded URL
  • Transaction radio button: (Selected)
  • Ordered Condition Match: (Checked)
  • Click Add Or Condition
  5. In the 'New And Condition - Or Condition' window:
  • Operator: (Pull-down) Equal To
  • Value: 1
  • Context: (Pull-down) http-req-ascii-compatible-encoding-prefix-found
  (The context evaluates to 1 when the client request contains a domain label with the ASCII compatible encoding prefix xn--.)
  6. Click OK three times to close the windows. Then make sure that the Anti-Spyware profile attached to the Security Policy rule processing this traffic applies a blocking action to the severity you selected for the custom signature. If the profile's action for that severity is not a blocking one, add an Anti-Spyware Exception in the profile for the configured TID and set a blocking action for it (e.g. reset-client).
  7. Commit the configuration.
 
Note 1: For SSL encrypted sites (URLs of the form https://xn--), detection depends on the firewall being able to read the HTTP request message, so SSL Decryption must be enabled for that traffic; without decryption the Host header is never visible and the signature cannot match.
 
Note 2: This is recommended as a custom Anti-Spyware signature rather than a custom Vulnerability Protection signature because, with a Spyware signature, the user can be shown the Anti-Spyware block response page (the 'comfort' page) explaining why the request was blocked.
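The Background above and the signature condition in step 5, as an added worked example written for this page (not PAN-OS code and not the attached signature): it decodes an xn-- label the way a browser does before rendering it, and implements the same test the http-req-ascii-compatible-encoding-prefix-found context expresses, run over a few constructed client-to-server HTTP requests. The function names, the sample requests, and the heuristic script check based on Unicode character names are assumptions of this example; xn--mnchen-3ya.de (münchen.de) is included as a legitimate IDN to show what else the signature catches.

```python
"""Punycode lookalike detection, mirroring the custom Anti-Spyware signature.

Example code written for this page; not PAN-OS code. The sample requests
below are constructed for illustration, not captured traffic.
"""
import re
import unicodedata

# ASCII compatible encoding prefix defined by IDNA (RFC 3490) for Punycode labels.
ACE_PREFIX = "xn--"

# Constructed client-to-server requests (not real captures).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: xn--e1awd7f.com\r\nUser-Agent: x\r\n\r\n",
    "GET /login HTTP/1.1\r\nHost: epic.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.xn--mnchen-3ya.de:443\r\n\r\n",
]


def host_of(request: str) -> str:
    """Return the Host header value, lower-cased, without a :port suffix.

    Assumption: hostnames only (an IPv6 literal in Host is not handled)."""
    m = re.search(r"^Host:[ \t]*([^\r\n]+)", request, re.IGNORECASE | re.MULTILINE)
    if not m:
        return ""
    return m.group(1).strip().lower().split(":")[0]


def ace_prefix_found(hostname: str) -> bool:
    """The condition the firewall context expresses: at least one DNS label
    of the requested host starts with the ACE prefix xn--."""
    return any(label.startswith(ACE_PREFIX) for label in hostname.split("."))


def signature_matches(request: str) -> bool:
    """Equivalent of the custom signature: a client2server HTTP request whose
    Host contains an xn-- label (context Equal To 1 in the GUI)."""
    return ace_prefix_found(host_of(request))


def to_unicode(hostname: str) -> str:
    """Decode ACE labels as a browser would before rendering (IDNA/Punycode).

    A malformed label that cannot be decoded is returned unchanged."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname


def label_scripts(label: str) -> set:
    """Heuristic set of scripts used in a label: the first word of each
    letter's Unicode character name (e.g. 'CYRILLIC', 'LATIN')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyse(request: str) -> dict:
    """Report what the firewall would match on and what the user would see."""
    host = host_of(request)
    matched = ace_prefix_found(host)
    rendered = to_unicode(host) if matched else host
    # Labels whose letters are not all Latin are candidates for homograph abuse.
    non_latin = [
        lbl for lbl in rendered.split(".")
        if label_scripts(lbl) and label_scripts(lbl) != {"LATIN"}
    ]
    return {
        "host": host,
        "signature_match": matched,
        "rendered": rendered,
        "non_latin_labels": non_latin,
    }


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(analyse(req))
```

Running this shows that the first request is flagged and renders as Cyrillic еріс.com (a lookalike of epic.com), the second is untouched, and the third is also flagged even though it decodes to the legitimate www.münchen.de. That is the trade-off of the signature: it matches every ACE-prefixed request, not only homographs, so review the threat logs after deployment and add exceptions for internationalized domains your users legitimately visit.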


Additional Information


Sample Custom signature attached to this article
As a shortcut, you can import the attached punycode_15400.xml file to your Custom Spyware signatures.
Make sure that TID 15400 is not defined for any other Custom Spyware signature in the configuration.

Reference websites with complementary information
https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
http://fortune.com/2017/04/18/google-chrome-phishing-scam/
https://en.wikipedia.org/wiki/Internationalized_domain_name

A simple Punycode <> Unicode text encoder/decoder:
https://www.punycoder.com/


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM3MCAU&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail