
The “Bidi Swap”: Why You Can’t Trust Your Eyes

In the world of security awareness, we often teach users to “hover before you click” and “check the domain.” But what happens when the browser itself is tricked into displaying a lie? The Bidi Swap (or Bidirectional Swap) is a sophisticated visual deception that uses invisible Unicode bidirectional control characters to change the order in which a URL is drawn on the screen, without changing the address the browser actually resolves.

By mixing left-to-right text (like English) with right-to-left characters (like Arabic or Hebrew), attackers can make a malicious domain look like a trusted site—such as microsoft.com—while the computer is actually connecting to a completely different host. This isn’t a “hack” in the traditional sense; it’s a visual illusion that bypasses the standard visual checks we’ve spent years training our employees to perform.
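As an added example (not code from the original post), here is the kind of check a mail gateway, link scanner or awareness demo can apply: it lists the bidirectional control characters hidden in a link, strips them to recover the logical order of the address, and reports the host a browser would actually resolve. The sample URLs are constructed, and attacker.example is a placeholder host.

```python
import unicodedata
from urllib.parse import urlsplit

# Unicode bidirectional control characters. They are invisible when rendered,
# but they change the order in which the surrounding text is displayed.
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)


def find_bidi_controls(text):
    """Return (index, Unicode name) for every bidi control character in text."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def has_rtl_chars(text):
    """True if text contains strong right-to-left characters (Hebrew, Arabic, ...)."""
    return any(unicodedata.bidirectional(ch) in ("R", "AL") for ch in text)


def inspect_link(url):
    """Report what a browser would resolve, independent of how the URL is drawn."""
    controls = find_bidi_controls(url)
    # Strip the controls to recover the logical (stored) order of the address.
    logical = "".join(ch for ch in url if ch not in BIDI_CONTROLS)
    host = urlsplit(logical).hostname or ""
    return {
        "logical_host": host,
        "bidi_controls": controls,
        "rtl_in_host": has_rtl_chars(host),
        # Either signal alone is reason to block or quarantine the link.
        "suspicious": bool(controls) or has_rtl_chars(host),
    }


if __name__ == "__main__":
    # Constructed samples: a plain link and one carrying a RIGHT-TO-LEFT OVERRIDE
    # (U+202E), which makes the text after it render reversed on screen.
    samples = [
        "https://www.microsoft.com/",
        "https://attacker.example\u202e/moc.tfosorcim",  # placeholder host
    ]
    for url in samples:
        print(inspect_link(url))
```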

Guidance to Encourage Among Users

Since traditional URL inspection is no longer foolproof, awareness professionals should pivot toward these more resilient defensive habits:

  • Move Beyond “Hover and Read”: Acknowledge to your team that sophisticated links can now deceive even trained eyes. Teach them that if a link arrives unexpectedly or creates a sense of urgency, the safest path is to manually type the address or use a trusted bookmark, rather than clicking.

  • Prioritize Browser Updates: Browser developers are constantly working to detect these “lookalike” URLs. Ensure your users understand that clicking “Update” on Chrome, Firefox, or Edge isn’t just about new features—it’s about receiving the latest logic to unmask these hidden characters.

  • The “MFA as the Safety Net” Mantra: If a user is successfully tricked into clicking a Bidi Swap link and enters their credentials on a spoofed page, Multi-Factor Authentication (MFA) is often the only thing standing between the attacker and the account. Reinforce MFA as a non-negotiable layer of protection.

  • Promote Domain Highlighting: If your organization uses Firefox, show users how it highlights the “actual” domain in the address bar. For other browsers, encourage users to look for “Navigation Suggestions” or warnings that a URL might be a lookalike.

  • Scrutinize Browser Extensions: Since Bidi characters can also hide malicious logic in browser add-ons, encourage a “minimalist” approach to extensions. If they don’t use it, they should lose it.

By updating your training to reflect these “invisible” threats, you help your employees stay vigilant against scams that are designed to be literally unseeable.


Read the full breakdown of the Bidi Swap vulnerability here:

Look Closely at that Link! What is the Bidi Swap?
