A homoglyph attack is a technique where an adversary replaces characters in a malicious string with visually identical or near-identical Unicode equivalents to evade text-based content filters. For example, the Latin letter 'a' (U+0061) can be swapped with the Cyrillic 'а' (U+0430), which looks identical to the human eye but has a completely different code point, allowing a blocked command like DROP TABLE to pass through a keyword-matching firewall undetected.
Glossary
Homoglyph Attack

What is a Homoglyph Attack?
A homoglyph attack is a visual spoofing technique that exploits character similarity to bypass text-based security filters.
This attack is particularly dangerous in prompt injection scenarios, where a homoglyph-encoded instruction like ignore previous instructions—using fullwidth Latin characters—can bypass naive input sanitization. Effective defenses require prompt normalization, which converts all text to a canonical form (e.g., NFKC normalization) and strips or flags mixed-script confusables before the input reaches the language model.
Core Characteristics of Homoglyph Attacks
Homoglyph attacks exploit the visual similarity between distinct Unicode characters to bypass text-based security filters, enabling adversaries to smuggle malicious commands past both human reviewers and automated content moderation systems.
Unicode Character Substitution
The foundational mechanism of a homoglyph attack involves replacing standard ASCII characters with visually identical glyphs from non-Latin scripts. For example, the Latin letter 'a' (U+0061) can be swapped with the Cyrillic 'а' (U+0430). To the human eye, the text appears identical, but to a string-matching algorithm, the byte sequence is entirely different. This allows attackers to bypass blocklists that scan for specific keywords like 'delete' or 'drop table' by encoding them as 'dеlеtе' using Cyrillic 'е' characters.
Internationalized Domain Name (IDN) Homograph Attacks
A classic application of this vector targets the domain name system. Attackers register domains using a mix of scripts—such as Latin, Cyrillic, and Greek—to create a URL that is pixel-perfect to a trusted brand. For instance, the domain 'paypaI.com' uses an uppercase 'I' to mimic a lowercase 'l'. More sophisticated attacks use entirely Cyrillic strings that render identically to Latin script. These domains are then used in phishing campaigns where even vigilant users cannot visually distinguish the fake URL from the real one in the browser bar.
Confusables and Skeleton Matching
The Unicode Consortium maintains a formal list of 'confusable' characters to help defend against these attacks. A skeleton is a normalized representation of a character that strips away stylistic differences, reducing visually similar glyphs to a single prototype. For example, the Latin 'o', Greek 'ο', and Cyrillic 'о' all share the same skeleton. Defensive algorithms use skeleton matching to detect homoglyph attacks by converting all text to its skeletal form before performing string comparisons, effectively neutralizing the visual deception.
Mitigation: Canonicalization and Normalization
The primary defense is Unicode normalization (specifically NFKC or NFKD forms) which decomposes and recomposes characters to their canonical equivalents. This process can collapse many homoglyphs into their ASCII base forms. A robust security pipeline should:
- Apply NFKC normalization to all user inputs before analysis.
- Strip or flag mixed-script text (e.g., text containing both Latin and Cyrillic characters).
- Implement skeleton-based comparison against a denylist of dangerous commands.
- Use perplexity filtering to detect the unnatural character distributions common in obfuscated payloads.
Frequently Asked Questions
Explore the mechanics, risks, and defenses associated with homoglyph attacks—a visual spoofing technique used to bypass text-based security filters in AI and autonomous systems.
A homoglyph attack is a visual spoofing technique that replaces characters in a malicious string with visually identical or near-identical Unicode equivalents to bypass text-based content filters. The attack exploits the vast character space of the Unicode standard, where multiple distinct code points (such as the Latin 'a' U+0061 and the Cyrillic 'а' U+0430) render identically on screen but are processed as entirely different tokens by a system. In the context of prompt injection defense, an attacker might substitute the letters in a command like DROP TABLE with homoglyphs, allowing the adversarial instruction to slip past pattern-matching sanitizers while the underlying language model interprets the semantic meaning correctly. This technique is particularly dangerous because it targets the gap between human visual verification and machine-level byte comparison, enabling payloads to remain invisible during manual review.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts for understanding and mitigating visual spoofing attacks that exploit Unicode to bypass text-based security filters.
Unicode Normalization
The defensive preprocessing step that converts text to a canonical form before security analysis. By decomposing or composing characters into a standard representation (e.g., NFKC normalization), the system collapses visually identical homoglyphs into their base ASCII equivalents. This ensures that 'рaypal.com' (with Cyrillic 'р') is normalized to 'paypal.com' before reaching a content filter, neutralizing the obfuscation.
Confusable Detection
A security mechanism that uses the Unicode Consortium's official confusables table to identify characters with visually ambiguous glyphs. Instead of relying on normalization alone, this method proactively flags strings containing characters designated as 'confusable' with Latin script. For example, the Greek letter 'ο' (omicron) is flagged as confusable with Latin 'o', triggering a review even if the string is technically valid Unicode.
Mixed-Script Detection
A heuristic that identifies strings containing characters from multiple Unicode scripts within a single identifier. Legitimate domain names or commands rarely mix Cyrillic, Latin, and Greek scripts. A string like 'micrοsoft.com' triggers an alert because it combines Latin and Greek characters. This defense is particularly effective against whole-script homoglyph attacks where entire words are spoofed using a single foreign script that visually mirrors Latin.
Punycode Transparency
A defensive user interface practice that forces browsers and applications to display the raw Punycode encoding (e.g., 'xn--80ak6aa92e.com') instead of the rendered Unicode for Internationalized Domain Names (IDNs). By showing the underlying ASCII representation, users and automated systems can immediately see that a domain is not the legitimate Latin-script version, preventing visual spoofing attacks at the display layer.
Skeleton Algorithm Matching
An advanced detection technique that reduces each character to its visual skeleton—a simplified, prototypical shape. Characters that share the same skeleton (e.g., Latin 'a', Cyrillic 'а', and Greek 'α') are treated as identical for comparison purposes. This method goes beyond simple confusable lists by dynamically generating visual fingerprints, catching novel homoglyph combinations that haven't been explicitly catalogued in static lookup tables.
Zero-Width Character Stripping
A sanitization step that removes invisible Unicode control characters often paired with homoglyph attacks to further obfuscate malicious payloads. Characters like Zero-Width Space (U+200B) and Zero-Width Joiner (U+200D) can break keyword matching without visible indication. Stripping these before analysis prevents attackers from bypassing filters by inserting invisible breaks inside blacklisted terms like 'malicious'.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us