Inferensys

Glossary

Homoglyph Attack

A visual spoofing technique that replaces characters in a malicious command with visually identical Unicode equivalents to bypass text-based content filters.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
VISUAL SPOOFING

What is a Homoglyph Attack?

A homoglyph attack is a visual spoofing technique that exploits character similarity to bypass text-based security filters.

A homoglyph attack is a technique where an adversary replaces characters in a malicious string with visually identical or near-identical Unicode equivalents to evade text-based content filters. For example, the Latin letter 'a' (U+0061) can be swapped with the Cyrillic 'а' (U+0430), which looks identical to the human eye but has a completely different code point, allowing a blocked command like DROP TABLE to pass through a keyword-matching firewall undetected.

This attack is particularly dangerous in prompt injection scenarios, where a homoglyph-encoded instruction like ignore previous instructions—using fullwidth Latin characters—can bypass naive input sanitization. Effective defenses require prompt normalization, which converts all text to a canonical form (e.g., NFKC normalization) and strips or flags mixed-script confusables before the input reaches the language model.

Visual Deception Vectors

Core Characteristics of Homoglyph Attacks

Homoglyph attacks exploit the visual similarity between distinct Unicode characters to bypass text-based security filters, enabling adversaries to smuggle malicious commands past both human reviewers and automated content moderation systems.

01

Unicode Character Substitution

The foundational mechanism of a homoglyph attack involves replacing standard ASCII characters with visually identical glyphs from non-Latin scripts. For example, the Latin letter 'a' (U+0061) can be swapped with the Cyrillic 'а' (U+0430). To the human eye, the text appears identical, but to a string-matching algorithm, the byte sequence is entirely different. This allows attackers to bypass blocklists that scan for specific keywords like 'delete' or 'drop table' by encoding them as 'dеlеtе' using Cyrillic 'е' characters.

100k+
Confusable Unicode Characters
03

Internationalized Domain Name (IDN) Homograph Attacks

A classic application of this vector targets the domain name system. Attackers register domains using a mix of scripts—such as Latin, Cyrillic, and Greek—to create a URL that is pixel-perfect to a trusted brand. For instance, the domain 'paypaI.com' uses an uppercase 'I' to mimic a lowercase 'l'. More sophisticated attacks use entirely Cyrillic strings that render identically to Latin script. These domains are then used in phishing campaigns where even vigilant users cannot visually distinguish the fake URL from the real one in the browser bar.

Xudpāy.com
Classic IDN Spoof Example
04

Confusables and Skeleton Matching

The Unicode Consortium maintains a formal list of 'confusable' characters to help defend against these attacks. A skeleton is a normalized representation of a character that strips away stylistic differences, reducing visually similar glyphs to a single prototype. For example, the Latin 'o', Greek 'ο', and Cyrillic 'о' all share the same skeleton. Defensive algorithms use skeleton matching to detect homoglyph attacks by converting all text to its skeletal form before performing string comparisons, effectively neutralizing the visual deception.

06

Mitigation: Canonicalization and Normalization

The primary defense is Unicode normalization (specifically NFKC or NFKD forms) which decomposes and recomposes characters to their canonical equivalents. This process can collapse many homoglyphs into their ASCII base forms. A robust security pipeline should:

  • Apply NFKC normalization to all user inputs before analysis.
  • Strip or flag mixed-script text (e.g., text containing both Latin and Cyrillic characters).
  • Implement skeleton-based comparison against a denylist of dangerous commands.
  • Use perplexity filtering to detect the unnatural character distributions common in obfuscated payloads.
HOMOGLYPH ATTACKS

Frequently Asked Questions

Explore the mechanics, risks, and defenses associated with homoglyph attacks—a visual spoofing technique used to bypass text-based security filters in AI and autonomous systems.

A homoglyph attack is a visual spoofing technique that replaces characters in a malicious string with visually identical or near-identical Unicode equivalents to bypass text-based content filters. The attack exploits the vast character space of the Unicode standard, where multiple distinct code points (such as the Latin 'a' U+0061 and the Cyrillic 'а' U+0430) render identically on screen but are processed as entirely different tokens by a system. In the context of prompt injection defense, an attacker might substitute the letters in a command like DROP TABLE with homoglyphs, allowing the adversarial instruction to slip past pattern-matching sanitizers while the underlying language model interprets the semantic meaning correctly. This technique is particularly dangerous because it targets the gap between human visual verification and machine-level byte comparison, enabling payloads to remain invisible during manual review.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.