Different clients have different attenuations, but the common denominator is that they usually prevent an attacker from mixing different alphabet homographs by falling back into punycode if multiple alphabets are used:
Chrome versions 51 and above use an algorithm similar to the one used by Firefox. Previous versions display an IDN only if all its characters belong to one (and only one) of the user's preferred languages.
The approach of Safari is to make problematic character sets in the form Punycode. This can be changed by changing the settings of the Mac OS X system files.
Versions 22 and later of Mozilla Firefox display IDNs if the TLD prevents homograph attacks by limiting the characters that can be used in domain names or labels that do not mix scripts of different languages. Otherwise, the IDNs are displayed in Punycode.
IDN homograph attack – Wikipedia
To talk to your specific example of
aa.com In Cyrillic, here is the Google Chrome rule that detects this and displays punycode. Other browsers generally use similar rules:
- If a host name belongs to a non-IDN TLD (top-level domain) such as "com", "net" or "uk" and all the letters of a given label belong to a set of Cyrillic letters resembling Latin. letters (eg Cyrillic in small letters IE – е), show punycode.
IDN in Google Chrome