[BreachExchange] ZeroFont phishing attack can bypass Office 365 protections

Destry Winant destry at riskbasedsecurity.com
Wed Jun 20 23:30:59 EDT 2018


https://securityaffairs.co/wordpress/73708/cyber-crime/zerofont-phishing-attack.html

ZeroFont phishing attack – Crooks are using a new technique that
involves manipulating font sizes to bypass Office 365 protections.

According to cloud security firm Avanan, one of the detection
mechanisms in Office 365 involves natural language processing to
identify the content of the messages typically used in malicious
emails.

For example, an email including the words “Apple” or “Microsoft” that
are not sent from legitimate domains, or messages referencing user
accounts, password resets or financial requests are flagged as
malicious.

Experts from Avanan discovered phishing campaigns using emails in
which some of the content is set to be displayed with zero-size font
using <span style=”FONT-SIZE: 0px”>, for this reason, they dubbed the
technique ZeroFont.

“Recently, we have been seeing a number of phishing attacks using a
simple strategy to get their blatant email spoofs past Microsoft’s
phishing scans. The tactic, which we are calling ZeroFont, involves
inserting hidden words with a font size of zero that are invisible to
the recipient in order to fool Microsoft’s natural language
processing.” reads the analysis published by Avanan.

The email appears to the recipient as normal, but Microsoft’s filters
are able to analyze also the text having a font size of “0”.

Summarizing, while the user sees a classic phishing content like this:

Microsoft’s filter will see the overall text including words written
with “FONT-SIZE: 0px” attribute. This text, of course, doesn’t appear
as a malicious content:

“Microsoft can not identify this as a spoofing email because it cannot
see the word ‘Microsoft’ in the un-emulated version. Essentially, the
ZeroFont attack makes it possible to display one message to the
anti-phishing filters and another to the end user,” Avanan’s Yoav
Nathaniel said in a blog post.

Natural language processing is essential to prevent phishing attacks,
but a technique like ZeroFont demonstrated that attackers can bypass
filters with a trick.

In the past, other techniques were devised to bypass anti-phishing
filters, for example,  the Punycode phishing attack, the baseStriker
phishing attack, the Unicode phishing attack, and the Hexadecimal
Escape Characters phishing attack.


More information about the BreachExchange mailing list