Scammers using ZeroFont technique to slip phishing emails past Office 365 security filters
Cybercriminals are using a technique called 'ZeroFont' to bypass Microsoft's security filters and deliver spam and phishing emails to Office 365 email accounts.
The technique involves inserting hidden words with a font size of zero that are invisible to the recipient, thus tricking the natural language processing used by Microsoft's Office 365 platform. While a human reading the message cannot see the zero-font-size text, the entire text, including the hidden characters, is visible to email security software.
According to Avanan researchers, cybercriminals are seeking new ways to trick language analyzers and users beyond typical phishing email lures such as password resets, financial requests, banking information and more.
In one example, an email designed to impersonate an Office 365 quota limit notification was sent to a user but was not flagged by Microsoft as a phishing email.
“This email was not flagged by Microsoft because the hacker inserted random text throughout the email to break up the text strings that would trigger Microsoft's natural language processing,” researchers said. “In some cases, random words are used. These inserted characters are embedded within the HTML code <span style="FONT-SIZE: 0px"> to have a font size of zero, making them invisible to the recipient of the email.”
Therefore, the email looks normal to the user, while Microsoft's filters read a “seemingly random string of characters.”
“Microsoft cannot identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user,” researchers said.
While natural language processing is essential to prevent phishing attacks, a technique like ZeroFont demonstrates how easily attackers can bypass these filters with a simple trick.
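The gap the researchers describe is between the text a naive filter reads (every text node in the HTML) and the text the recipient actually sees (text nodes outside any element styled with a zero font size). A filter that builds both views and compares them can flag the trick instead of being fooled by it. The following is an added illustration written for this article, not code from Avanan or Microsoft; it uses only Python's standard-library `html.parser`, the `SAMPLE` email body is constructed for the example, and the brand terms checked (`microsoft`, `office 365`) are an assumed watch list.

```python
"""Detect ZeroFont-style hidden text in an HTML email body (added example).

Two views of the same message are produced: the "raw" view a naive text
extractor sees, and the "visible" view the recipient sees, which skips text
inside elements whose inline style sets font-size to 0. Hidden text, or a
brand name that appears only in the visible view, marks the message.
"""
import re
from html.parser import HTMLParser

# Matches inline styles such as "FONT-SIZE: 0px", "font-size:0", "font-size: 0em".
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I
)
# Elements with no closing tag; they never open a hidden region to track.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def is_zero_font(style: str) -> bool:
    """True if an inline style string sets a zero font size."""
    return bool(ZERO_FONT_RE.search(style or ""))


class _TwoViewParser(HTMLParser):
    """Collects raw, visible and hidden text while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.raw = []            # every text node, as a naive filter reads it
        self.visible = []        # text nodes outside any zero-font element
        self.hidden = []         # text nodes inside a zero-font element
        self._hidden_depth = 0   # how many zero-font elements enclose us
        self._stack = []         # (tag, opened_hidden_region) per open element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        hidden = is_zero_font(dict(attrs).get("style") or "")
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag not in [t for t, _ in self._stack]:
            return  # stray closing tag; ignore it
        # Pop to the matching open tag, tolerating unclosed inner elements.
        while self._stack:
            t, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        self.raw.append(data)
        if self._hidden_depth == 0:
            self.visible.append(data)
        else:
            self.hidden.append(data)


def _normalize(parts) -> str:
    return re.sub(r"\s+", " ", "".join(parts)).strip()


def analyze(html: str, brand_terms=("microsoft", "office 365")) -> dict:
    """Return both text views plus what a filter should act on."""
    p = _TwoViewParser()
    p.feed(html)
    p.close()
    raw, visible, hidden = _normalize(p.raw), _normalize(p.visible), _normalize(p.hidden)
    # Brand terms the recipient sees but a raw-text scan would miss.
    masked = [t for t in brand_terms if t in visible.lower() and t not in raw.lower()]
    return {
        "raw_text": raw,
        "visible_text": visible,
        "hidden_chars": len(hidden),
        "masked_terms": masked,
        # Any zero-font text in an email is worth flagging on its own.
        "suspicious": len(hidden) > 0,
    }


# Constructed sample body: a fake quota notice with zero-font filler splitting
# "Microsoft" and "Office 365" so a raw scan never sees either term intact.
SAMPLE = (
    '<html><body><p>Your Micro<span style="FONT-SIZE: 0px">xyz</span>soft '
    'Office <span style="font-size:0">qqq</span>365 mailbox is almost full. '
    '<a href="http://example.invalid/quota">Upgrade now</a></p></body></html>'
)

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it on `SAMPLE` shows a visible view reading "Your Microsoft Office 365 mailbox is almost full. Upgrade now", a raw view containing "Microxyzsoft" and "qqq365", six hidden characters, and both watch-list terms reported as masked. The same two-view approach extends to other visibility tricks the filter may want to cover (for example `display:none` or text coloured to match the background) by widening `is_zero_font` into a general "is this element rendered?" check.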
Avanan notes that the ZeroFont technique is currently being used in the wild alongside other tricks such as Punycode, Unicode or hexadecimal escape characters.