ZeroFont Phishing Attack Bypasses Microsoft Office Security Feature

The ZeroFont phishing attack allows phishers to bypass anti-spam controls and ensure their emails are delivered to end users’ inboxes.

ZeroFont Phishing

Cybercriminals are constantly developing new ways to bypass anti-spam technologies, one of which has been uncovered by security researchers at the cloud security company Avanan.

The technique, termed ZeroFont phishing, allows phishers to get their messages past Microsoft Office 365 protections and delivered to end users’ inboxes.

One of the problems phishers face when impersonating big-name brands is that many spam filters inspect the content of messages for names such as Microsoft and Apple. When the links supplied in those emails – and the emails themselves – do not come from legitimate domains, the messages are flagged and delivered to junk or spam folders rather than inboxes. The ZeroFont phishing technique gets around this control in an interesting way.

The campaign detected by Avanan used an email warning the end user that they had reached the maximum quota for their mailbox. The message was signed as “Office 365” and asked the user to click a link to upgrade their account.

The end user would therefore be likely to believe that the email had been sent by Microsoft if they did not check the domain from which the email was sent.

Normally, Microsoft would see such an email for what it was – a phishing attempt – as the email was not actually signed by Microsoft and did not use a legitimate Microsoft domain.

In this case that didn’t happen, as the content of the message included text wrapped in <span style="FONT-SIZE: 0px">. Text styled with a zero font size is not displayed to the end user; however, Microsoft’s filters would still read it. Inserting such hidden characters inside a brand name breaks the word up as the filter reads it, while the rendered message still shows the name intact.

“Microsoft cannot identify this as a spoofing email because it cannot see the word “Microsoft” in the un-emulated version. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user,” wrote the researchers.

The message displayed to end users was:

Thanks for taking these additional steps to keep your email safe.

Office 365 – © Microsoft Corporation. All rights reserved.

The actual text that Microsoft’s filters would read is shown below:

[Image: “zerofont phishing” – the message source as read by the filter]
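The defensive counterpart to the technique described above is to extract the text a mail client would actually render and compare it with the text a naive content filter reads. The following Python script is an added example, not code from the article or from Avanan: it parses an HTML body with the standard library, separates text inside zero-font-size elements from visible text, and flags a message where a brand name appears in the rendered text but not in the raw text. The sample message, the filler characters inside the spans and the brand list are constructed for this example.

```python
import re
from html.parser import HTMLParser

# CSS declaration that sets a zero font size, e.g. "FONT-SIZE: 0px" or "font-size:0"
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.IGNORECASE
)

# Elements that never have a closing tag, so they must not touch the element stack
VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col",
        "embed", "source", "track", "wbr"}

# Brand strings a content filter would look for (illustrative list, constructed here)
BRANDS = ("microsoft", "office 365")


class ZeroFontParser(HTMLParser):
    """Splits an HTML body into the text a mail client renders and the text
    hidden inside elements styled with a zero font size."""

    def __init__(self):
        super().__init__()
        self.raw = []        # every text node in document order (what a naive filter reads)
        self.visible = []    # text nodes outside any zero-font element
        self.hidden = []     # text nodes inside a zero-font element
        self.zero_font_elements = 0
        self._hidden_stack = []  # one flag per open element: is it (or an ancestor) zero-font?

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        zero = bool(ZERO_FONT_RE.search(style))
        if zero:
            self.zero_font_elements += 1
        if tag in VOID:
            return
        inherited = bool(self._hidden_stack and self._hidden_stack[-1])
        self._hidden_stack.append(inherited or zero)

    def handle_endtag(self, tag):
        if tag not in VOID and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        if self._hidden_stack and self._hidden_stack[-1]:
            self.hidden.append(data)
        else:
            self.visible.append(data)


def normalize(parts):
    """Join text nodes and collapse whitespace the way a renderer would."""
    return " ".join("".join(parts).split())


def brand_mentions(text):
    low = text.lower()
    return [b for b in BRANDS if b in low]


def analyze(html):
    """Return what the filter reads, what the user sees, and whether the two
    disagree about brand names in the way zero-font padding produces."""
    parser = ZeroFontParser()
    parser.feed(html)
    parser.close()
    raw_text = normalize(parser.raw)
    visible_text = normalize(parser.visible)
    hidden = [h for h in parser.hidden if h.strip()]
    brands_raw = brand_mentions(raw_text)
    brands_visible = brand_mentions(visible_text)
    # A brand the user sees but the raw text lacks means the word was broken up
    # by hidden characters: the ZeroFont pattern.
    masked = sorted(set(brands_visible) - set(brands_raw))
    return {
        "raw_text": raw_text,
        "visible_text": visible_text,
        "hidden_fragments": hidden,
        "zero_font_elements": parser.zero_font_elements,
        "brands_in_raw": brands_raw,
        "brands_in_visible": brands_visible,
        "masked_brands": masked,
        "suspicious": bool(hidden) and bool(masked),
    }


# Constructed sample modelled on the message described in the article; the
# zero-font spans and their filler characters are invented for this example.
SAMPLE = (
    "<p>Thanks for taking these additional steps to keep your email safe.</p>\n"
    '<p>Office 365 &ndash; &copy; Mi<span style="FONT-SIZE: 0px">zq</span>cro'
    '<span style="font-size:0">xx</span>soft Corporation. All rights reserved.</p>'
)

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("filter reads :", result["raw_text"])
    print("user sees    :", result["visible_text"])
    print("hidden text  :", result["hidden_fragments"])
    print("masked brands:", result["masked_brands"])
    print("suspicious   :", result["suspicious"])
```

Run on the sample, the raw text contains “Mizqcroxxsoft” while the visible text contains “Microsoft”, so a filter matching on raw text misses the brand and the comparison flags the message. Treat the presence of zero-font text alone as a weaker signal than the brand mismatch: some legitimate marketing mail hides preheader text with a zero font size, whereas a brand name that only exists in the rendered view has no benign explanation.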

Author: NetSec Editor