Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Phishers Use Zero-Width Spaces to Bypass Office 365 Protections

A recently addressed vulnerability in Office 365 allowed attackers to bypass existing phishing protections and deliver malicious messages to victims’ inboxes. 

A recently addressed vulnerability in Office 365 allowed attackers to bypass existing phishing protections and deliver malicious messages to victims’ inboxes. 

The issue, cloud security firm Avanan says, resided in the use of zero-width spaces (ZWSPs) in the middle of malicious URLs within the RAW HTML of the emails. This method breaks the URLs, thus preventing Microsoft’s systems from recognizing them and also preventing Safe Links from successfully protecting users.

What’s more, these zero-width spaces don’t render, meaning that the recipient would not notice the random special characters in the URL. The first wave of emails abusing this vulnerability was observed on November 10, and Microsoft addressed the issue on January 9, Avanan’s security researchers say. 

The vulnerability apparently rendered all Office 365 users vulnerable to phishing attacks, even those who were using Microsoft’s Office 365 Advanced Threat Protection. Both URL reputation check and Safe Links protections are bypassed in the attack. 

“The vulnerability was discovered when we noticed a large number of hackers using zero-width spaces (ZWSPs) to obfuscate links in phishing emails to Office 365, hiding the phishing URL from Office 365 Security and Office 365 ATP,” the security researchers say.

ZWSPs, Avanan explains, are characters that render to spaces of zero-width, and can be looked at as “empty space” characters. There are 5 ZWSP entities, namely ​ (Zero-Width Space), ‌ (Zero-Width Non-Joiner), ‍ (Zero-Width Joiner),  (Zero-Width No-Break Space), and 0 (Full-Width Digit Zero).

Although in their raw HTML form the ZWSPs appear like “a mishmash of numbers and special characters randomly inserted between the letters a word or a URL,” they are invisible when rendered in the browser, thus making the URL to appear as standard. 

ZWSPs, the researchers explain, are part of formatting the Internet every day, being used for fingerprinting articles and documents, formatting foreign languages, and breaking long words at the end of a line and continuing them on the next line. 

As part of the observed phishing attacks, “the Zero-Width Non-Joiner (‌) is added to the middle of a malicious URL within the RAW HTML of an email,” Avanan notes. Thus, the email processing system would not recognize the URL as legitimate and would fail to apply protections. 

As soon as the victim clicks on the link in the email, however, they are taken to a credential harvesting phishing site mimicking that of Chase Bank.

The new attack, which Avanan refers to as Z-WASP, is an evolution of previously observed attempts to bypass Office 365 security either by splitting the URL into base and href tags (baseStriker) or by adding characters with font-size 0 (the ZeroFont attack).

Related: Office 365, Outlook Credentials Most Targeted by Phishing Kits

Related: Phishers Use ‘ZeroFont’ Technique to Bypass Office 365 Protections

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.