Security Experts:

Phishers Use 'ZeroFont' Technique to Bypass Office 365 Protections

Cybercriminals have been leveraging a technique that involves manipulating font sizes in an effort to increase the chances of their phishing emails bypassing the protections implemented by Microsoft in Office 365.

According to cloud security company Avanan, one of the phishing protections in Office 365 involves natural language processing in order to identify text typically used in fraudulent or malicious emails.

For instance, researchers say the system flags emails mentioning “Apple” or “Microsoft” but not coming from legitimate domains, or messages referencing user accounts, password resets or financial requests.

In recent attacks spotted by Avanan, cybercriminals sent out phishing emails in which some of the content is set to be displayed with zero-size font using <span style="FONT-SIZE: 0px">. The security firm has dubbed this technique ZeroFont.

The email looks normal to the user, but Microsoft’s filters read the entire text, even if it’s displayed with a font size of “0”. The user sees this:

ZeroFont phishing email

But Microsoft’s systems will analyze the following text, which includes strings that are invisible to the user due to the "FONT-SIZE: 0px" attribute:

ZeroFont phishing email

“Microsoft can not identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user,” Avanan’s Yoav Nathaniel said in a blog post.

Last month, Avanan reported that cybercriminals had been splitting malicious URLs in an effort to bypass the Safe Links security feature in Office 365.

Related: To Stop Phishing, Understand the Long Tail of Risk

Related: Mobile Phishing Attacks Up 85 Percent Annually

Related: Phishing Pages Hidden in "well-known" Directory

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.