Email Phishers Using an Easy Method to Sidestep MS Office 365 Protection

June 21, 2018


Safety scientists have been alerting regarding an easy method that cyber offenders and electronic mail scammers are using in the wild to sidestep most AI-powered phishing finding ways applied by extensively used electronic mail facilities and web safety scanners.

Called ZeroFont, the method involves introducing concealed words with a font size of zero inside the actual subject matter of a phishing electronic mail, preserving its visual appearance same, however at the same time, making it non-malicious in the eyes of electronic mail safety scanners.

As per cloud safety business Avanan, Microsoft Office 365 also fails to identify such electronic mails as malevolent created using ZeroFont method.

Similar to Microsoft Office 365, several electronic mails and web safety facilities use natural language processing and other man-made intelligence-based machine learning methods to find malevolent or phishing electronic mails quicker.

The technology assists safety businesses to explore, know and get meaning from unstructured text embedded in an electronic mail or web page by finding text-based indicators, similar to electronic mail cheats imitating a popular business, expressions used to request for payments or password resets, and more.

Nevertheless, by adding accidental zero font-size characters between the indicator texts existing in a phishing electronic mail, cybercriminals can change these indicators into a formless garbage text, concealing them from the normal language processing engine.

For that reason, the electronic mail looks usual to a human eye, however, Microsoft reads the entire garbage text, even if some words are shown with a font size of “0.”

“Microsoft can’t recognize this as a deceiving electronic mail since it can’t see the word ‘Microsoft’ in the un-emulated version,” reads Avanan’s blog post. “Basically, the ZeroFont attack makes it possible to show one message to the anti-phishing filters and another to the end user.”


Besides the ZeroFont method, Avanan also found hackers using other similar techniques that involve Unicode, Punycode, or Hexadecimal Escape Characters in their phishing attacks.

Last month, scientists from the same business informed that cybercriminals had been splitting up the malevolent URL in a manner that the Safe Links safety feature in Office 365 fails to recognize and substitute the partial hyperlink, ultimately redirecting sufferers to the phishing site.