ZeroFont Phishing Attack Sidesteps Microsoft Office Security Feature

June 23, 2018


The ZeroFont phishing attack lets phishers sidestep anti-spam controls and make sure their emails are delivered to end users’ inboxes.

ZeroFont Phishing

Cybercriminals are continuously creating new methods to sidestep anti-spam technologies, one of which has been found by security researchers at the cloud security company Avanan.

The method, called ZeroFont phishing, lets phishers get their messages past Microsoft Office 365 defenses and delivered to end users’ inboxes.

One of the difficulties phishers face when trying to mimic big-name brands is that several spam filters look at the content of messages and check for names such as Apple and Microsoft. When the links provided in those emails – and the emails themselves – don’t come from genuine domains, the messages are flagged and sent to spam or junk folders instead of inboxes. Nevertheless, the ZeroFont phishing method gets around this control in an interesting way.

The campaign observed by Avanan used an email warning that the end user had reached the maximum allocation limit for their email. The message was signed “Office 365” and the user was asked to click a link to upgrade their account.

The end user would, therefore, be likely to trust that the email had been sent by Microsoft if they didn’t verify the domain from which the email was sent.

Usually, Microsoft would see such an email for what it was – a phishing attempt – because the email was not actually signed by Microsoft and didn’t use a real Microsoft domain.

In this instance that didn’t occur, since the content of the message incorporated text using <span style="FONT-SIZE: 0px">. Text set to a zero font size would not be shown to the end user; nevertheless, Microsoft would still read the text.

“Microsoft can’t recognize this as a deceiving electronic mail since it can’t see the word “Microsoft” in the un-emulated version. Basically, the ZeroFont attack makes it possible to show one message to the anti-phishing sieves and another to the end user,” wrote the scientists.

The message shown to end users was:

Thanks for taking these additional steps to keep your electronic mail protected.

Office 365 – © Microsoft Corporation. All rights reserved.
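
A defender-side check for the mismatch described above, added here as an example (not Avanan's or Microsoft's code): it compares the text a raw-content scan reads with the text a mail client renders once zero-size elements are dropped. It assumes inline style attributes only and well-formed markup; the class, function and sample names are hypothetical, and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser

# Matches font-size: 0 / 0px / 0.0pt ..., but not 0.5px or 10px.
ZERO_SIZE = re.compile(r"font-size\s*:\s*0+(\.0+)?\s*(px|pt|em|rem|%)?\s*(;|!|$)", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr"}  # tags with no end tag
BRANDS = ("microsoft", "apple")  # names the article says filters look for


class ZeroFontSplitter(HTMLParser):
    """Collects text as a raw scan reads it and as a mail client renders it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # one flag per open element: rendered at zero size?
        self.raw, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack and self.stack[-1])  # children stay hidden
        self.stack.append(inherited or bool(ZERO_SIZE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        in_hidden = bool(self.stack and self.stack[-1])
        (self.hidden if in_hidden else self.visible).append(data)


def analyze(html):
    p = ZeroFontSplitter()
    p.feed(html)
    p.close()
    raw, visible = "".join(p.raw).lower(), "".join(p.visible).lower()
    hidden = "".join(p.hidden)
    # A brand name the reader sees but the raw scan misses is the ZeroFont signal.
    masked = [b for b in BRANDS if b in visible and b not in raw]
    return {"hidden_chars": len(hidden), "masked_brands": masked,
            "suspicious": bool(masked) or bool(hidden.strip())}


# Constructed samples, not taken from the campaign.
SAMPLE = ('<p>Office 365 - Mi<span style="FONT-SIZE: 0px">xq</span>cro'
          '<span style="font-size:0">zz</span>soft Corporation</p>')
CLEAN = '<p style="font-size: 10px">Quarterly report attached.</p>'
```

Running the brand and reputation checks on the visible text, and treating any non-empty zero-size text as a signal in its own right, closes the gap between the two views.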