Cyber criminals are currently using the well-known ZeroFont bypass technique to trick the security filters Microsoft applies to Office 365 e-mail and smuggle spam onto systems.
The zero-font bypassing trick
This approach has actually been known for decades. The ZeroFont technique is based on inserting zero-width characters into normal text. While these ‘zero pixel wide characters’ are invisible to the human reader, software can of course read and parse the entire text, including the zero-width characters. Here is a corresponding HTML tag with the matching style attribute.
<span style="FONT-SIZE: 0px">This is how you hide text with the ZeroFont technique</span>
The trick is to use prepared text to make the e-mail security system treat the message as one large block of harmless text. At the same time, the human recipient of the phishing e-mail should see the intended content, with the links to the phishing pages.
Actually, this should have no chance of working, since the ZeroFont technique has been known for years and practically every reasonable e-mail program has protection mechanisms to detect such attempts. Such e-mails are then marked as suspicious as soon as they contain zero-width text.
Office 365 fails in phishing detection
Since Microsoft Office 365 is now delivered ‘as a service’ with constant ‘improvements’, such old knowledge can occasionally be thrown overboard as obsolete. That is the only way to explain what the security researchers at Avanan, a company specializing in cloud security, have found.
According to the security researchers, Office 365 no longer identifies e-mails using the ZeroFont technique as malicious. The reason for this failure is mainly Microsoft’s reliance on natural language processing. E-mails are scanned with this approach to determine whether the content of a message contains text-based indicators that are often found in phishing or fraud e-mails, such as payment requests, certain keywords and more.
With the ZeroFont technique, however, it is exactly this natural language processing that can be tricked. This is done by inserting large amounts of hidden, zero-width text into the body of an e-mail. In this way the scammers hide the indicators of a phishing attempt from Office 365’s natural language processing algorithms; the language analysis is misled by text that is invisible to the human eye. A simple filter that detects the ZeroFont technique by parsing the text attributes and flags the e-mail as unsafe apparently seems too trivial for Microsoft.
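The "simple filter" described above, written out as an added example (not code from the article or from Avanan or Microsoft): it parses an HTML e-mail body with Python's standard-library HTMLParser, separates the text a human reader would see from the text a machine filter would read, and flags the message when any text is hidden with a zero font size or spliced with zero-width Unicode characters. The sample e-mail body is constructed for this example; the function and class names are this example's own.

```python
import re
from html.parser import HTMLParser

# Invisible code points that survive text extraction but are not rendered to the eye.
ZERO_WIDTH_CHARS = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Matches a zero font size in a style attribute: "font-size: 0", "FONT-SIZE: 0px",
# "font-size:0.0em !important;" ... but not "font-size: 0.5em" or "font-size:10px".
FONT_SIZE_ZERO = re.compile(
    r"font-size\s*:\s*(?:0+(?:\.0+)?|\.0+)\s*(?:px|pt|em|rem|%)?\s*(?:!important)?\s*(?:;|$)",
    re.IGNORECASE,
)

# Elements whose boundary implies a line break when the text is rendered.
BLOCK_TAGS = {"p", "div", "br", "li", "tr", "h1", "h2", "h3", "h4", "td"}


class ZeroFontScanner(HTMLParser):
    """Collects three views of the body: all text (what an NLP filter reads),
    visible text (what the recipient sees) and the text hidden by font-size:0."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: &#8203; arrives as U+200B
        self.hidden_depth = 0       # > 0 while inside an element styled font-size:0
        self.machine_text = []
        self.visible_text = []
        self.hidden_segments = []
        self.zero_width_count = 0
        self._stack = []            # (tag, started_hidden_region) for each open tag

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            self.machine_text.append("\n")
            self.visible_text.append("\n")
        style = dict(attrs).get("style") or ""
        hidden = bool(FONT_SIZE_ZERO.search(style))
        if hidden:
            self.hidden_depth += 1
        self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag not in [t for t, _ in self._stack]:
            return                  # stray end tag in sloppy HTML: ignore it
        while self._stack:          # pop through unclosed void/sloppy tags to the match
            t, hidden = self._stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        self.zero_width_count += sum(1 for ch in data if ch in ZERO_WIDTH_CHARS)
        self.machine_text.append(data)
        if self.hidden_depth > 0:
            self.hidden_segments.append(data)
        else:
            # Zero-width characters are invisible to the reader too, so drop them here.
            self.visible_text.append("".join(ch for ch in data if ch not in ZERO_WIDTH_CHARS))


def _normalize(text):
    return re.sub(r"\s+", " ", text).strip()


def scan_email_html(html):
    """Return the visible/machine/hidden text views plus a 'suspicious' verdict."""
    parser = ZeroFontScanner()
    parser.feed(html)
    parser.close()
    hidden = _normalize("".join(parser.hidden_segments))
    return {
        "visible_text": _normalize("".join(parser.visible_text)),
        "machine_text": _normalize("".join(parser.machine_text)),
        "hidden_text": hidden,
        "zero_width_chars": parser.zero_width_count,
        # Any hidden text or zero-width splicing is enough to mark the mail for review.
        "suspicious": bool(hidden) or parser.zero_width_count > 0,
    }


# Constructed sample: harmless filler hidden with font-size:0 around a lure, plus a
# zero-width space (&#8203;) splitting the keyword "password" for keyword matchers.
SAMPLE_EMAIL = """<html><body>
<p>Your account <span style="FONT-SIZE: 0px">weekly newsletter digest about gardening tips </span>has been locked.
<span style="font-size:0px;color:#fff">thank you for subscribing to our recipe list</span>
Please <a href="http://example.invalid/verify">verify your pass&#8203;word</a> now.</p>
</body></html>"""

if __name__ == "__main__":
    result = scan_email_html(SAMPLE_EMAIL)
    for key, value in result.items():
        print(f"{key}: {value!r}")
```

The point of keeping both views is that a content filter should score the visible text, not the raw extraction: the machine view above reads like a newsletter, while the visible view is a bare account-lockout lure. The zero-width count covers the related Unicode trick the article mentions, where a keyword is split so that it no longer matches.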
According to Avanan’s security researchers, the ZeroFont technique is now being used in practice (in the wild) in combination with other tricks such as punycode URLs, Unicode characters or hexadecimal escape characters. Last month, Avanan’s security researchers also discovered that Office 365 did not detect links to phishing sites that were split into two parts using the <base> HTML tag. (via Bleeping Computer)