ZeroFont phishing email attack: cybercriminals have been getting creative, manipulating font sizes to get around Office 365 anti-phishing filters.
One of the anti-phishing/spoofing mechanisms in Office 365 uses natural language processing to recognise the wording typically found in malicious emails. The tactic has been named ZeroFont because these emails insert characters with a font size of zero to slip past that inspection.
What the ZeroFont attack does is insert strings of meaningless characters, styled with a font size of zero, into the HTML of an email in between the real text. The zero-size text is invisible to the recipient, but the Office 365 filter still reads it, so the words the filter parses are not the words the user sees.
For example, an email that mentions “Apple” or “Microsoft” but is not sent from their legitimate domains, or that references user accounts, password resets, banking information or financial requests, is flagged as suspicious and scrutinised for authenticity by Microsoft’s filters. This is why attackers have had to become increasingly creative in working around them.
You might get an email impersonating your bank. It might say something along the lines of “Your account needs to be updated. Please click here to verify your account.” The design and footer will look almost exactly like a genuine email from your bank; the footer will even say “2018 Your Bank Name. All Rights Reserved.” Everything will look legitimate to you as the end user. If you click the link, you will land on a page that also looks like your bank’s website and be asked to enter private information, possibly including your bank account number.
The problem is that this email used the ZeroFont technique to bypass the filters by manipulating the HTML code. You’ll see this:
Thanks for taking these additional steps to keep your account safe.
Your Bank Name
© 2018 Your Bank Name. All rights reserved.
While the Office 365 filters see this:
Thfdsjkllkfnnlankfdssds for taking these adfdsdsfditiofdsfsdfsdnal stfdsfsdfseps to keefdsfsdfp your accodsdsfsdfunt safdsfsdfsdfe.
Yofdsfsdfur Bfdsfdsafsdnfsdfsk Nfsdafsdmfsde
© 2018 Ydfdsofsdfsur hghfgBhgfhfghagfhfdhnk Nahfgfghmgfhfge. Agfhfgll rigfhgfghts resgfhfgfgeghfghrbvbcved.
Every letter in the second version that does not appear in the first is zero-font text. Because the filter reads the padded string rather than the rendered one, it never sees the words “account” or “safe” or the name of your bank, and so cannot recognise the message as a spoof.
What this means for you as a business is that you need to be more vigilant than ever. There are many options beyond Office 365’s built-in protection that can improve your chances of preventing an attack and filtering out spoofed emails.
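To make the two views concrete, here is an added example (not code from the original post, and not Microsoft’s filter) that parses an HTML email body the way a renderer would and the way a naive text filter would, then compares what each one sees. The sample message, the junk characters inside it, and the keyword list are all constructed for this example; only the Python standard library is used.

```python
"""Added example (not code from the original post): render an HTML email body
two ways and flag ZeroFont padding. Standard library only; the sample message
below is constructed for this example.
"""
import re
from html.parser import HTMLParser

# Constructed sample: a bank-themed phishing body padded with zero-size spans
# in the style the post describes. The junk characters are made up.
SAMPLE_HTML = """<html><body>
<p>Th<span style="font-size:0">fdsjkll</span>anks for taking these
ad<span style="FONT-SIZE: 0px">fdsdsf</span>ditional steps to keep your
acco<span style="font-size:0pt">dsdsf</span>unt safe.</p>
<p>Your B<span style="font-size:0">jkl</span>ank Name</p>
<p>Please <a href="http://example.invalid/login">click here</a> to
ver<span style="font-size:0">qq</span>ify your pass<span style="font-size:0">xyz</span>word.</p>
</body></html>"""

# Words a content filter might key on (illustrative list, not Microsoft's).
KEYWORDS = ("account", "password", "verify", "bank")

FONT_SIZE = re.compile(r"font-size\s*:\s*(\d*\.?\d+)\s*(px|pt|em|rem|%)?", re.I)


def is_zero_font(style):
    """True if an inline style sets a font size that renders as invisible."""
    m = FONT_SIZE.search(style or "")
    if not m:
        return False
    value = float(m.group(1))
    unit = (m.group(2) or "px").lower()
    # 0 in any unit hides the text; sub-pixel px/pt sizes are unreadable too
    return value == 0 or (unit in ("px", "pt") and value < 1)


class TwoViewParser(HTMLParser):
    """Collects the text a filter reads (everything) and the text a human
    sees (everything outside zero-font elements), plus the hidden runs."""

    def __init__(self):
        super().__init__()
        self.all_text = []
        self.visible_text = []
        self.hidden_runs = []
        self._stack = []  # (tag, is_hidden) for each open element

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style")
        self._stack.append((tag, is_zero_font(style)))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void tags.
        while self._stack:
            open_tag, _ = self._stack.pop()
            if open_tag == tag:
                break

    def handle_data(self, data):
        self.all_text.append(data)
        if any(hidden for _, hidden in self._stack):
            self.hidden_runs.append(data)
        else:
            self.visible_text.append(data)


def normalize(parts):
    return re.sub(r"\s+", " ", "".join(parts)).strip()


def keyword_hits(text):
    lowered = text.lower()
    return tuple(k for k in KEYWORDS if k in lowered)


def analyze(html):
    """Return both renderings, what each view matches, and a verdict."""
    parser = TwoViewParser()
    parser.feed(html)
    parser.close()
    visible = normalize(parser.visible_text)
    raw = normalize(parser.all_text)
    return {
        "visible": visible,
        "raw": raw,
        "hidden_chars": sum(len(run) for run in parser.hidden_runs),
        "hits_visible": keyword_hits(visible),
        "hits_raw": keyword_hits(raw),
        # Legitimate mail has no reason to carry zero-size text, so any
        # hidden run is a strong signal on its own.
        "zerofont": bool(parser.hidden_runs),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_HTML)
    print("user sees  :", result["visible"])
    print("filter sees:", result["raw"])
    print("keyword hits on rendered text:", result["hits_visible"])
    print("keyword hits on raw text     :", result["hits_raw"])
    print("zero-font padding detected   :", result["zerofont"],
          f"({result['hidden_chars']} hidden characters)")
```

On the constructed sample, the rendered view matches every keyword while the raw view matches none, which is exactly the gap the attack relies on. The practical defence is the other half of the script: run the content classifier on the rendered text rather than on the raw markup, and treat any zero-size (or sub-pixel) text as a signal in its own right, since ordinary mail has no reason to contain it. Variants that hide text with matching foreground and background colours or with `display:none` need the same treatment but are not covered by the font-size check here.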
Talk with a Comportz representative today to learn about these low-cost solutions that can keep you and your business safe.