Phishing Emails Sidestep Microsoft Office 365 Filters Using ZeroFont

An old tactic is being used by cybercriminals to bypass Microsoft Office 365 (O365) filters for phishing emails. The technique, called ZeroFont, involves the manipulation of text font sizes to trick O365’s natural language processing, a tool that identifies malicious emails by checking for text elements commonly used by fraudsters.

According to Avanan, the cloud security company that spotted the use of ZeroFont in phishing attacks, cybercriminals send emails that contain text seen differently by the recipient and by the O365 filters. Random text characters or words are added throughout the email, preventing the filters from flagging suspicious words or phrases. These are tagged with the HTML code that assigns text a zero font size. The ZeroFont technique allows cybercriminals to present different versions of the email: recipients see a normal-looking email, while O365 filters disregard the font size and read the entire plain text as a random string of characters.

Figure 1. ZeroFont characters in the HTML of a sample email (Image source: Avanan)

ZeroFont is then able to sidestep O365’s natural language processing, which flags emails that, for example, contain words like “Apple” or “Microsoft” but were not sent from legitimate corporate domains. In one sample analyzed, which was a phishing email under the guise of an O365 quota limit notification, the email was not flagged by O365 filters because the word “Microsoft” was not read amidst the random character strings.

Protect Your Network From ZeroFont

Phishing schemes and methods like ZeroFont are not new in the email threat landscape. ZeroFont in particular is an iteration of a technique that uses misspelled words and nonsensical phrases (or “salad words”) in micro font size to bypass spam filters. Trend Micro™ email and cloud security products already protect users and networks from these types of threats through a variety of methods, including email parsing and HTML rendering techniques that detect suspicious modifications employed by attackers, such as ZeroFont, as well as other phishing tactics such as the use of similar font and background colors.
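The parsing-based detection described above can be illustrated with a short script. This is an added example, not code from Trend Micro or Avanan: it compares the text a size-blind filter reads with the text a recipient sees, assuming zero-size text is marked with an inline `font-size: 0` style; the function names, the watchword list and the sample body are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline style that renders text at zero size, e.g. "FONT-SIZE: 0px" or "font-size:0".
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "wbr", "col", "area", "base"}

class ZeroFontSplitter(HTMLParser):
    """Collects body text twice: as a size-blind filter reads it and as a reader sees it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []    # per open element: True if it or an ancestor is zero-size
        self.flat, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        # Assumption: children of a zero-size element stay hidden (overrides not evaluated).
        self.stack.append(bool(self.stack and self.stack[-1]) or bool(ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.flat.append(data)
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(data)

def analyze(html_body, watchwords=("microsoft", "apple")):
    """Return rendered text, flat text, hidden character count and masked watchwords."""
    parser = ZeroFontSplitter()
    parser.feed(html_body)
    parser.close()
    squash = lambda parts: re.sub(r"\s+", " ", "".join(parts)).strip()
    rendered, flat = squash(parser.visible), squash(parser.flat)
    # A watchword the reader sees but the flat text lacks was split by hidden filler.
    masked = [w for w in watchwords if w in rendered.lower() and w not in flat.lower()]
    return {"rendered": rendered, "flat": flat,
            "hidden_chars": len("".join(parser.hidden)), "masked": masked}

# Constructed sample body, not taken from the Avanan report.
SAMPLE = ('<p>Your <span style="FONT-SIZE: 0px">qzx</span>Mic<span style="font-size:0">vbn'
          '</span>rosoft account has reached its quota<span style="font-size: 0px"> kjw'
          '</span> limit.</p>')

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-empty `masked` list is the strong signal here: a brand name is visible to the reader only because hidden filler broke it up for the scanner.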

The artificial intelligence- and machine learning-powered Trend Micro™ Cloud App Security™ solution, an advanced security product that protects Microsoft® Office 365™ Exchange™ Online, OneDrive® for Business, and SharePoint® Online platforms, managed to block 3.4 million high-risk email threats in 2017 — apart from the threat scans of O365 using its own built-in security.

Cloud App Security, as well as the Trend Micro™ ScanMail™ Suite for Microsoft® Exchange™ solution, features Writing Style DNA, a new AI technology that formulates the “DNA” of a legitimate email user’s writing style based on past written emails and crossmatches it to suspected forgeries. In addition to detecting and blocking various types of phishing emails, Writing Style DNA is effective in protecting networks against business email compromise (BEC) scams.

With advanced security solutions in place, following best practices for mitigating email threats goes a long way in effectively closing security gaps.
