LTS Secure Warning: ZeroFont phishing emails bypass office 365 protection

Avanan security researchers say cybercriminals have found a simple way to bypass email security scanners. They have warned about a phishing technique that email scammers are using to bypass most AI-powered phishing detection mechanisms.

Dubbed ZeroFont, the technique involves inserting hidden words with a font size of zero into the actual content of a phishing email, keeping its visual appearance the same while making it look non-malicious to email security scanners. According to the Avanan report, Microsoft Office 365 also fails to detect malicious emails crafted using the ZeroFont technique.

Technical Details

Safe Links, offered as part of Microsoft’s Office 365 Advanced Threat Protection (ATP) solution, is designed to protect organizations against malicious links delivered through emails and documents. Safe Links checks the original URL to see if it has been blacklisted (by Microsoft or the ATP customer) or if it points to malware. If a malicious element is detected, the original link is replaced and users are alerted when they click on it.

According to the Avanan report, cybercriminals have found a simple way to bypass this security feature by using a <base> tag in the HTML header, effectively splitting the malicious URL. With this method, Safe Links checks only the base domain and ignores the rest; the link is not replaced and the user is allowed to access the phishing site.

The attack method, which Avanan has dubbed “baseStriker,” works against Outlook clients that support the <base> tag, including the web-based, mobile and desktop applications. Gmail is not affected, and some security solutions, such as the one provided by Mimecast, protect users against these attacks.
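To show what a mail filter has to look at for both evasions described above (zero-font text in the ZeroFont case and a <base> tag completing relative links in the baseStriker case), here is an added example written for this page; it is not Avanan's or Microsoft's code. The sample message, the `phish.example` domain and the function name `analyse_email_body` are all constructed for illustration.

```python
"""Scan an HTML email body for zero-font-size text (ZeroFont) and for a
<base> tag that completes relative links (baseStriker).  Added example,
not Avanan's or Microsoft's code; the sample message is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# A CSS declaration that sets the font size to zero (0, 0px, 0.0pt, ...).
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
# Elements without a closing tag; they must not affect nesting depth.
VOID_TAGS = {"base", "br", "img", "meta", "link", "input", "hr", "area", "col", "wbr"}
# Elements whose end marks a visual line/block break for the reader.
BLOCK_TAGS = {"p", "div", "li", "tr", "td", "table", "ul", "ol",
              "h1", "h2", "h3", "h4", "h5", "h6"}

# Constructed sample: the reader sees "Please review the document", a
# scanner that reads all text sees filler words spliced in at font-size 0,
# and the only link is a relative path that <base href> turns external.
SAMPLE_HTML = """<html><head><base href="http://phish.example/"></head>
<body>
<p>Plea<span style="font-size:0px">weekly report</span>se review the
<span style="font-size: 0">attached invoice</span>document.</p>
<a href="login/verify?id=123">Open document</a>
</body></html>"""


class EmailBodyParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base_href = None
        self.hidden_depth = 0        # > 0 while inside a zero-font element
        self._hidden_stack = []      # one bool per open non-void element
        self.visible_parts = []
        self.hidden_parts = []
        self.raw_hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base_href = a["href"]
        elif tag == "a" and a.get("href"):
            self.raw_hrefs.append(a["href"])
        elif tag == "br":
            self.handle_data("\n")
        if tag in VOID_TAGS:
            return
        hidden = bool(a.get("style") and ZERO_FONT.search(a["style"]))
        self._hidden_stack.append(hidden)
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._hidden_stack:
            return
        if self._hidden_stack.pop():
            self.hidden_depth -= 1
        if tag in BLOCK_TAGS:
            self.handle_data("\n")   # block boundary reads as whitespace

    def handle_data(self, data):
        target = self.hidden_parts if self.hidden_depth else self.visible_parts
        target.append(data)


def analyse_email_body(html):
    """Return what the reader sees, what was hidden from them, every link
    with its effective URL, and findings a mail filter could act on."""
    p = EmailBodyParser()
    p.feed(html)
    p.close()
    # Visible fragments are concatenated without separators: ZeroFont
    # splits words, and joining them back restores what the reader sees.
    visible = " ".join("".join(p.visible_parts).split())
    # Hidden fragments are independent insertions, so keep them apart.
    hidden = " ".join(" ".join(p.hidden_parts).split())
    # Resolve after the full parse so a <base> in <head> applies to every link.
    links = [(raw, urljoin(p.base_href, raw) if p.base_href else raw)
             for raw in p.raw_hrefs]
    findings = []
    if hidden:
        findings.append("zero-font hidden text: %r" % hidden)
    completed = [eff for raw, eff in links if eff != raw]
    if p.base_href and completed:
        findings.append("<base href=%r> completes %d link(s): %s"
                        % (p.base_href, len(completed), ", ".join(completed)))
    return {"visible_text": visible, "hidden_text": hidden,
            "base_href": p.base_href, "links": links, "findings": findings}


if __name__ == "__main__":
    for finding in analyse_email_body(SAMPLE_HTML)["findings"]:
        print(finding)
```

The point of the two text fields is that a content classifier should score `visible_text` (what the recipient reads), not the raw text with the filler still in it, and a URL reputation check should be run on the resolved entry of each `links` pair rather than on the bare base domain.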

Impact

While Avanan has only seen this method being exploited in phishing attacks, they believe it can also be leveraged to deliver ransomware and other types of malware.

According to the Avanan research report, “The FROM address is customized on a per-email basis to look like the email is an internal one. The FROM: takes the form of ‘targetcompany.com <name@realdomain.com>’ so the user will see ‘targetcompany.com’ as the name, often fooling the user into thinking it is an internal email address.

“The SUBJECT is customized on a per-email basis to seem like the message is an internal one. The SUBJECT is of the form ‘realemailaddress@targetcompany.com has sent you a document’,” he added. “The email includes one or more logos, including Office365 or DocuSign or another document sharing service, as well as the standard boilerplate text that would be expected at the bottom of such an email. The emails are well-crafted with few or no spelling mistakes.”
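The two header patterns quoted from the report (a From: display name that is the target's own domain, and a Subject: naming an internal address as the supposed sender) can be checked mechanically at the gateway. The following is an added example, not Avanan's or Microsoft's code; `check_headers`, the `.example` domains and the sample messages are constructed for illustration.

```python
"""Header checks for the lure described in the report: a From: display
name that imitates the recipient's own domain while the real sender is
elsewhere, and a Subject: that cites an internal address.  Added example;
all domains are constructed placeholders."""
import re
from email.utils import parseaddr

# A display name that is itself a bare domain name, e.g. "targetcompany.example".
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)


def check_headers(from_value, subject, our_domain):
    """Return finding codes for one message's From: and Subject: values.
    our_domain is the organisation's own mail domain (constructed here)."""
    our = our_domain.lower()
    name, addr = parseaddr(from_value)
    sender_domain = addr.rpartition("@")[2].lower()
    external = sender_domain != our          # only external senders are suspect
    name_l = name.strip().lower()
    findings = []
    if external and name_l == our:
        findings.append("display-name-is-our-domain")
    elif external and DOMAIN_LIKE.match(name_l):
        findings.append("display-name-looks-like-domain")
    # An address at our domain, not followed by more label characters.
    internal_addr = re.compile(r"[\w.+-]+@" + re.escape(our) + r"(?![\w.-])")
    if external and internal_addr.search(subject.lower()):
        findings.append("subject-cites-internal-address")
    return findings


# Constructed samples: the lure pattern from the report and two benign messages.
SAMPLES = [
    ("targetcompany.example <name@sender.example>",
     "alice@targetcompany.example has sent you a document"),
    ("Alice Smith <alice@targetcompany.example>", "Q3 report"),
    ("Bob <bob@partner.example>", "Lunch on Friday?"),
]

if __name__ == "__main__":
    for from_value, subject in SAMPLES:
        print(from_value, "|", subject, "->",
              check_headers(from_value, subject, "targetcompany.example"))
```

Because the sender address in the lure is a real external mailbox, SPF and DKIM will typically pass; the mismatch is between the display name and the address, which is why the check compares the parsed name against the organisation's domain rather than relying on authentication results alone.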

Microsoft has been made aware of these attacks and the company has launched an investigation.

Recommended Actions

If you have fallen for this scam, you should immediately tell your company’s administrator and change your Office 365 password. Your administrator should also confirm that no third-party apps were granted access to your account while the attackers had access to it.


Avanan has released a security advisory about ZeroFont Phishing on June 13, 2018.