Five Techniques to Bypass Office 365 Protections Used in Real Phishing Campaigns

In the last couple of years, crooks have devised several techniques to bypass anti-phishing filters. Let’s analyze them to understand how threat actors used them to bypass Office 365 protections.

According to cloud security firm Avanan, cybercriminals are using a new technique that involves manipulating font sizes to bypass Office 365 protections.

One of the detection mechanisms implemented by Microsoft in Office 365 uses natural language processing to identify email content associated with malicious campaigns.

For example, emails that include the words “Apple” or “Microsoft” but are not sent from legitimate domains, or messages referencing user accounts, password resets or financial requests, are flagged as malicious.

The researchers from Avanan have recently discovered phishing campaigns using emails in which some of the content is set to be displayed with a zero-size font using <span style="FONT-SIZE: 0px">; for this reason, they dubbed the technique ZeroFont.

“Recently, we have been seeing a number of phishing attacks using a simple strategy to get their blatant email spoofs past Microsoft’s phishing scans. The tactic, which we are calling ZeroFont, involves inserting hidden words with a font size of zero that are invisible to the recipient in order to fool Microsoft’s natural language processing,” reads the analysis published by Avanan.

The email is composed as a phishing message, but Microsoft’s filters are not able to detect it because the attackers have inserted zero-font-size text that alters the text the filter reads, making it appear harmless to the security mechanisms.

Figure 1 – FontZero email

In summary, while the user sees classic phishing content like this:


Microsoft’s filter will see the overall text, including the words written with the “FONT-SIZE: 0px” attribute. This text, of course, doesn’t appear to be malicious content when analyzed with natural language processing:

“Microsoft can not identify this as a spoofing email because (Read more...)
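A defensive check for the mismatch described above, as an added example that is not part of the original article: it separates the text a mail client renders from the text a content scanner reads, and lists the zero-size fragments. The class and function names and the sample body are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline font-size declaration; group 1 is the numeric value ("0" in "FONT-SIZE: 0px").
FONT_SIZE = re.compile(r"font-size\s*:\s*([0-9]*\.?[0-9]+)", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr"}  # tags with no end tag

class ZeroFontSplitter(HTMLParser):
    """Separates text a mail client renders from zero-size text only a scanner reads."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # per open element: is its text zero-size?
        self.rendered, self.hidden, self.scanned = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        m = FONT_SIZE.search(dict(attrs).get("style") or "")
        inherited = self.stack[-1] if self.stack else False
        # An explicit size overrides the parent; otherwise the size is inherited.
        # Simplification: relative units (em, %) are treated like absolute ones.
        self.stack.append(float(m.group(1)) == 0 if m else inherited)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.scanned.append(data)
        if self.stack and self.stack[-1]:
            if data.strip():
                self.hidden.append(data.strip())
        else:
            self.rendered.append(data)

def split_zero_font(html):
    """Return (rendered_text, scanned_text, hidden_fragments) for an HTML body."""
    p = ZeroFontSplitter()
    p.feed(html)
    p.close()
    squash = lambda parts: " ".join("".join(parts).split())
    return squash(p.rendered), squash(p.scanned), p.hidden

# Constructed sample body (not taken from a real campaign).
SAMPLE = ('<p>Your <span style="FONT-SIZE: 0px">garden</span>Micro'
          '<span style="font-size:0">wave</span>soft account '
          '<span style="font-size: 0px;">of events</span>password expires today.</p>')

if __name__ == "__main__":
    rendered, scanned, hidden = split_zero_font(SAMPLE)
    print("rendered:", rendered, "\nscanned: ", scanned, "\nhidden:  ", hidden)
```

A non-empty hidden list, or brand and account keywords that appear in the rendered text but not in the scanned text, is a signal worth scoring before any language analysis runs.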

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pierluigi Paganini. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/fM2xf8629QY/