It has been uncovered that phishing emails can pass through Office 365 security undetected. The tactic cybercriminals use manipulates font sizes in a way that undermines the Office 365 protection strategy and lets such emails through.

Office 365 uses natural language processing to detect phishing emails and help block phishing attacks. The text in the body of the email is interpreted and correlated with the sender so that anomalies indicating fraud can be identified. However, attackers have found a simple way around this with a technique dubbed ‘ZeroFont’, which manipulates font size.

How it works

  • The attacker uses social engineering to gather the information required to orchestrate the attack against the Office 365 user
  • Using this information, they create a personalised message that looks genuine
  • Using ‘ZeroFont’, they manipulate the HTML of the email so that the text the filter reads differs from the text the user sees
  • The email passes through Office 365 servers; the text Microsoft’s natural language processing reads no longer contains the phishing indicators, so it is not blocked
  • The user receives a genuine-looking email, because the hidden text is not rendered and the visible message is consistent with the sender and recipient

‘ZeroFont’ attack

The criminals set the font size of inserted text to zero, so that words within the email content are hidden from the user (the email looks normal when viewed) but are still read by the Office 365 algorithm. ‘ZeroFont’ therefore allows one message to be displayed to the user and another to be presented to the Microsoft anti-phishing filters. Neither the user nor the filter sees anything out of the ordinary, so the email is not flagged as fraudulent or malicious by the service.

This clever tactic lets attackers hide any indicators of phishing attempts from the natural language processing algorithm of Office 365, tricking the service into allowing the phishing email through.

Solutions and services that rely on natural language processing to speed up the detection of phishing emails are shown to be ineffective against the ‘ZeroFont’ attack. Cybercriminals can easily break up the indicators used to detect malicious emails with text that is invisible to the reader, so that the natural language processing engine no longer recognises the content as malicious.
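The following is an added example, not code from the article or from Microsoft: it builds a constructed ZeroFont email body (the message, the junk fragments and the `example.invalid` link are all invented for illustration), shows the two views the technique produces (the text a filter that reads every HTML text node sees, and the text the user sees once zero-size spans are dropped), and includes the check a defender would want: strip zero-size text before any keyword or NLP analysis, and count the hidden fragments as a signal in its own right. The phishing phrases are a hypothetical stand-in for whatever indicators a real filter uses.

```python
import re
from html.parser import HTMLParser

# Constructed sample, not taken from the article. Read on screen it is an
# ordinary "your Microsoft account will be suspended" lure; the zero-size
# spans split the keywords for anything that reads the raw text nodes.
ZEROFONT_EMAIL_HTML = """
<html><body>
<p>Dear customer,</p>
<p>Your Micro<span style="font-size:0">qwe</span>soft account
will be sus<span style="font-size: 0px;">xyz</span>pended unless you
ver<span style="FONT-SIZE:0pt">abc</span>ify your pass<span style="font-size:0">zz</span>word
<a href="http://example.invalid/login">here</a>.</p>
</body></html>
"""

# Hypothetical indicator list; a real filter would use its own model/phrases.
PHISH_PHRASES = ("microsoft account", "suspended", "verify your password")

_FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([0-9.]+)\s*([a-z%]*)", re.IGNORECASE)
_VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base",
         "col", "embed", "param", "source", "track", "wbr"}


def is_zero_font(style: str) -> bool:
    """True if an inline style renders text invisibly small (size 0, or below 1px)."""
    m = _FONT_SIZE_RE.search(style or "")
    if not m:
        return False
    value, unit = float(m.group(1)), m.group(2).lower()
    return value == 0 or (unit in ("", "px") and value < 1)


class _ZeroFontParser(HTMLParser):
    """Collects every text node, and separately the nodes a reader can see."""

    def __init__(self):
        super().__init__()
        self._stack = []          # (tag, hidden?) for each open element
        self.all_text, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:          # <br>, <img> ... never get a closing tag
            return
        style = dict(attrs).get("style") or ""
        self._stack.append((tag, is_zero_font(style)))

    def handle_endtag(self, tag):
        if tag in _VOID:
            return
        for i in range(len(self._stack) - 1, -1, -1):   # tolerate sloppy nesting
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        self.all_text.append(data)
        if any(hidden for _, hidden in self._stack):    # inside a zero-size ancestor
            self.hidden.append(data)
        else:
            self.visible.append(data)


def _normalize(parts):
    return " ".join("".join(parts).split())


def extract_views(html: str):
    """Return (text every node yields, text the user sees, hidden fragments)."""
    p = _ZeroFontParser()
    p.feed(html)
    p.close()
    return _normalize(p.all_text), _normalize(p.visible), p.hidden


def phishing_hits(text: str):
    """Which indicator phrases appear in the given text."""
    lowered = text.lower()
    return [phrase for phrase in PHISH_PHRASES if phrase in lowered]


def zerofont_score(html: str) -> int:
    """Detection signal: how many zero-size text fragments the body carries."""
    return len(extract_views(html)[2])


if __name__ == "__main__":
    raw, seen, hidden = extract_views(ZEROFONT_EMAIL_HTML)
    print("filter reads :", raw, "->", phishing_hits(raw))
    print("user sees    :", seen, "->", phishing_hits(seen))
    print("hidden chunks:", hidden, "score", zerofont_score(ZEROFONT_EMAIL_HTML))
```

Running the block shows the raw text ("Microqwesoft account will be susxyzpended ...") matching none of the indicator phrases while the rendered text matches all three, which is exactly the gap the attack exploits; analysing the rendered view closes it for this trick. The heuristic is deliberately narrow: zero or sub-pixel `font-size` in inline styles only. Text hidden with `display:none`, foreground colour matching the background, CSS classes defined in a `<style>` block, or off-screen positioning would need the same treatment, so a production filter should normalise to what the mail client actually renders rather than chase individual properties.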

This weakness in the Office 365 algorithm could put users at risk of malicious activity (ransomware, malware and spam) if phishing emails are allowed to reach their targets.

The Hacker News: