A digital criminal emerging from a computer screen and reaching into a handbag to steal a credit card.

ZeroFont Phishing Technique Shows Fake Antivirus Scans In Outlook

ZeroFont is now being used in a new technique by cyber threat actors to deceive Microsoft Outlook users. This method aims to make phishing emails appear as if they have successfully passed antivirus scans.

ISC Sans analyst Jan Kopriva identifies an alarming trend in recent research. He warns that using this strategy might significantly increase the success rate of phishing attacks. Informing and keeping users aware of its accessibility and usage is crucial.

This approach may increase the chance of phishing emails avoiding security measures. Furthermore, it tricks recipients into unknowingly becoming victims of a scam activity.

Phishing emails, primarily Business Email Compromise (BEC) attacks, use social engineering techniques and fraudulent content to get their victims to click on a link, enter credentials, or engage in other risky activities.

Avanan disclosed the ZeroFont attack technique in 2018. It’s a clever phishing approach that takes advantage of vulnerabilities in how AI and natural language processing (NLP) technologies in email security platforms analyse text.

It basically works by inserting hidden words or characters into emails by reducing the font size to zero. This renders the text invisible to the human eye while yet making it transparent to NLP algorithms.

This attack approach aims to fool security filters by combining hidden unnoticed words with suspect visible content, causing the AI’s perception of the material and the results of security tests to be confused.

Avanan issued a warning regarding the ZeroFont method, emphasising its ability to easily circumvent Microsoft’s Office 365 Advanced Threat Protection (ATP), even when emails contained known dangerous phrases. This shows the increasing complexity of cybersecurity attacks.   

ZeroFont Phishing Attack in Outlook

Email applications usually display messages in two side-by-side panes. On the left, the “listing window” displays a list of messages that you have received, sent, or written. Meanwhile, the pane on the right displays the email’s content. The left pane contains information such as the sender’s name, the subject line, and a sample of the email’s text.

Recently, Kopriva came across a new phishing email in which a threat actor has been using the ZeroFont attack to modify message previews.

Popular email apps like Microsoft Outlook were among those impacted. Outlook’s email list displayed a different message than what appeared in the preview window.

Kopriva noticed that the attackers skilfully inserted wording showing message verification within the phishing email. They added the words “Scanned and secured by Isc®Advanced Threat protection (APT): 9/22/2023T6:42 AM” in a tiny zero font size right away before the message text.

Phishing Email Displayed in Outlook
ZeroFont Manipulation in a Malicious Phishing Email Displayed in Outlook (ISC Sans)

Utilising ZeroFont, a trick that hides the bogus security scan message immediately at the beginning of the phishing email, allows for this variation. Consequently, although the recipient cannot see it, Outlook captures the message and displays it as a preview in the email listing window. This clever technique makes the phishing effort appear more convincing and potentially dangerous.

Kopriva said:

It seems that Outlook (and likely other mail user agents) displays any text which is present at the beginning of a message in the listing view, even if it has zero font size, which can unfortunately be misused.

Antivirus Scan Message Hidden Using Zero-Font Technique
Antivirus Scan Message Hidden Using Zero-Font Technique (ISC Sans)

The listing pane shows the subject line plus an additional line of text in place of only the regular email subject line and the opening message content, which would indicate a phishing attack. Users feel secure by the additional claim that the message has passed comprehensive scanning and is now protected by an all-inclusive threat protection service.

All text formatted with “FONT-SIZE: 0px” disappears when the recipient reads the email, leaving only the material that the attacker wants them to see. On the other hand, Microsoft’s filters scan plain text regardless of font size, causing what appears to be a random flow of letters.

Microsoft cannot detect this email as a fake because it cannot identify the term “Microsoft” in the normal form. The ZeroFont attack essentially tailors the formatting of one message to anti-phishing filters and another to end users.

This clever technique allows the email to avoid detection by security measures without the user’s knowledge.

Natural language processing is a critical and effective tool in an effort with email phishing. Among the several techniques, the ZeroFont approach stands out, allowing attackers to deliver one email to security filters and another to the user.

The security expert emphasised that threat actors had already employed this strategy in advanced phishing operations, underscoring the importance of promptly alerting staff members to this emerging threat and providing them with effective training in identifying and responding to fraudulent emails. Taking this proactive approach can help organisations safeguard vital information and establish robust security measures.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology, you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.

Recent posts