Hackers are using “ZeroFont” technology to bypass the Office 365 security mechanism for phishing

Last month, security researchers revealed that some hackers had discovered a new technology that can bypass the Microsoft Office 365 security mechanism and jump to phishing sites. This technology is called “BaseStriker,” and anyone who uses Office 365 under any configuration is vulnerable to attacks.

Last week, Avanan, an Israeli cloud security company, brought us another massive news similar to it. Its security researchers found that some cybercriminals are using another new technology that can bypass most of the artificial intelligence phishing detection mechanisms implemented by widely used email services and network security scanners.

This new technology is named “ZeroFont,” and it involves inserting hidden words with a font size of zero in the actual content of phishing emails, which are invisible to the recipient. At the same time, these e-mails also fooled Microsoft’s natural language processing.

To stop phishing emails, Microsoft uses natural language processing to scan the contents of emails for signs of counterfeiting or fraud. For example, if the email contains the text “© 2018 Apple Corporation. All rights reserved” but the email is not from apple.com, it is marked fraudulent.

Microsoft uses natural language processing to try to interpret the context or intent of the text and associate it with the sender. Emails such as suggested bank information, user accounts, password resets, financial requests, etc. are carefully checked to ensure authenticity.

As Microsoft’s filters are getting better at reading e-mail, attackers are looking for new ways to deceive the language analyzer before deceiving the end user. In ZeroFont, they found a way to show the Microsoft filter different text than the end user sees.

There are many malicious email samples produced using ZeroFont technology. Here we see that this is typical. The sender pretends to be from Microsoft Office 365 and claims that the recipient’s e-mail account has reached the maximum limit. If you want to continue using the account, you need to click on a link to upgrade.

You can see that “© 2018 Microsoft Corporation. All rights reserved” is displayed at the bottom of the body of the e-mail and is not listed as a phishing e-mail by Microsoft.

Microsoft did not mark this email because hackers inserted random text throughout the email to disassemble text strings that could trigger Microsoft’s natural language processing. In some cases, use random words. These added characters are embedded in the HTML code <span style=”FONT-SIZE: 0px”> with a font size of zero so that they are not visible to the recipient of the email. The following is an original HTML screenshot of the email content showing the inserted ZeroFont characters.

When the recipient reads the e-mail, all text with “FONT-SIZE: 0px” disappears, leaving only the text that the attacker wants the recipient to see. The HTML mentioned above is to the user like this:

On the other hand, because Microsoft’s filters read plain text regardless of the font size, what they see appears to be a string of random characters:

Microsoft Natural Language Processing cannot identify it as fraudulent e-mail because it does not see the word “Microsoft.” Essentially, ZeroFont’s success lies in the fact that email filters and end-users see something completely different.

Source, Image: avanan