Phishing technique tricks Outlook to display fake AV scans

New ZeroFont technique manipulates Outlook to display fake AV scans.

Cybercriminals are utilizing a new phishing technique by employing zero-point fonts within emails to create an illusion that malicious emails have undergone secure scanning by Microsoft Outlook's security tools.

As reported by Bleeping Computers, the ZeroFont phishing attack method has been used before, first documented by Avanan in 2018. It is a phishing technique that exploits flaws in how AI and natural language processing (NLP) systems in email security platforms analyze text. It involves inserting hidden words or characters in emails by setting the font size to zero, rendering the text invisible to human targets, yet keeping it readable by NLP algorithms.

This attack marks the first time the phishing technique has been of use in this manner. ISC Sans analyst Jan Kopriva reported cautions that this tactic could significantly enhance the success rate of phishing attacks, emphasizing the importance of users being informed about its presence and its real-world application.

ZeroFont attack hiding from Anti-Virus Scans

In a recent encounter with a phishing mail, Kopriva, a user, noticed the malicious actor employing a ZeroFont attack to manipulate message previews on commonly utilized email clients like Microsoft Outlook. Specifically, the email in question displayed a different message in Outlook's email list than in the preview pane.

The objective of this attack is to bypass security filters by inserting concealed harmless terms that blend with suspicious visible content, causing AI systems to misinterpret the content and the outcomes of security assessments.

We can observe from the provided screenshot, where the email listing pane reads "Scanned and secured by Isc®Advanced Threat protection (APT): 9/22/2023T6:42 AM," whereas the beginning of the email in the preview/reading pane displays "Job Offer | Employment Opportunity."

This discrepancy is achieved by leveraging ZeroFont to hide the bogus security scan message at the start of the phishing email, so while it's not visible to the recipient, Outlook still grabs it and displays it as a preview on the email listing pane.

Malicious phishing message. Source: ISC Sans

Zero-font attack hiding antivirus scan message. Source: ISC Sans

The aim is to foster a deceptive perception of authenticity and safety in the recipient. By displaying a fraudulent security scan message, the chances of the recipient opening the message and interacting with its contents increase.

ZeroFont is particularly effective due to Microsoft's heavy reliance on natural language processing to inspect emails and identify text-based cues commonly associated with phishing or fraudulent messages, such as payment requests, specific keywords, and so on.

By including substantial amounts of concealed zero-width text within an email's content, malicious actors are concealing these cues from the Office 365 natural language processing engine. This strategy essentially buries their "bait" amid a multitude of random words, which are invisible to human observers but not to Microsoft's system.

It's possible that Outlook is not the sole email client that previews a message by grabbing the initial portion of an email without verifying the font size's validity. Therefore, users of other email software should also exercise caution and remain vigilant.

REFERENCE

• New ZeroFont phishing tricks Outlook into showing fake AV-scans By Bill Toulas, Bleeping Computer
• ZeroFont Technique Lets Phishing Emails Bypass Office 365 Security Filters By Catalin Cimpanu, Bleeping Computer