New Zerofont Phishing Tricks Outlook Into Showing Fake AV-Scans

Cyber Security Threat Summary:
Threat actors are employing a novel tactic by incorporating zero-point fonts within emails, creating the illusion that malicious emails have undergone successful security scans in Microsoft Outlook. While the ZeroFont phishing method has been previously observed, its current application marks a significant development. ISC Sans analyst Jan Kopriva, in a recent report, cautions that this technique could greatly enhance the success rate of phishing attacks, underscoring the importance of user awareness regarding its deployment in real-world scenarios.

“The ZeroFont attack method, first documented by Avanan in 2018, is a phishing technique that exploits flaws in how AI and natural language processing (NLP) systems in email security platforms analyze text. It involves inserting hidden words or characters in emails by setting the font size to zero, rendering the text invisible to human targets, yet keeping it readable by NLP algorithms. This attack aims to evade security filters by inserting invisible benign terms that mix with suspicious visible content, skewing AI's interpretation of the content and the result of security checks. In its 2018 report, Avanan warned that ZeroFont bypassed Microsoft's Office 365 Advanced Threat Protection (ATP) even when the emails contained known malicious keywords” (BleepingComputer, 2023).

In a recent phishing email observed by Kopriva, a malicious actor used the ZeroFont attack to manipulate how email previews appear in commonly used email clients like Microsoft Outlook. Specifically, this email showed different content in the email list view compared to the preview pane. In the email list, it falsely displayed "Scanned and secured by IscAdvanced Threat protection (APT): 9/22/2023T6:42 AM," while in the preview pane, it presented a fake "Job Offer | Employment Opportunity." This manipulation was achieved by exploiting ZeroFont to hide the deceptive security scan message within the phishing email's content. Although the recipient couldn't see it, Outlook still extracted and displayed it as a preview in the email list view.

Security Officer Comments:
The objective is to create a misleading impression of credibility and safety for the recipient. By showcasing a fraudulent security scan message, the chances of the recipient opening the email and interacting with its contents increase. It's worth noting that Outlook might not be the sole email client that extracts the initial part of an email for preview purposes without verifying its font size. Therefore, users of other software should also exercise caution and remain vigilant

Suggested Correction(s):
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from its customers. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.