According to Avanan, the cloud security company that spotted the use of ZeroFont in phishing attacks, cybercriminals send emails that contain text seen differently by the recipient and by the O365 filters. Random text characters or words were added throughout the email, thus preventing the filters from flagging suspicious words or phrases. These were tagged with the HTML code that assigns text a zero font size. The ZeroFont technique allows cybercriminals to present different versions of the email: recipients see a normal-looking email, while O365 filters disregard the font size and read the entire plain text as a random string of characters.

Figure 1. ZeroFont characters in the HTML of a sample email (Image source: Avanan)
ZeroFont is then able to sidestep O365’s natural language processing, which flags emails that, for example, contain words like “Apple” or “Microsoft” but were not sent from legitimate corporate domains. In one sample analyzed, which was a phishing email under the guise of an O365 quota limit notification, the email was not flagged by O365 filters because the word “Microsoft” was not read amidst the random character strings.
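The mismatch described above can be checked mechanically by comparing the text a renderer would show with the text left after stripping tags. The following is an added example, not code from Avanan, Trend Micro or Microsoft; the sample body, the watchword list and the names `ZeroFontSplitter` and `analyze` are constructed for illustration, and only inline `style` attributes are inspected.

```python
import re
from html.parser import HTMLParser

# Inline style that sets a zero font size: font-size:0, FONT-SIZE: 0px, font-size:0.0em ...
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(?:\.0+)?[a-z%]*\s*(?:;|!|$)", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link", "wbr"}  # tags with no end tag

class ZeroFontSplitter(HTMLParser):
    """Separate what a reader sees from what a tag-stripping scanner reads."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []                    # per open element: rendered at zero size?
        self.raw, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        # Simplification: children inherit zero size; a nested override is not modelled.
        inherited = bool(self.stack) and self.stack[-1]
        self.stack.append(inherited or bool(ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        zero = bool(self.stack) and self.stack[-1]
        (self.hidden if zero else self.visible).append(data)

def analyze(html, watchwords=("microsoft", "apple")):
    p = ZeroFontSplitter()
    p.feed(html)
    p.close()
    raw, visible = "".join(p.raw), "".join(p.visible)
    # Brand words the recipient reads but the stripped text no longer contains.
    masked = [w for w in watchwords if w in visible.lower() and w not in raw.lower()]
    return {"raw": raw, "visible": visible,
            "hidden_chars": sum(len(s) for s in p.hidden), "masked": masked}

# Constructed sample body, not taken from the campaign Avanan analysed.
SAMPLE = ('<p>Your <span style="FONT-SIZE: 0px">qxv</span>Mi'
          '<span style="FONT-SIZE: 0px">jt</span>cro<span style="font-size:0">zzk</span>'
          'soft account has reached its quota limit.</p>')

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-empty `masked` list together with a non-zero `hidden_chars` count is the signal worth alerting on: a brand name exists only in the rendered view of the message.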
Protect Your Network From ZeroFont
Phishing schemes and methods like ZeroFont are not new in the email threat landscape. ZeroFont in particular is an iteration of a technique that uses misspelled words and nonsensical phrases (or “salad words”) in micro font size to bypass spam filters. Trend Micro™ email and cloud security products already protect users and networks from these types of threats through a variety of methods, including email parsing and HTML rendering techniques that detect suspicious modifications employed by attackers, such as ZeroFont, and other phishing tactics such as the use of similar font color and background, among others.
The artificial intelligence- and machine learning-powered Trend Micro™ Cloud App Security™ solution, an advanced security product that protects Microsoft® Office 365™ Exchange™ Online, OneDrive® for Business, and SharePoint® Online platforms, managed to block 3.4 million high-risk email threats in 2017 — apart from the threat scans of O365 using its own built-in security.
Cloud App Security, as well as the Trend Micro™ ScanMail™ Suite for Microsoft® Exchange™ solution, features Writing Style DNA, a new AI technology that formulates the “DNA” of a legitimate email user’s writing style based on past written emails and crossmatches it to suspected forgeries. In addition to detecting and blocking various types of phishing emails, Writing Style DNA is effective in protecting networks against business email compromise (BEC) scams.
With advanced security solutions in place, following best practices for mitigating email threats goes a long way in effectively closing security gaps.
Credit source: https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/phishing-emails-sidestep-microsoft-office-365-filters-using-zerofont
For more information on how we can help you increase the defence against these attacks, please email sales@twenty-four.it.