According to Avanan, the cloud security company that spotted the use of ZeroFont in phishing attacks, cybercriminals send emails whose text is seen differently by the recipient and by the O365 filters. Random characters or words are inserted throughout the email, preventing the filters from flagging suspicious words or phrases. These insertions are wrapped in HTML markup that assigns the text a font size of zero. The ZeroFont technique thus lets cybercriminals present two versions of the same email: recipients see a normal-looking message, while the O365 filters disregard the font size and read the entire plain text as a random string of characters.
Figure 1. ZeroFont characters in the HTML of a sample email (Image source: Avanan)
ZeroFont is then able to sidestep O365’s natural language processing, which flags emails that, for example, contain words like “Apple” or “Microsoft” but were not sent from legitimate corporate domains. In one sample analyzed, a phishing email posing as an O365 quota limit notification, the message was not flagged by O365 filters because the word “Microsoft” could not be read amid the inserted random character strings.
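The two views of the message described above can be reconstructed by a defender: render what the recipient sees, keep what a raw-text filter reads, and flag the mismatch. The following is an added example (not Avanan's or Trend Micro's code); the sample email body and the brand list are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline style declaring a zero font size (0, 0px, 0.0em, 0pt, ...).
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
# Brand names a content filter might key on; the article mentions these two.
BRAND_TERMS = ("microsoft", "apple")


class ZeroFontParser(HTMLParser):
    """Records each text run with a flag saying whether a zero-font ancestor hides it."""

    def __init__(self):
        super().__init__()
        self.runs = []          # (text, hidden) tuples in document order
        self.zero_stack = []    # one bool per open element: did it set font-size:0?
        self.hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        is_zero = bool(ZERO_FONT.search(style))
        self.zero_stack.append(is_zero)
        self.hidden_depth += is_zero

    def handle_endtag(self, tag):
        if self.zero_stack and self.zero_stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        self.runs.append((data, self.hidden_depth > 0))


def analyze(html):
    """Compare the text a recipient sees with the text a naive filter reads."""
    p = ZeroFontParser()
    p.feed(html)
    p.close()
    rendered = " ".join("".join(t for t, hidden in p.runs if not hidden).split())
    raw = " ".join("".join(t for t, _ in p.runs).split())
    hidden_chars = sum(len(t) for t, hidden in p.runs if hidden)
    # Brands the recipient sees intact but the raw-text view no longer contains.
    masked = [b for b in BRAND_TERMS if b in rendered.lower() and b not in raw.lower()]
    return {"rendered": rendered, "raw": raw, "hidden_chars": hidden_chars,
            "masked_brands": masked, "suspicious": hidden_chars > 0 and rendered != raw}


# Constructed sample modelled on the O365 quota lure described in the article.
SAMPLE = ('<p>Your <span style="font-size:0px">qz</span>Micro'
          '<span style="FONT-SIZE: 0px">h7</span>soft Office 365 mailbox quota '
          'has been <span style="font-size: 0px">k</span>reached.</p>')
```

Running `analyze(SAMPLE)` reports the brand name that survives only in the rendered view, which is the signal a filter that renders HTML (rather than scanning raw text) can act on.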
Protect Your Network From ZeroFont
Phishing schemes and methods like ZeroFont are not new in the email threat landscape. ZeroFont in particular is an iteration of a technique that uses misspelled words and nonsensical phrases (or “salad words”) in micro font size to bypass spam filters. Trend Micro™ email and cloud security products already protect users and networks from these types of threats through a variety of methods, including email parsing and HTML rendering techniques that detect suspicious modifications employed by attackers, such as ZeroFont, as well as other phishing tactics such as the use of similar font color and background.