Office 365 users targeted by phishers employing simple HTML tricks


Phishers are using a simple but effective trick to fool Microsoft’s NLP-based anti-phishing protections and Office 365 users into entering their login credentials into spoofed login pages.

The phishing emails landing in targets’ inboxes warn potential victims that their email account has reached a “maximum quota limit” and that they should upgrade their account. To the casual observer, the emails appear to be “signed” by Microsoft.

[Image: Office 365 phishing tricks]

The fact that they are not sent from an official Microsoft email address should trigger Microsoft’s protections, but the phishers have found a way to trick the phishing scanners: they insert random text throughout the email to break up the strings that would trigger the natural-language-processing checks, and set that inserted text’s font size to zero:

[Image: Office 365 phishing tricks]

So, while the victim sees an email signature saying Microsoft, Microsoft’s cloud email service sees a seemingly random (and therefore not suspicious) string of characters.
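As an added example (not from the article and not Avanan's code), here is a small filter-side check for the ZeroFont trick: it parses the HTML body, separates the text a mail client would actually render from the text a naive scanner would see, and counts the text fragments hidden inside zero-font elements. The sample message and the `ZERO_FONT` pattern are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the visible sentences are broken up by spans whose
# font-size is zero, so a naive text scan never sees "Microsoft" intact.
SAMPLE_HTML = (
    '<p>Your mailbox has reached its <span style="font-size:0px">xq</span>'
    'maximum quota<span style="FONT-SIZE: 0">zz9</span> limit.</p>'
    '<p>Mi<span style="font-size: 0pt">kd</span>cro<span style="font-size:0">'
    'w</span>soft</p>'
)

# Matches font-size declarations of 0 (with or without a unit); assumption:
# inline styles only, which is what the technique described above relies on.
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(\.0+)?\s*(px|pt|em|%)?\s*(;|$)", re.I)


class ZeroFontAware(HTMLParser):
    """Collect the text a client renders, the text a naive scanner sees,
    and the number of non-empty fragments hidden by zero-font styling."""

    def __init__(self):
        super().__init__()
        self.raw = []               # every text node, styling ignored
        self.visible = []           # text nodes outside zero-font elements
        self.hidden_fragments = 0
        self._hidden_depth = 0
        self._stack = []            # one flag per open tag: zero-font or not

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        hidden = bool(ZERO_FONT.search(style))
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Simplification: assumes well-nested tags, as in the sample above.
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        self.raw.append(data)
        if self._hidden_depth:
            if data.strip():
                self.hidden_fragments += 1
        else:
            self.visible.append(data)


def analyze(html):
    parser = ZeroFontAware()
    parser.feed(html)
    return {"raw_text": "".join(parser.raw),
            "visible_text": "".join(parser.visible),
            "hidden_fragments": parser.hidden_fragments}


def is_zerofont_suspicious(html, min_fragments=2):
    """Flag a body that hides several text fragments via zero font size."""
    return analyze(SAMPLE_HTML if html is None else html)["hidden_fragments"] >= min_fragments
```

Running the NLP or keyword checks over `visible_text` instead of `raw_text` restores "maximum quota limit" and "Microsoft", while `hidden_fragments` alone is a usable signal for the trick itself.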

Avanan researcher Yoav Nathaniel pointed out that the technique, which Avanan dubbed ZeroFont, isn’t new. It was used in the past to bypass spam filters, but is seldom seen anymore.

The company has also recently spotted phishers splitting and disguising malicious links in emails by using the URL tag; the trick fools email filters that do not handle the HTML code correctly.