New twist on ZeroFont phishing technique spotted in the wild

Cybercriminals are leveraging the ZeroFont technique to trick users into trusting phishing emails, SANS ISC handler Jan Kopriva has warned.

The ZeroFont phishing attack

Documented and named by Avanan in 2018, the ZeroFont technique involves using text written in font size “0” throughout the email body.

In that campaign, it was used to bypass Microsoft’s NLP-based anti-phishing protections by breaking up the text strings that would otherwise trigger them.

A new purpose

Email clients generally display messages in two adjacent windows: the left one (listing window) showing a list of received, sent or drafted messages and the right showing the email body. The left widow also displays the name of the sender, the subject and the beginning of the text contained in the email.

Kopriva received a phishing-email that used the ZeroFont phishing technique to make it seem like the email has been scanned by anti-spam email filters.

But the text indicating that (Scanned and secured by Isc®Advanced Threat protection (APT): 9/22/2023T6:42 AM) was only displayed in the listing pane, because the same text in the email message was written at the beginning of it, in font size “0”, and thus invisible to the recipient.


The phishing email as displayed in Outlook (Source: SANS ISC)

“It seems that Outlook (and likely other [Mail User Agents]) displays any text which is present at the beginning of a message in the listing view, even if it has zero font size, which can unfortunately be (mis)used,” said Kopriva.

“The ‘invisible’ text in the e-mail which was delivered to our handler e-mail address (…) did not serve the usual purpose – it wasn’t intended to hinder automated scanners from identifying the message as potentially fraudulent/malicious, but instead to make the message appear more trustworthy to the recipient.”

Some phishers are obviously using the technique to try to create more effective phishing campaigns so, according to Kopriva, “it might not be a bad idea to mention it in any phishing-oriented security awareness courses.”

Don't miss