How authors of scam emails bypassing Microsoft Office 365 phishing protection

For most fraudulent emails, most email providers use machine readers. If it finds suspicious text, such as asking for a password reset, sending a payment, or attempting to mimic a known business, the e-mail is marked as fraudulent. The authors of these emails use a technique called Dubbed ZeroFont, which tries to deceive detection. And they’re succesfull.

How does it work? The email author writes zero-size characters into the text. These are invisible to the user, but automatic detection does not work with the visual form of the text, it uses the source code of the email. For example, the user sees the text “© 2018 Microsoft Corporation,” but there are other words in the source code (see figure below). So the recipient of the email see the “signed” text, which would (if the email came from a different address than Microsoft) have the machine evaluated as spam, but because the source code contains another text that is not “harmful”, it considers the email to be legitimate.

Fraudulent e-mail detection systems developers are constantly improving detection mechanisms, but attackers are usually (at least) one step ahead. Some systems have learned to detect such a way of camouflage, but they mostly work with existing dictionaries – they compare the text with common words. If the phishing e-mail writer inserts such invisible text that does not contain existing words, he / she can get around this protection again.

Always pay attention to the address (not the name) from which emails with the request of an action come from.

Source: Avanan


Jmenuji se Milan Půlkrábek, pamatuji si počítače bez internetu, Internet bez Google a mobilní komunikaci bez šifrování. Mám za sebou více než dvacet let profesionální praxe v IT, přednáším a píšu články o IT bezpečnosti, kryptoměnách a nových technologiích. Od roku 2014 jsem součástí nezikové organizace Paralelní Polis v Praze.