Security News ZeroFont Phishing Attack to Bypass Spam Filters

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,454
Published September 26, 2023
Hackers are utilizing a new trick of using zero-point fonts in emails to make malicious emails appear as safely scanned by security tools in Microsoft Outlook.

Although the ZeroFont phishing technique has been used in the past, this is the first time it has been documented as used in this way.

In a new report by ISC Sans analyst Jan Kopriva, the researcher warns that this trick could make a massive difference in the effectiveness of phishing operations, and users should be aware of its existence and use in the wild.
Read more: New ZeroFont phishing tricks Outlook into showing fake AV-scans

Key Points
  • The zero-font tactic uses text people cannot read to evade spam filters and trick email software. It can bypass security measures and deceive recipients.
  • It can trick spam detection by adding junk text to clog up scans. Scammers can impersonate legitimate entities without triggering alarms.
  • Zero-font text can create fake antivirus scan results in email previews, giving a false sense of security. Stay vigilant and be cautious of suspicious emails.
Source: What Is a Zero-Font Tactic in Email Phishing Scams?

Published June 13, 2018
An email is sent to a customer attempting to impersonate an Office 365 quota limit notification. The message looks like a common administrative service message phishing attack that would normally be caught, but, in this case, it was not flagged by Microsoft as a phishing email.

This email was not flagged by Microsoft is because the hacker inserted random text throughout the email to break up the text strings that would trigger Microsoft's natural language processing. In some cases, random words are used. These inserted characters are embedded within the HTML code <span style="FONT-SIZE: 0px"> to have a font size of zero, making them invisible to the recipient of the email. Below is a screenshot of the raw HTML of the email content, showing the inserted ZeroFont characters.

ZeroFont HTML
Source: ZeroFont Phishing: Font Manipulation to Pass Microsoft Security
 

nicolaasjan

Level 4
Verified
Well-known
May 29, 2023
176
So, this is what I get when copying the text from the mail and paste it in a text editor: :eek:
Klingon is easier to understand. :p

No wonder this can't be filtered.

Would a spam filter using AI be able to recognize that these are scrambled words? :unsure:
After all there are no languages using these 'words' and especially not with so many characters per word.

So, this is what I get when copying the text from the mail and paste it in a text editor: :eek:
Klingon is easier to understand. :p

No wonder this can't be filtered.
@Moderator, why have you deleted my code block?
There was no PII in it at all. :unsure:
 

nicolaasjan

Level 4
Verified
Well-known
May 29, 2023
176
Since the moderator deleted my code block from the above post, I'll post it again as an image :) :

Screenshot_20240318-7.png

Again, it's only a copy of the text in the McAfee phishing spam show above, with the link at the bottom omitted.
 

Trident

Level 29
Verified
Top Poster
Well-known
Feb 7, 2023
1,805
Would a spam filter using AI be able to recognize that these are scrambled words? :unsure:
After all there are no languages using these 'words' and especially not with so many characters per word.
There are algorithms that are able to recognise gibberish.
 
  • Hundred Points
Reactions: nicolaasjan

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top