Menace actors are using an present strategy of zero-point font obfuscation in a brand new solution to idiot Microsoft Outlook customers into believing phishing emails have efficiently been vetted by antivirus scans.
The method may enhance the chance that phishing emails will slip previous not solely safety protections, but additionally trick recipients into falling for scams.
SANS Web Storm Middle analyst Jan Kopriva got here throughout a phishing e-mail that used textual content written in a font with zero-pixel measurement — an obfuscation method first documented by researchers at Avanana Examine Level firm, in 2018 and dubbed ZeroFont Phishing — getting used “in quite a novel way,” he wrote.
Attackers have lengthy embedded textual content with zero font measurement in phishing emails to interrupt up textual content written in a standard, seen solution to make it more durable for automated email scanning systems just like the one utilized by Outlook to detect suspicious messages. Nonetheless, the ZeroFont method noticed by Kopriva had an altogether completely different intent.
“It wasn’t intended to hinder automated scanners from identifying the message as potentially fraudulent/malicious, but instead to make the message appear more trustworthy to the recipient,” he wrote in his publish.
The method alters the textual content that usually can be proven within the itemizing pane of Outlook — which seems to the left, adjoining to the physique of messages and provides customers clues to what’s within the message, defined Kopriva, additionally with Czech Republic’s Nettles Consulting.
Fairly than show merely the standard e-mail topic line and starting of the message textual content that will have alerted the person to a phishing rip-off, the textual content within the itemizing pane displayed the topic line — after which one other line of textual content indicating that the message had been scanned and secured by a risk safety service.
Manipulating ZeroFont
Embedding tiny-sized textual content within the zero- or one-point font vary — one other method found by Avanan dubbed “One Font” — is considered one of some ways risk actors have devised to create extra evasively refined phishing scams. The tiny font measurement breaks email-scanning methods that rely upon semantic evaluation, complicated the system whereas e-mail recipients do not detect the textual content as a result of it is too small to learn.
Within the phishing e-mail that Kopriva noticed, attackers cleverly included textual content indicating the verification of the message — that’s, “Scanned and secured by Isc®Advanced Threat protection (APT): 9/22/2023T6:42 AM” — in zero font measurement earlier than the textual content of the message, he mentioned.
This created a situation wherein textual content that seems to substantiate the message as safe was seen to the person within the message’s itemizing pane in Outlook — under the message topic line reasonably than the precise first line of the phishing e-mail message, which is displayed on the right-hand facet of the display screen within the person interface.
The method demonstrates attackers abusing a attribute of how Outlook shows email-message textual content, Kopriva defined.
“It seems that Outlook (and likely other [mail user agents]) displays any text which is present at the beginning of a message in the listing view, even if it has zero font size, which can unfortunately be (mis)used,” he wrote.
Preserve Workers Knowledgeable
Kopriva acknowledged that it is attainable the tactic already has been used within the wild for a while.
“It’s, in any case, yet one more small addition to the threat actor toolbox which can be used to create simpler phishing campaigns, and it’s due to this fact definitely good for us — as defenders — to pay attention to it,” Kopriva added.
For the reason that method is already in follow by attackers, organizations conducting phishing-oriented safety consciousness programs ought to inform workers in regards to the method in order that they can easily spot any fraudulent messages that use it as a way of anti-detection, Kopriva added.
Author: Elizabeth Montalbano, Contributor, Darkish Studying
Date: 2023-09-27 10:17:00
