Hackers are using a brand new trick of utilizing zero-point fonts in emails to make malicious emails seem as safely scanned by safety instruments in Microsoft Outlook.
Though the ZeroFont phishing approach has been used up to now, that is the primary time it has been documented as used on this means.
In a brand new report by ISC Sans analyst Jan Kopriva, the researcher warns that this trick may make an enormous distinction within the effectiveness of phishing operations, and customers ought to pay attention to its existence and use within the wild.
ZeroFont assaults
The ZeroFont assault technique, first documented by Avanan in 2018, is a phishing approach that exploits flaws in how AI and pure language processing (NLP) programs in electronic mail safety platforms analyze textual content.
It includes inserting hidden phrases or characters in emails by setting the font dimension to zero, rendering the textual content invisible to human targets, but retaining it readable by NLP algorithms.
This assault goals to evade safety filters by inserting invisible benign phrases that blend with suspicious seen content material, skewing AI’s interpretation of the content material and the results of safety checks.
In its 2018 report, Avanan warned that ZeroFont bypassed Microsoft’s Workplace 365 Superior Menace Safety (ATP) even when the emails contained recognized malicious key phrases.
Hiding bogus antivirus scans
In a brand new phishing electronic mail seen by Kopriva, a menace actor makes use of the ZeroFont assault to control message previews on extensively used electronic mail purchasers similar to Microsoft Outlook.
Particularly, the e-mail in query displayed a unique message in Outlook’s electronic mail listing than within the preview pane.
As you possibly can see beneath, the e-mail itemizing pane reads “Scanned and secured by Isc®Superior Menace safety (APT): 9/22/2023T6:42 AM,” whereas the start of the e-mail within the preview/studying pane shows “Job Supply | Employment Alternative.”
This discrepancy is achieved by leveraging ZeroFont to cover the bogus safety scan message in the beginning of the phishing electronic mail, so whereas it isn’t seen to the recipient, Outlook nonetheless grabs it and shows it as a preview on the e-mail itemizing pane.
Supply: ISC Sans
The purpose is to instill a false sense of legitimacy and safety within the recipient.
By presenting a misleading safety scan message, the chance of the goal opening the message and interesting with its content material rises.
It’s doable that Outlook is not the one electronic mail consumer that grabs the primary portion of an electronic mail to preview a message with out checking if its font dimension is legitimate, so vigilance is suggested for customers of different software program, too.