What is ‘ZeroFont’ Phishing?

‘Phishing’ is where hackers attempt to get a user to willingly provide personal information, generally through posing to be someone else. It is one of the more threatening forms of hacking, as it is among the most difficult to protect against traditional security measures.

Microsoft Office 365 Zerofont

Hackers continue to find new ways to breach spam and other filters while representing authorities with practical reasons to request information. It is ultimately the user’s decision to trust the hacker which results in information misuse. Users must, therefore, be aware of the nature of phishing tactics and vulnerabilities to best protect themselves.

‘ZeroFont’ phishing attacks have been successful against Office 365 users. In this attack, hackers use a zero-sized font in order to hide identifying information while posing as a reputable account-hosting organization. Users are unable to view zero-sized fonts so they are easily tricked.

What’s Been Happening?

Attacks have been increasing as security researchers learn about this type of internet hacking. ZeroFont phishers have been bypassing Advanced Threat Protection (ATP) processes in popular email services, such as those provided with the commonly used Office 365. Although the advanced Microsoft software uses security processes with many AI and machine learning procedures for blacklisting and other forms of phishing defenses, the ZeroFont method is able to evade these. The use of zero font sizes has proven to be a clever method that allows hackers to sneak in and steal information from a wide range of users.

ZeroFont attacks are actually not new. They were used by hackers in the past but faded into the background for quite some time. For years, hackers have used simple phishing scams to trick users into visiting unsafe sites or giving up their log-in information. This basic method of exploiting internet users has been very successful but cybercriminals are always looking for new and easy ways to steal our money.

Microsoft’s natural language processing has made it more vulnerable to zero font attacks. One example of a hacker using this approach for a successful attack against an Office 365 user involves fraudulent email. The emails are created by a phisher who pretends to be a legitimate Microsoft representative. The email they send out says something about how Microsoft is attempting to notify them that they’ve reached a quota limit of some sort.

Assuming they’ve received an actual message from someone who is their subscription representative, and with the words ‘Microsoft Office 365,’ the email urges the user to divulge personal information. Because of the zero font size, the security program does not recognize relevant keywords and the email is not correctly identified as a ‘spoof’ or spam. Instead, users may choose to cooperate in providing personal information.

ZeroFont attackers can exploit an ability to display a message to users that cannot be properly read by anti-phishing filters. These emails can look as if they are being sent by Facebook, PayPal, Apple, or your financial institution. They urge users to give up sensitive personal information that can then be misused. Hackers have been able to take over Amazon, Facebook and eBay accounts.

While natural language processing is regarded as a powerful aspect of software, highly efficient and effective while safeguarding against email phishing, exploitations of its vulnerabilities have caused ongoing demands for security upgrades. Avanan has more information about the nature of ZeroFont, Punycode, Unicode, and Hexadecimal Escape Character attacks being used today.

Online sources explain that this form of attack has been common, if not rampant since the extent of certain vulnerabilities in Office 365 has been realized.

Security Affairs reported recent phishing ‘campaigns’ that have successfully used this approach, and The Hacker News also reported on a campaign that ‘wildly’ attempted to target a wide range of Office 365 users. The latter was reported to involve a representation of Microsoft while directing users, via a link, to a SharePoint document established to record sensitive information.

As the bodies of the emails sent made use of a zero font size to avoid anti-phishing filters, users were presented with messages that appeared to be legitimate. Imagine getting SharePoint invitations asking for your collaboration or cooperation from Microsoft. It can be tempting to follow the instructions that hackers provide and just do what they say.

Clicked links resulted in automatic openings of the SharePoint file, which hyperlinked the user to an unsafe URL. Therefore even users that did not log in were vulnerable to hacking through the hyperlink, while users that attempted a login also provided their account information to the phisher.

The only way Microsoft can identify such attempts is to scan links within shared documents for URLs that appear to be created for the sake of phishing. Hackers have now become well aware of this. Even if all links are correctly identified, the software would have to blacklist links to all SharePoint files to blacklist the bad URL. This is not a practical fix for the problem.

The Hacker News reported that approximately 10 percent of registered Office 365 users had been targeted by a phishing campaign within just a two week time window.

 

What Should I Do?

Microsoft recommends, in addition to following best practices for trusting a claim of authority in an email, to:

  • Ensure the best ATP anti-phishing software and updates are installed.
  • Use all applicable anti-phishing features.
  • Use the Security & Compliance Center for more information and system- or software-specific instructions and optimization.