Phishing is a common cyberattack technique that involves sending fraudulent emails to trick recipients into clicking on malicious links, opening malicious attachments, or providing sensitive information. Phishing emails often try to impersonate legitimate organizations or individuals, and use various methods to evade detection by email security tools.
One of these methods is called ZeroFont phishing, which was first discovered by Avanan in 2018. ZeroFont phishing exploits a flaw in how some email security platforms, such as Microsoft Office 365 Advanced Threat Protection (ATP), use natural language processing (NLP) to analyze the text of emails. NLP is a branch of artificial intelligence that deals with understanding and generating natural language, such as English or French.
ZeroFont phishing works by inserting hidden words or characters in the email text with a font size of zero, making them invisible to human eyes, but still readable by NLP algorithms. These hidden words or characters can be either benign or malicious, depending on the attacker’s goal. For example, an attacker can insert benign words to mask the malicious content of the email, or insert malicious words to trigger a false positive from the security tool.
The main purpose of ZeroFont phishing is to manipulate the NLP analysis of the email and bypass the security filters that rely on it. For instance, an attacker can use ZeroFont phishing to avoid being flagged by Microsoft ATP, which uses NLP to detect known malicious keywords, such as “password”, “account”, or “verification”. By inserting hidden benign words, such as “flower”, “book”, or “movie”, the attacker can dilute the maliciousness score of the email and make it appear as harmless.
A recent example of ZeroFont phishing was reported by ISC Sans analyst Jan Kopriva, who observed a phishing email that used ZeroFont phishing to trick Microsoft Outlook into showing a fake antivirus scan message in the email list². The email claimed to be a job offer from a reputable company, and asked the recipient to open an attached PDF file. However, the email also contained a hidden message at the beginning, which read “Scanned and secured by Isc®Advanced Threat protection (APT): 9/22/2023T6:42 AM”. This message was invisible in the email preview or reading pane, but it was displayed as a preview on the email list, as shown below:
The goal of this trick was to create a false sense of legitimacy and security in the recipient, and increase the likelihood of them opening the attachment, which was actually a malicious file that could infect their device with malware or ransomware. The attacker used ZeroFont phishing to hide the fake antivirus scan message from the Outlook security tool, which would otherwise detect it as suspicious and warn the recipient.
ZeroFont phishing is not a new attack, but it is still effective and widely used by cybercriminals. According to Avanan, ZeroFont phishing is still out there, and it can bypass not only Microsoft ATP, but also other email security platforms, such as Proofpoint, Mimecast, and Symantec. End users should be aware of this sneaky trick and always be cautious when opening emails from unknown or unexpected sources, especially if they contain attachments or links. Users should also use a reliable antivirus software and keep it updated, as well as report any suspicious emails to their IT department or email provider.