Threat actors are employing an existing technique of zero-point font obfuscation in a new way to fool Microsoft Outlook users into believing phishing emails have successfully been vetted by antivirus scans.
The technique could improve the likelihood that phishing emails will slip past not only security protections, but also trick recipients into falling for scams.
SANS Internet Storm Center analyst Jan Kopriva came across a phishing email that used text written in a font with zero-pixel size — an obfuscation technique first documented by researchers at Avanan, a Check Point company, in 2018 and dubbed ZeroFont Phishing — being used "in quite a novel way," he wrote.
Attackers have long embedded text with zero font size in phishing emails to break up text written in a normal, visible way to make it harder for automated email scanning systems like the one used by Outlook to detect suspicious messages. However, the ZeroFont technique observed by Kopriva had an altogether different intent.
"It wasn't intended to hinder automated scanners from identifying the message as potentially fraudulent/malicious, but instead to make the message appear more trustworthy to the recipient," he wrote in his post.
The technique alters the text that typically would be shown in the listing pane of Outlook — which appears to the left, adjacent to the body of messages and gives users clues to what's in the message, explained Kopriva, also with Czech Republic's Nettles Consulting.
Rather than display merely the usual email subject line and beginning of the message text that may have alerted the user to a phishing scam, the text in the listing pane displayed the subject line — and then another line of text indicating that the message had been scanned and secured by a threat protection service.
Embedding tiny-sized text in the zero- or one-point font range — another technique discovered by Avanan dubbed "One Font" — is one of many ways threat actors have devised to create more evasively sophisticated phishing scams. The tiny font size breaks email-scanning techniques that depend on semantic analysis, confusing the system while email recipients don't detect the text because it's too small to read.
In the phishing email that Kopriva observed, attackers cleverly included text indicating the verification of the message — that is, "Scanned and secured by Isc®Advanced Threat protection (APT): 9/22/2023T6:42 AM" — in zero font size before the text of the message, he said.
This created a scenario in which text that appears to confirm the message as secure was visible to the user in the message's listing pane in Outlook — below the message subject line rather than the actual first line of the phishing email message, which is displayed on the right-hand side of the screen in the user interface.
The technique demonstrates attackers abusing a characteristic of how Outlook displays email-message text, Kopriva explained.
"It seems that Outlook (and likely other [mail user agents]) displays any text which is present at the beginning of a message in the listing view, even if it has zero font size, which can unfortunately be (mis)used," he wrote.
Keep Employees Informed
Kopriva acknowledged that it's possible the tactic already has been used in the wild for some time.
"It is, in any case, one more small addition to the threat actor toolbox which may be used to create more effective phishing campaigns, and it is therefore certainly good for us — as defenders — to be aware of it," Kopriva added.
Since the technique is already in practice by attackers, organizations conducting phishing-oriented security awareness courses should inform employees about the technique so they can easily spot any fraudulent messages that use it as a means of anti-detection, Kopriva added.