Threat actors are taking advantage of a well-known technique called zero-point font obfuscation to deceive Microsoft Outlook users into believing that phishing emails have undergone successful antivirus scans. This technique not only increases the chances of phishing emails bypassing security measures but also tricks recipients into falling for scams.
Jan Kopriva, an analyst at SANS Internet Storm Center, recently came across a phishing email that employed a font with zero-pixel size, a technique known as ZeroFont Phishing. ZeroFont Phishing was first documented by researchers at Avanan, a Check Point company, in 2018. However, the observed usage of the technique in this particular instance was described by Kopriva as “quite novel.”
Zero font size has long been used by attackers in phishing emails to disrupt the visibility of text, making it more difficult for automated email scanning systems, such as the one used by Outlook, to identify suspicious messages. However, the ZeroFont technique observed by Kopriva had a different purpose. Instead of hindering automated scanners, it aimed to make the message appear more trustworthy to the recipient.
This technique specifically targeted the text displayed in the listing pane of Outlook, which appears on the left side of the screen and gives users a short summary of each message. Normally that pane shows the subject line followed by the beginning of the message text, and the opening words of a phishing email might have alerted the user to the scam. Instead, the pane displayed the subject line followed by a line of text indicating that the message had been scanned and secured by a threat protection service.
Threat actors have been continuously developing more sophisticated phishing scams, adopting various techniques to evade detection. One such technique, also discovered by Avanan, is the use of tiny-sized text in the zero- or one-point font range, known as “One Font.” This font size breaks email-scanning techniques that rely on semantic analysis. Recipients often fail to notice this tiny text because it is too small to read.
In the phishing email observed by Kopriva, the attackers inserted text that appeared to validate the message's security, such as "Scanned and secured by Isc® Advanced Threat protection (APT): 9/22/2023 T6:42 AM," in zero font size before the actual text of the message. As a result, the user saw text confirming the message's security in the listing pane of Outlook, directly below the subject line, while the actual first line of the phishing email, displayed in the reading pane on the right side of the screen, did not reveal the hidden text.
Kopriva explained that this technique exploits a characteristic of how Outlook displays email messages: Outlook, like other mail user agents, includes any text present at the beginning of a message in the listing view, even if that text has a font size of zero and is therefore invisible in the reading pane. Attackers can abuse this mismatch between the two views to deceive recipients.
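The mismatch between the two views is easy to reproduce and to check for on the receiving side. The following scanner is an added example written for this article; it is not code from SANS ISC, Avanan or Microsoft. It walks the HTML body of a message, tracks the CSS `font-size` on each element, and splits the text into what a reading pane would render and what is hidden in zero-point or one-point text (the "One Font" variant is covered by the same threshold, an assumed cutoff of 1pt). It also reconstructs the listing-pane preview under the assumption stated in the article, namely that the preview concatenates all text regardless of size. The sample message is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# One CSS point in CSS pixels (96 px per inch, 72 pt per inch).
ONE_POINT_PX = 4.0 / 3.0
# Assumed cutoff: text at or below one point is treated as effectively invisible
# when rendered, which covers both the ZeroFont and the "One Font" variants.
TINY_THRESHOLD_PX = ONE_POINT_PX

_FONT_SIZE_RE = re.compile(
    r"font-size\s*:\s*([0-9]*\.?[0-9]+)\s*(px|pt|em|rem|%)?", re.IGNORECASE
)
# Elements that never have a closing tag, so they must not touch the element stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr", "source"}


def font_size_px(style):
    """Return the font-size declared in a style attribute, converted to CSS px, or None."""
    if not style:
        return None
    m = _FONT_SIZE_RE.search(style)
    if not m:
        return None
    value = float(m.group(1))
    unit = (m.group(2) or "px").lower()
    if unit == "pt":
        return value * ONE_POINT_PX
    if unit in ("em", "rem"):
        return value * 16.0          # assumes the browser default of 16px
    if unit == "%":
        return value * 16.0 / 100.0  # percentage of the same 16px default
    return value


class _TinyFontScanner(HTMLParser):
    """Collects message text, tagging each fragment as rendered or hidden by font size."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._tiny_stack = []      # one flag per open element: is this text tiny?
        self._skip_depth = 0       # >0 while inside <style> or <script>
        self.all_text = []
        self.visible_text = []
        self.hidden_fragments = []

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip_depth += 1
        if tag in VOID_TAGS:
            return
        size = font_size_px(dict(attrs).get("style"))
        parent_tiny = bool(self._tiny_stack and self._tiny_stack[-1])
        # Tiny text stays tiny for every descendant unless a child sets a larger size;
        # for simplicity an ancestor's tiny size is inherited regardless of overrides.
        self._tiny_stack.append(parent_tiny or (size is not None and size <= TINY_THRESHOLD_PX))

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip_depth:
            self._skip_depth -= 1
        if tag in VOID_TAGS:
            return
        if self._tiny_stack:
            self._tiny_stack.pop()

    def handle_data(self, data):
        if self._skip_depth:
            return
        text = " ".join(data.split())
        if not text:
            return
        self.all_text.append(text)
        if self._tiny_stack and self._tiny_stack[-1]:
            self.hidden_fragments.append(text)
        else:
            self.visible_text.append(text)


def analyze_email_html(html, preview_chars=120):
    """Compare what a listing pane previews with what the reading pane renders."""
    scanner = _TinyFontScanner()
    scanner.feed(html)
    scanner.close()
    return {
        # Assumption from the article: the preview uses all text, font size ignored.
        "listing_preview": " ".join(scanner.all_text)[:preview_chars],
        "rendered_text": " ".join(scanner.visible_text),
        "hidden_fragments": scanner.hidden_fragments,
        "suspicious": bool(scanner.hidden_fragments),
    }


# Constructed sample message body, modelled on the pattern described in the article.
SAMPLE_HTML = """<html><body>
<p style="font-size:0px">Scanned and secured by Example Threat Protection: 9/22/2023 6:42 AM</p>
<p>Dear user, please review the attached invoice.</p>
<span style="font-size:1pt">quarterly newsletter archive</span>
<p>Thank you.</p>
</body></html>"""

if __name__ == "__main__":
    result = analyze_email_html(SAMPLE_HTML)
    print("Listing pane preview:", result["listing_preview"])
    print("Reading pane text   :", result["rendered_text"])
    print("Hidden fragments    :", result["hidden_fragments"])
    print("Flag for review     :", result["suspicious"])
```

A mail gateway or SOC triage script can apply the same split and raise an alert whenever `hidden_fragments` is non-empty, or more narrowly when the hidden text contains words such as "scanned" or "secured" that imitate a security banner. The conversion helper assumes a 16px base size for `em` and `%` values; inline `<font size>` attributes and external stylesheets are deliberately out of scope here.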
Although this technique may have been employed by threat actors for some time, Kopriva emphasized the importance of awareness among defenders. Organizations conducting phishing-oriented security awareness courses should inform employees about this technique to help them easily identify fraudulent messages that use it as a means of avoiding detection.
In conclusion, threat actors are constantly evolving their tactics to carry out successful phishing campaigns. By using techniques like zero-point font obfuscation, they can bypass security measures and deceive users. It is crucial for organizations to educate their employees about these techniques to enhance their ability to detect and prevent phishing attacks.