A recent discovery has revealed a vulnerability in Microsoft 365 (formerly known as Office 365) that enables malicious actors to bypass anti-phishing measures. One of the key anti-phishing features in Exchange Online Protection (EOP) and Microsoft Defender for Office 365 is the ‘First Contact Safety Tip.’ This safety tip serves as a cautionary measure for users when they receive an email from an unfamiliar sender.
The First Contact Safety Tip is embedded in the HTML email body and can be manipulated using Cascading Style Sheet (CSS) style tags. Security experts have identified a method to effectively hide the First Contact Safety Tip from users, thus potentially leaving them vulnerable to phishing attacks.
When a user receives an email from a sender with whom they do not regularly interact, Outlook typically displays an alert warning them about the unusual sender. Researchers have demonstrated that by manipulating the HTML code of an email, it is possible to hide the First Contact Safety Tip from the recipient. While certain CSS rules like ‘display: none,’ ‘height: 0px,’ and ‘opacity: 0’ may not be supported by Outlook’s rendering engine, changing the background and font colors to white can render the alert virtually invisible to the recipient.
According to Certitude researchers, “It is possible to change the background and font colors to white so that the alert is effectively invisible when rendered to the end user viewing the email.” By employing this method, the alert can be concealed within the email body without the user noticing its presence.
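A mail-filtering team that wants to catch this class of trick can scan inbound HTML for style rules whose text color equals its background color, which is the condition described above. The following detector is an added example, not Certitude's or Microsoft's code; the sample email, the `hypothetical-tip` class name and the selectors are constructed placeholders, not the real markup Outlook injects. It handles both `<style>` blocks and inline `style` attributes and normalizes the common ways of writing white (`white`, `#fff`, `#ffffff`, `rgb(255,255,255)`, with or without `!important`).

```python
"""Flag CSS in an HTML email body that would render text invisible.

Added example (not Certitude's or Microsoft's code). A rule is flagged when its
text color and background color resolve to the same value, the technique the
article describes for hiding the First Contact Safety Tip. All sample markup
below is constructed; the class "hypothetical-tip" is a placeholder.
"""
import re
from html.parser import HTMLParser

# Only the named colors this example needs; extend as required.
NAMED_COLORS = {"white": "#ffffff", "black": "#000000"}


def normalize_color(value):
    """Return a color as lowercase #rrggbb, or None if the value is not a plain color."""
    v = value.strip().lower()
    if v in NAMED_COLORS:
        return NAMED_COLORS[v]
    m = re.fullmatch(r"#([0-9a-f]{3})", v)
    if m:
        return "#" + "".join(c * 2 for c in m.group(1))
    m = re.fullmatch(r"#([0-9a-f]{6})", v)
    if m:
        return "#" + m.group(1)
    m = re.fullmatch(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", v)
    if m:
        return "#%02x%02x%02x" % tuple(min(int(x), 255) for x in m.groups())
    return None  # gradients, url(...) shorthands, etc. are not evaluated here


def parse_declarations(decl_text):
    """Extract normalized 'color' and 'background-color' from a CSS declaration list."""
    props = {}
    for part in decl_text.split(";"):
        if ":" not in part:
            continue
        name, _, val = part.partition(":")
        val = re.sub(r"\s*!important\s*$", "", val.strip())
        name = name.strip().lower()
        if name == "background":  # shorthand; only a bare color is understood
            name = "background-color"
        if name in ("color", "background-color"):
            props[name] = normalize_color(val)
    return props


def is_invisible(props):
    """True when text color and background color are both known and identical."""
    fg, bg = props.get("color"), props.get("background-color")
    return fg is not None and bg is not None and fg == bg


class _StyleCollector(HTMLParser):
    """Collects (source, selector_or_tag, id/class) for every invisible-text rule."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        style = attrs.get("style")
        if style and is_invisible(parse_declarations(style)):
            self.findings.append(("inline", tag, attrs.get("id") or attrs.get("class") or ""))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser delivers <style> contents as one data chunk; split it into rules.
        if not self._in_style:
            return
        for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", data):
            if is_invisible(parse_declarations(body)):
                self.findings.append(("stylesheet", selector.strip(), ""))


def find_invisible_text_rules(html):
    """Return a list of rules in the HTML that would hide text by color matching."""
    parser = _StyleCollector()
    parser.feed(html)
    return parser.findings


# Constructed sample email: one stylesheet rule and one inline style hide text,
# the paragraph rule is ordinary dark-on-light and must not be flagged.
SAMPLE_EMAIL = """<html><head><style>
  table.hypothetical-tip td { color: white; background-color: #FFF !important; }
  p.body { color: #333; background: #fff; }
</style></head><body>
<table class="hypothetical-tip"><tr><td>You don't often get email from ...</td></tr></table>
<p class="body">Hello</p>
<span style="color: rgb(255,255,255); background: white">hidden</span>
</body></html>"""

if __name__ == "__main__":
    for finding in find_invisible_text_rules(SAMPLE_EMAIL):
        print("suspicious invisible-text rule:", finding)
```

A hit on a rule that targets table cells near the top of the body is the pattern to escalate; a hit on ordinary content can be a legitimate design choice, so treat the result as a scoring signal for the mail filter rather than an automatic block.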
Furthermore, experts have managed to spoof the icons used by Microsoft Outlook to indicate encrypted or signed emails, adding an additional layer of deception to potential phishing attempts. Despite being made aware of these issues, Microsoft has chosen not to address this behavior immediately.
In response to reports regarding the vulnerability, Microsoft MSRC stated, “We determined your finding is valid but does not meet our bar for immediate servicing, considering this is mainly applicable to phishing attacks. However, we have still marked your finding for future review as an opportunity to improve our products.”
As cyber threats continue to evolve, it is crucial for organizations to stay vigilant and address vulnerabilities promptly to safeguard sensitive information and prevent security breaches. Enhancing anti-phishing measures and regularly educating users about potential risks can help mitigate the impact of such vulnerabilities in the future.
