New ZeroFont phishing tricks Outlook into showing fake AV-scans
<blockquote data-quote="Jakesu" data-source="post: 41" data-attributes="member: 7"><p>Hackers are utilizing a new trick of using zero-point fonts in emails to make malicious emails appear as safely scanned by security tools in Microsoft Outlook.</p><p></p><p>Although the ZeroFont phishing technique has been used in the past, this is the first time it has been documented as used in this way.</p><p></p><p>In a new report by ISC Sans analyst Jan Kopriva, the researcher warns that this trick could make a massive difference in the effectiveness of phishing operations, and users should be aware of its existence and use in the wild.</p><p></p><p><strong>ZeroFont attacks</strong></p><p></p><p>The ZeroFont attack method, first documented by Avanan in 2018, is a phishing technique that exploits flaws in how AI and natural language processing (NLP) systems in email security platforms analyze text.</p><p></p><p>It involves inserting hidden words or characters in emails by setting the font size to zero, rendering the text invisible to human targets, yet keeping it readable by NLP algorithms.</p><p></p><p>This attack aims to evade security filters by inserting invisible benign terms that mix with suspicious visible content, skewing AI's interpretation of the content and the result of security checks.</p><p></p><p>In its 2018 report, Avanan warned that ZeroFont bypassed Microsoft's Office 365 Advanced Threat Protection (ATP) even when the emails contained known malicious keywords.</p><p></p><p><strong>Hiding bogus antivirus scans</strong></p><p></p><p>In a new phishing email seen by Kopriva, a threat actor uses the ZeroFont attack to manipulate message previews on widely used email clients such as Microsoft Outlook.</p><p></p><p>Specifically, the email in question displayed a different message in Outlook's email list than in the preview pane.</p><p></p><p>As you can see below, the email listing pane reads "Scanned and secured by Isc®Advanced Threat protection (APT): 9/22/2023T6:42 AM," whereas the beginning of the email in the preview/reading pane displays "Job Offer | Employment Opportunity."</p><p></p><p><a href="https://www.bleepstatic.com/images/news/u/1220909/2023/PyPI/10/email.png" target="_blank"><img src="https://www.bleepstatic.com/images/news/u/1220909/2023/PyPI/10/email.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></a></p><table style='width: 100%'><tr><td>Malicious phishing message</td></tr></table><p>This discrepancy is achieved by leveraging ZeroFont to hide the bogus security scan message at the start of the phishing email, so while it's not visible to the recipient, Outlook still grabs it and displays it as a preview on the email listing pane.</p><p></p><p><a href="https://www.bleepstatic.com/images/news/security/phishing/zero-font.jpg" target="_blank"><img src="https://www.bleepstatic.com/images/news/security/phishing/zero-font.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></a></p><table style='width: 100%'><tr><td>Zero-font attack hiding antivirus scan message</td></tr></table><p>The goal is to instill a false sense of legitimacy and security in the recipient.</p><p></p><p>By presenting a deceptive security scan message, the likelihood of the target opening the message and engaging with its content rises.</p><p></p><p>It is possible that Outlook isn't the only email client that grabs the first portion of an email to preview a message without checking if its font size is valid, so vigilance is advised for users of other software, too.</p></blockquote><p></p>
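As an added, defender-side example (written here, not part of Jakesu's post or the ISC report), a small Python script that splits an HTML email body into text rendered at a non-zero font size and text hidden with `font-size:0`, then compares what a font-size-blind preview would show against the visible start of the message. The sample email, the exact-zero threshold and the 60-character preview length are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the email described in the post: a zero-point
# span at the top (what a naive preview pane grabs), followed by the visible body.
SAMPLE_EMAIL_HTML = """<html><body>
<span style="font-size:0px">Scanned and secured by Isc(R) Advanced Threat protection (APT): 9/22/2023T6:42 AM</span>
<p style="font-size:14px">Job Offer | Employment Opportunity</p>
<p>Please review the attached document.</p>
</body></html>"""

FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([0-9]*\.?[0-9]+)\s*(px|pt|em|rem|%)?", re.I)


def _is_zero_font(style):
    """True if an inline style sets font-size to exactly 0 (assumption: any unit)."""
    m = FONT_SIZE_RE.search(style or "")
    return bool(m) and float(m.group(1)) == 0.0


class _ZeroFontSplitter(HTMLParser):
    """Route text nodes into 'visible' or 'hidden' based on the enclosing font-size."""
    VOID = {"br", "img", "hr", "input", "meta", "link"}

    def __init__(self):
        super().__init__()
        self.stack = []  # one bool per open element: True if it or an ancestor is zero-font
        self.visible, self.hidden, self.all_text = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        parent_hidden = self.stack[-1] if self.stack else False
        self.stack.append(parent_hidden or _is_zero_font(dict(attrs).get("style", "")))

    def handle_endtag(self, tag):
        if tag not in self.VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        self.all_text.append(text)
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)


def split_text(html):
    """Return (visible_text, zero_font_text) for an HTML email body."""
    p = _ZeroFontSplitter()
    p.feed(html)
    p.close()
    return " ".join(p.visible), " ".join(p.hidden)


def naive_preview(html, length=60):
    """What a preview that ignores font size shows: all text in document order, truncated."""
    p = _ZeroFontSplitter()
    p.feed(html)
    p.close()
    return " ".join(p.all_text)[:length]


def zerofont_finding(html, length=60):
    """hidden_text non-empty => ZeroFont present; preview_mismatch => the preview-pane trick."""
    visible, hidden = split_text(html)
    preview = naive_preview(html, length)
    return {"hidden_text": hidden, "preview": preview,
            "preview_mismatch": bool(hidden) and not visible.startswith(preview)}
```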