
ZeroFont Email Filter Bypass Technique

A new technique, known as ZeroFont, for bypassing Microsoft's automatic email filtering has been detailed. Attackers may use it to make spam and phishing campaigns more effective.

In attacks spotted by Avanan, cybercriminals sent phishing emails in which parts of the content were set to render at zero font size using <span style="FONT-SIZE: 0px">. The security firm has dubbed this technique ZeroFont.

Microsoft uses natural language processing (NLP) to examine the HTML content of emails for indicators of phishing and flags offending messages as fraudulent. ZeroFont circumvents this protection by embedding 0-point characters within existing text strings. When an email using ZeroFont is received, Microsoft's NLP analyser reads all text contained in the HTML, whereas the user sees only the text that is rendered on screen; the 0-point characters are never displayed.

This allows an attacker to present different text to the NLP analyser and to the user, and can be used to make Microsoft's email filters misclassify a phishing email as legitimate.

Example

In the example, the filter does not identify the message as a Microsoft spoof because it cannot see the word "Microsoft" in the raw, un-rendered version of the text; the word only appears once the zero-size characters are dropped during rendering. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user.
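The following Python script is an added example, not code from the original article or from Avanan, that makes the mechanism concrete. It builds a constructed phishing body in which junk characters are hidden inside the word "Microsoft" using FONT-SIZE: 0px spans, then extracts the text two ways: the raw text a CSS-unaware filter would read, and the visible text a recipient sees once zero-font elements are dropped. The final check flags any message where the two differ. The sample HTML, the font-size regex and the "naive filter" are assumptions made for illustration; they are not Microsoft's actual implementation.

```python
"""
ZeroFont demo (added example): compare what a naive text extractor reads
from an HTML email with what the recipient actually sees once zero-size
font spans are dropped, and flag the mismatch.  Standard library only.
"""
import re
from html.parser import HTMLParser

# Hypothetical pattern for this example: matches a style declaration that sets
# font-size to zero (0, 0px, 0pt, 0em, 0%, optionally !important).
# "0.5px" and "10px" do not match.  A production filter would use a CSS parser.
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:!important\s*)?(?:;|$)",
    re.IGNORECASE,
)

# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}

# Constructed sample message: the user sees "Microsoft", a raw-text scan does not.
SAMPLE_HTML = """
<html><body>
<p>Dear user, your Mi<span style="FONT-SIZE: 0px">xx</span>cro<span style="font-size:0">yy</span>soft account needs verification.</p>
<p>Sign in at <a href="http://example.com/login">example.com</a> today.</p>
</body></html>
"""


def style_hides_text(style: str) -> bool:
    """True if an inline style makes text invisible via a zero font size."""
    return bool(ZERO_FONT_RE.search(style or ""))


class ZeroFontExtractor(HTMLParser):
    """Collect the raw text (everything in the HTML) and the visible text
    (everything outside zero-font elements) in a single pass."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.raw_parts = []
        self.visible_parts = []
        self.hidden_parts = []
        self.zero_font_spans = 0
        self._stack = []        # (tag, hides_text) for each open element
        self._hidden_depth = 0  # > 0 while inside at least one zero-font element

    def handle_starttag(self, tag, attrs):
        hides = style_hides_text(dict(attrs).get("style", ""))
        if hides:
            self.zero_font_spans += 1
        if tag in VOID_TAGS:
            return
        self._stack.append((tag, hides))
        if hides:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop until the matching open tag; tolerates sloppy, unclosed markup.
        while self._stack:
            open_tag, hides = self._stack.pop()
            if hides:
                self._hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        self.raw_parts.append(data)
        if self._hidden_depth:
            self.hidden_parts.append(data)
        else:
            self.visible_parts.append(data)


def _norm(parts):
    """Join text fragments and collapse whitespace the way a renderer would."""
    return " ".join("".join(parts).split())


def analyze(html: str) -> dict:
    """Return raw, visible and hidden text plus the number of zero-font elements."""
    p = ZeroFontExtractor()
    p.feed(html)
    p.close()
    return {
        "raw": _norm(p.raw_parts),
        "visible": _norm(p.visible_parts),
        "hidden": _norm(p.hidden_parts),
        "zero_font_spans": p.zero_font_spans,
    }


def naive_brand_check(html: str, brand: str = "microsoft") -> bool:
    """Stand-in for a filter that scans only the raw text; it misses the brand."""
    return brand in analyze(html)["raw"].lower()


def rendered_brand_check(html: str, brand: str = "microsoft") -> bool:
    """Same check against the text the user actually sees."""
    return brand in analyze(html)["visible"].lower()


def zerofont_suspect(html: str) -> bool:
    """Flag a message whose rendered text differs from its raw text
    because of zero-size font declarations."""
    r = analyze(html)
    return r["zero_font_spans"] > 0 and r["visible"] != r["raw"]


if __name__ == "__main__":
    r = analyze(SAMPLE_HTML)
    print("raw text    :", r["raw"])
    print("visible text:", r["visible"])
    print("naive filter sees brand   :", naive_brand_check(SAMPLE_HTML))
    print("rendered check sees brand :", rendered_brand_check(SAMPLE_HTML))
    print("ZeroFont suspect          :", zerofont_suspect(SAMPLE_HTML))
```

The point of the two extractors is the defensive lesson: any filter that tokenises HTML without honouring the CSS that hides text will read "Mixxcroyysoft" and pass the brand check, while the recipient reads "Microsoft". A cheap mitigation is the last function: treat any message containing zero-font elements whose visible text differs from its raw text as suspicious, or simply run the NLP analysis on the rendered text instead of the raw markup.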

Affected Platforms

  • Microsoft email filtering – the NLP-based anti-phishing analysis described above





Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
