Avanan researchers have uncovered an emerging phishing technique that has not yet been released by hackers and is still in testing mode on the dark web, but promises to make a lot of headway soon. We're calling this attack: Go HSIPH—or phish in reverse. 

The Attack:  This brand-new phishing technique leverages the <bdo> tag, or "Bidirectional Text Override." The tag is commonly used to switch the direction of the text. Look at this example of translating English to Hebrew: 


But hackers have found a way to use <bdo> tag to reverse all the text in an email and thus completely bypass Microsoft 365's anti-phishing natural language processing (NLP). To the human recipient it looks like this:

Looks like a standard login page. But behind the scenes it looks like this:


When humans view this, they see "Office 365 please change your password."

When the machine sees it, the reverse is shown. With the <bdo> tag between every two letters, Microsoft EOP and ATP completely fail to detect the attack. Our team is still testing this attack against leading Secure Email Gateway providers—so far all have failed to detect it. More to come when we complete the test.

And Things are Getting Worse

The hackers use JavaScript or CSS to return the text to a legit form again.

However, the <bdo> tag redirects the users to a fake Microsoft page, using even more obfuscation to bypass SafeLinks:

Though Avanan stopped this attack, it passed by ATP's scanners.

By utilizing redirection, this attack is specifically targeting SafeLinks. SafeLinks, as we've written before, is the new battleground for hackers. It's no longer enough to protect the inbox. What happens after is just as important. 

Why it Matters: This is a brand new attack that has yet to be fully rolled out.  As of now, hackers are still testing and refining it on the dark web.

However, because obfuscation techniques like ZeroFont, MetaMoprh, SiteCloak and TattleToken can get by ATP, SafeLinks and other scanners, our analysts estimate that this is an attack that could make major headway. 

Be sure to subscribe to our attack alerts as we'll continue to report on the latest on Go HSIPH. 

Sign Up For Attack Alerts