In 2018, Avanan researchers discovered the ZeroFont phishing technique, whereby hackers insert hidden words, all with a font size of zero, that is invisible to the recipient but fool Microsoft’s Natural Language Processing. Further, over the last number of years, Avanan analysts have noticed and written about a number of new obfuscation tactics. They run the gamut. We’ve seen hackers use a meta refresh to redirect the end-user; get past Microsoft SafeLinks with ZeroFont and unescape commands; utilize the redirection BDO tag as well as the display none tag; among others.
All of these attacks have the same goal—make the NLP see one thing, and humans see another.
Starting in September 2021, Avanan observed a new obfuscation attack in which the attackers use OneFont size to cloak text, as well as hide links within the CSS. In this attack brief, Avanan will analyze the company’s most recent discovery of the new OneFont attack.
Attack
In this attack, hackers are utilizing a number of forms of obfuscation to bypass email scanners, including CSS styling, font tags and invalid parameters.
- Vector: Email
- Type: Obfuscation, Credential Harvesting
- Techniques: OneFont, CSS styling, font tags, invalid parameters
- Target: Any end-user
In this attack, hackers utilize a number of obfuscation techniques to get a credential harvesting page through to the inbox.
First, all links are hidden within the CSS. This confuses natural language filters. Natural language filters see random text; human readers see what the attackers want them to see.
In addition, hackers put links within the <font> tag, and brought the font size down to one. This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing.
Beyond that, there are invalid parameters, as the “ Padding Left” is set to “;” further confusing scanners.
In the following sections, you’ll see the lengths that attackers go to in order to hide their true intentions.
Email Example #1
In this email, hackers present what looks like a password expiration notification. This email utilizes traditional social engineering tactics, such as urgent language, to get the user to act:
Email Example #2
This is another example of what this email looks like when rendered to the end-user
Techniques
In this email attack, hackers have cloaked their true intentions with obfuscation.
First, they hide links within the CSS, like so:
When doing so, natural language filters see gibberish; end-users see a fully rendered email.
On the right-hand side of the above image, you’ll see how the “Padding Left” is set to “;”, further confusing scanners. You’ll notice the warning sign symbol before “Padding Left” indicating something off with the CSS.
Additionally, hackers slipped links within the <font> tag, and brought the font size down to one, further hiding it from scanners:
This combination can confuse text semantic analysis, which leads many scanners to treat it as a marketing email rather than a phishing email.
Best Practices: Guidance and Recommendations
In order to guard against these attacks, security professionals can do the following:
- Detecting obfuscation attacks can be very difficult, so it’s important to implement a multi-tiered security solution, combining advanced AI and ML, as well as static layers like domain and sender reputation
- Implement a security architecture that relies on more than one factor to block email
- To the end-user, this email looks like a standard request from their IT department. The email is designed to fool both Natural Language Processing and human eyes. For a user to spot this attack, they should rely on their phishing training. They should notice the stilted grammar, such as "Notification Microsoft 365" as a red flag. They should also ask their own IT department before resetting any passwords.
