Once it reaches inboxes disguised as a legitimate message, the One Font campaign relies on typical phishing social-engineering tactics to get people’s attention. Attackers present what looks like a password-expiration notice, using urgent wording to push a potential victim into clicking a malicious link.
That link carries them to a phishing page where they appear to be entering their credentials so they can change their passwords. Instead, threat actors are stealing their credentials to use for other cybercriminal activity, researchers said.
In their post, researchers demonstrated how specific phishing emails used a combination of tactics – specifically, links hidden within the CSS and links slipped within the <font> tag and then sized down to zero – that together confound natural language filters.
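A defender-side check for the zero-size trick described above, added here as an illustration and not taken from the researchers' post: it parses an email's HTML (the sample below is constructed, not a real campaign message) and separates the text a recipient actually sees from text buried in `<font size="0">` or `font-size:0` elements, so a content filter can score only the visible part and flag links that sit inside hidden runs.

```python
from html.parser import HTMLParser

# Constructed sample, not from the campaign: one zero-sized <font> run of filler,
# one span styled font-size:0px, and one link wrapped in a zero-sized font tag.
SAMPLE_EMAIL = """<html><body>
<p>Your password is about to <font size="0">lorem ipsum dolor</font>expire.
Please <a href="https://example.invalid/reset">reset it now</a> to keep
<span style="font-size:0px">zzzz random padding</span>access.</p>
<font size="0"><a href="https://example.invalid/hidden">.</a></font>
</body></html>"""

VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}
ZERO_SIZES = {"0", "0px", "0pt", "0em", "0rem", "0%"}

def _hides_content(tag, attrs):
    """True if this element renders its text at zero size (invisible to a reader)."""
    a = {k.lower(): (v or "") for k, v in attrs}
    if tag == "font" and a.get("size", "").strip() == "0":
        return True
    for decl in a.get("style", "").lower().split(";"):
        prop, _, val = decl.partition(":")
        if prop.strip() == "font-size" and val.split("!")[0].strip() in ZERO_SIZES:
            return True
    return False

class HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._stack = []   # one flag per open element: does it hide its content?
        self._depth = 0    # number of currently open hiding ancestors
        self.visible, self.hidden, self.hidden_links = [], [], []
    def handle_starttag(self, tag, attrs):
        hides = _hides_content(tag, attrs)
        if tag == "a" and (self._depth or hides):      # link a reader cannot see
            self.hidden_links.append(dict(attrs).get("href") or "")
        if tag not in VOID_TAGS:                       # void tags get no end tag
            self._stack.append(hides)
            self._depth += hides
    def handle_endtag(self, tag):
        if self._stack:
            self._depth -= self._stack.pop()
    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self._depth else self.visible).append(text)

def scan_email_html(html):
    """Return what the recipient sees versus what a naive text filter also ingests."""
    s = HiddenTextScanner()
    s.feed(html)
    return {"visible_text": " ".join(s.visible), "hidden_text": s.hidden,
            "hidden_links": s.hidden_links}
```

Feeding only `visible_text` to a phrase or NLP classifier removes the filler that is meant to break up "password" and "expire", and any non-empty `hidden_links` list is itself a strong signal worth alerting on.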