In a recent phishing campaign, researchers noticed the long-known ZeroFont phishing technique being used to trick Microsoft Outlook users. Users need to remain vigilant when interacting with unsolicited emails, specifically checking whether the email preview matches the actual email body.
Latest ZeroFont Phishing Campaign Targets Outlook Users
In a recent post, Jan Kopriva, an analyst from the SANS Internet Storm Center (ISC), has shared details about a new ZeroFont phishing campaign.
As the term implies, ZeroFont phishing involves text-based phishing scams, usually emails, in which the attackers hide some text characters by setting their font size to zero. This makes the characters invisible to the reader, but algorithms and natural language processing (NLP) systems can still read them. Such characters may therefore help the attackers bypass security checks.
That’s what Kopriva observed in a recent phishing campaign. His post covers the attack in detail; briefly, the phishing email raised suspicion when the researcher noticed that the email preview differed from the message body when viewing the email in Microsoft Outlook.
Specifically, he found the email preview displaying the phrase “Scanned and secured by Isc®Advanced Threat protection (APT): 9/22/2023T6:42 AM”, which appeared nowhere in the email body. This phrase, appearing right below the email subject “Email Opportunity…”, lent the email an air of safety, tricking a user into believing that the email passed antivirus detection.
However, given that Microsoft Outlook never shows such security alerts with emails and that this phrase didn’t appear within the email body, the researcher spotted the phishing attempt. Then, reading the email message further confirmed his suspicion as it exhibited bad grammar and poor text construction.
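The mismatch described above can be checked mechanically. The following is an added example, not code from Kopriva's post or this article: it splits an HTML email body into the text a reader sees and the text hidden with a zero font size, and shows what a CSS-unaware text extractor (used here as a stand-in for a preview pane or filter) picks up first. The names `ZeroFontScanner` and `scan`, the `preview_chars` cut-off and the sample message are assumptions; only inline `style` attributes are inspected.

```python
import re
from html.parser import HTMLParser

# Font size of exactly zero (0, 0px, 0.0em), but not 0.5em or 10px.
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(?:\.0+)?(?![\d.])", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # elements with no end tag

class ZeroFontScanner(HTMLParser):
    """Separates text a reader sees from text hidden with a zero font size."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # one flag per open element: is its text zero-sized?
        self.rendered, self.hidden, self.extracted = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1]
        # An explicit font-size overrides the parent's; otherwise inherit it.
        own = "font-size" in style.lower()
        self.stack.append(bool(ZERO_FONT.search(style)) if own else inherited)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            self.extracted.append(text)  # every text node, in document order
            zero = bool(self.stack) and self.stack[-1]
            (self.hidden if zero else self.rendered).append(text)

def scan(html_body, preview_chars=80):
    s = ZeroFontScanner()
    s.feed(html_body)
    s.close()
    return {"preview": " ".join(s.extracted)[:preview_chars],  # CSS-unaware view
            "rendered": " ".join(s.rendered),                  # reader's view
            "hidden": s.hidden}                                # non-empty = flag

# Constructed sample; the hidden phrase is the one quoted in the article.
SAMPLE = ('<html><body><div><span style="font-size: 0px">Scanned and secured '
          'by Isc&reg;Advanced Threat protection (APT): 9/22/2023T6:42 AM</span>'
          '<p>Hello,<br>we have a job offer for you.</p></div></body></html>')
```

A non-empty `hidden` list, or a `preview` that does not start the same way as `rendered`, is a reason to treat the message as suspicious.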
Although ZeroFont phishing isn’t a new technique (it first surfaced online in 2018, when Avanan reported it in detail), Kopriva believes that using the technique to trick users in this way is somewhat new. Therefore, users, particularly those relying on email previews, must remain vigilant while checking emails, especially unsolicited ones, regardless of whether they bypass or claim to have passed email security measures.