Evolving ZeroFont phishing attacks target Outlook users
Threat actors are using a new twist on a longtime phishing tactic to compel corporate end users to open malicious emails. Learn how ZeroFont attacks work and how to prevent them.
ZeroFont phishing dates back many years as a way for attackers to slip malicious emails past spam filters, but the techniques and objectives behind it continue to evolve.
Recently, for example, cybersecurity researchers have observed malicious hackers using updated twists on ZeroFont scams to target Microsoft 365 users.
How do ZeroFont attacks work?
Early ZeroFont attacks set the font size of selected text in HTML emails to zero, so that a security scanner reading the raw message text saw something different from what the recipient saw on screen. Hiding telltale signs of spam from the scanner in this way increased the likelihood that the messages reached end users' inboxes.
In 2018, researchers from email security provider Avanan coined the term ZeroFont to describe a phishing campaign that targeted Microsoft's natural language processing (NLP) scanners. The attack worked by obscuring words that might indicate fraud, such as a signature that didn't match the sender's domain, with nonsense text that -- because it was set to zero pixels -- was invisible to the end user. So, for example, while the NLP scanner might see "llksdjflkjMicrosoftlkdjasf," the end user would see "Microsoft."
Three years later, Avanan found another ZeroFont attack that penetrated more than 1,000 email inboxes, most belonging to workers from the financial sector.
More recently, in late 2023, cybersecurity analyst Jan Kopřiva spotted a new ZeroFont attack in which the aim of the threat actors had evolved. Rather than tricking email scanners, the attackers used ZeroFont techniques to trick Microsoft Outlook users.
Kopřiva outlined the attack in a SANS Internet Storm Center blog post, describing how an email message -- appearing to contain a possible job offer -- rendered differently in the inbox preview window than it did when the message was opened.
Specifically, the message preview contained an official-appearing notation that it had been "scanned and secured," offering false assurance that the message was trustworthy and increasing the likelihood the user would engage with it.
The phrase did not appear in the opened message body because it was set to a zero-pixel font size. The preview in Outlook, however, is built from the message text without applying its styling, so it displayed all text at the beginning of the message regardless of font size, color or transparency. According to Kopřiva, other email clients' preview functions work similarly.
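Both ZeroFont variants described above (junk text hidden inside a brand name to defeat a scanner, and a zero-size decoy line that only the preview shows) come down to the same gap: what a recipient sees when the HTML is rendered differs from the raw text a scanner or preview pane works on. The following detector is an added example written for this article, not code from Kopřiva, Avanan or Microsoft. It parses an HTML body with the Python standard library, separates rendered text from text hidden by inline styles, and reports both effects. The two email bodies, the list of hiding styles and the "assurance" phrases are constructed for illustration; the font-size:0 pattern is the one the article describes, and the other styles are common variants, not claims about any specific campaign.

```python
"""Split an HTML email body into rendered text and ZeroFont-hidden text.

Added example (not from the original article). Standard library only.
"""
import re
from html.parser import HTMLParser

# Inline styles that keep a run of text out of the rendered message.
# font-size:0 is the ZeroFont trick itself; the rest are common variants.
HIDING_STYLE = re.compile(
    r"(font-size\s*:\s*0(\.0*)?(px|pt|em|rem|%)?\s*(;|$))"
    r"|(display\s*:\s*none)"
    r"|(visibility\s*:\s*hidden)"
    r"|(opacity\s*:\s*0(\.0*)?\s*(;|$))",
    re.IGNORECASE,
)

# Elements with no closing tag; they must not linger on the element stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr", "area",
             "base", "col", "embed", "source", "track"}

# Elements whose content is never rendered as body text.
NON_TEXT_TAGS = {"style", "script", "head", "title"}

# Illustrative phrases a decoy line might use to fake a security check.
ASSURANCE_PHRASES = ("scanned and secured", "verified sender", "safe to open")


class ZeroFontExtractor(HTMLParser):
    """Collect (text, hidden) segments in document order."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []         # (tag, hides_text) for each open element
        self.hidden_depth = 0   # > 0 while inside an element that hides text
        self.skip_depth = 0     # > 0 while inside <style>, <script>, ...
        self.segments = []      # (text, hidden) in document order

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hides = bool(HIDING_STYLE.search(style))
        self.stack.append((tag, hides))
        if hides:
            self.hidden_depth += 1
        if tag in NON_TEXT_TAGS:
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        # Pop to the matching open tag, tolerating unbalanced markup.
        while self.stack:
            open_tag, hides = self.stack.pop()
            if hides:
                self.hidden_depth -= 1
            if open_tag in NON_TEXT_TAGS:
                self.skip_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.skip_depth or not data:
            return
        self.segments.append((data, self.hidden_depth > 0))


def _norm(parts):
    """Join text fragments and collapse whitespace like a renderer would."""
    return " ".join("".join(parts).split())


def analyze(html):
    """Return rendered text, raw text (what a scanner sees) and hidden runs."""
    parser = ZeroFontExtractor()
    parser.feed(html)
    parser.close()
    visible = _norm(t for t, hidden in parser.segments if not hidden)
    raw = _norm(t for t, _ in parser.segments)
    hidden = [_norm([t]) for t, h in parser.segments if h and t.strip()]
    fake_assurance = [r for r in hidden
                      if any(p in r.lower() for p in ASSURANCE_PHRASES)]
    return {"visible": visible, "raw": raw, "hidden": hidden,
            "fake_assurance": fake_assurance, "suspicious": bool(hidden)}


def preview_text(html, width=60):
    """Model a preview pane that shows the first characters of all message
    text regardless of styling, which is the behaviour the article describes."""
    return analyze(html)["raw"][:width]


def brand_visible_only(html, brand):
    """True when the recipient sees the brand but raw-text matching does not:
    the 2018 NLP-evasion pattern."""
    r = analyze(html)
    return brand.lower() in r["visible"].lower() and brand.lower() not in r["raw"].lower()


# Constructed sample 1: junk inside a brand name so a scanner matching on raw
# text never sees "Microsoft".
NLP_EVASION = """<html><body>
<p>Micro<span style="font-size:0px">lkdjasf</span>soft account security alert.</p>
<p>Sign in to review recent activity.</p>
</body></html>"""

# Constructed sample 2: a zero-size first line that only the preview shows.
PREVIEW_DECOY = """<html><body>
<div style="font-size:0px;line-height:0">Scanned and secured by Advanced Threat Protection</div>
<p>Hello, we reviewed your profile and would like to discuss a job opportunity.</p>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("nlp_evasion", NLP_EVASION), ("preview_decoy", PREVIEW_DECOY)):
        r = analyze(body)
        print(name, "| preview:", preview_text(body, 48), "| hidden:", r["hidden"])
```

Two caveats for anyone running this on real mail: legitimate marketing templates also use zero-size or hidden "preheader" text to control what the preview shows, so the `suspicious` flag is a triage signal rather than a verdict, and the `fake_assurance` list is the part worth alerting on. The detector also only looks at inline `style` attributes; a hardened version would also resolve classes from embedded stylesheets, which the article does not discuss.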
The aim, as in all phishing emails, is to make the email compelling and credible enough that users engage with it, even if the sender is an unfamiliar or suspicious source. Then, the attacker can try to steal login credentials, access sensitive data or spread ransomware or other malware.
How to prevent ZeroFont phishing attacks
Social engineering techniques appeal to human vulnerabilities to get end users to fall for phishing campaigns that target their interests or hopes -- e.g., "new employment opportunity" -- or appear to come from trusted sources. Some security researchers have gone as far as to say the weakest security link in any organization is the end user.
There is certainly truth to this, as employees often miss clear signs of malicious or otherwise harmful content. Security training vendor KnowBe4 found, for example, that, in baseline phishing tests across 55,675 participating organizations, more than one-third of end users engaged with suspicious links or requests.
This underscores the need for both continuing end-user education and vigilance around ZeroFont and other evolving phishing techniques. Organizations and individual employees should follow email security best practices, remembering that -- while antiphishing technology, such as email scanning and AI-based security filtering, is important -- clever cybercriminals continue to find ways to trick these systems. The best defense an enterprise has is an aware end user.
Teach employees to treat every message with healthy skepticism and ask themselves questions such as the following:
- Do I know the source?
- Is the email domain familiar, and does it match the sender's name? An email that might appear to come from Apple technical support could actually come from a domain like "xyzhaveagoodtime.net."
- Does the message appear trustworthy?
- Does the message have a sense of urgency, compelling the recipient to act quickly to prevent a negative outcome or to take advantage of a limited-time opportunity?
Remind employees that attackers can take over legitimate email accounts or spoof sender addresses. So, even if the source appears legitimate, the recipient should also pay attention to the communication style the sender uses. For example, imagine a message appears to come from a supervisor who has a concise writing style, but the email is unusually verbose. The recipient should check with the apparent source via a separate communication channel, such as in person or by phone, to confirm they sent the message.
Poor spelling and grammar remain good indicators that an email is spam or worse. Threat actors have improved their techniques -- aided by generative AI -- but many phishing schemes still include major red flags, such as misspellings or missing punctuation.
Phishing schemes often prey on targeted end users' anxieties or aspirations. ZeroFont and other phishing schemes might, for example, demand the end user click on a link to stop fraudulent activity or claim a cash prize. The link typically leads to a landing page where the end user is asked to provide personal information, which the threat actor then can exploit.
To ensure end users are in the best position to protect themselves and corporate assets, organizations must provide them with ongoing, frequent and dynamic security awareness training. Material should keep best practices top of mind, as well as explain emerging and evolving phishing techniques.
Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As a principal analyst at GlobalData, she covers managed security and cloud services.