Avanan researchers have identified an aggressive attack that uses a number of obfuscation techniques to bypass Microsoft 365 email filters and send users to a personalized login page. The specific code is what we call ZeroFont, which still fools Microsoft's Natural Language Processing abilities nearly two-and-a-half years after we first identified it. There are many variants of it, but in general, ZeroFont injects very small characters between the letters—invisible to the user, but not to the Microsoft scanners, allowing it to bypass the defenses and phish the user.
The Attack: This particular campaign is being carried out by SPAM-EGY, an advanced persistent threat group that guarantees access to the inbox. This specific campaign has been targeting universities.
The typical email looks like a link to a Microsoft document share. Clicking on the document link, takes them to the phishing page. Even if the victim uses the client mouse-over 'preview', it looks like their familiar university login.
This is because the when you click on the "View Document" button, you are directed to a dynamically-rendered page that matches the look and feel of the university's Microsoft login. Not only does it pre-populate the email address, it updates the logo and background to match. (The universities shown here are examples. It works with any organization that uses Microsoft 365.)
But here's the impressive part. The code actually imports the school’s login page on the fly so that it is an exact match. If you change the URL of the email address, it updates the background to match. And it's a bit-for-bit mirror of the actual site. We programmed in an email address for Columbia University. Look what comes up:
Any college works and the recipient get the exact same login window that they expect to see. Students and faculty from statecollege.edu, will see the statecollege.edu login page and background.
How does this email get past Microsoft? (And remember, this passed by both EOP and ATP.) The classic ZeroFont obfuscation technique. Here's what it looks like to Microsoft:
When read by Microsoft filters, it appears to be a newsletter, but to the end-user, it is a document share.
We've written a lot about Zero-Font and its variants. Essentially, hackers insert hidden words with a font of zero. It's invisible to the recipient but it fools Microsoft Natural Language Processors.
The group behind this clever attack is a persistent threat organization called SPAM-EGY. And by using ZeroFont, they claim "10,000% access to the inbox". .
SPAM-EGY is "Phishing-as-a-Service" subscription organization that guarantees:
And though they have stopped their frequent YouTube and social postings, they are still attacking end-users every day.
Their arms race with Microsoft filters typically grants them a few weeks or months of access before the Microsoft response requires a new release.
Today, we are seeing a targeted campaign using these SPAM-EGY techniques. Because each phishing page is embedded with their "Phishing-as-a-Service" license key and email address, we can track the group that is using the SPAM-EGY service to attack these universities:
var arrl = “Enter vic.tim@university.edu”;
var licensekey = ‘UZER58ERE8RWV4’;
var emailkey = ‘cmVkYWN0ZWRoYWNrZXIxODE4OUBnbWFpbC5jb20=’;
Of course, this is not the only attack targeting higher education this season. University-targeted Ransomware is on the rise and it seems that they are taking advantage of Covid-confusion to step up their campaigns.
Join our upcoming webinar on Thursday, December 10th to discuss these attacks and more.
And make sure to subscribe to our Attack Alerts for the latest on SPAM-EGY and all other attacks.