Back in 2018, Avanan uncovered an attack we called ZeroFont phishing. The idea is that hackers insert hidden words into the text with a font size of zero. The recipient can't see it, but it works as a way to obfuscate text to get past Microsoft NLP scanners.  

Three years later, this method of attack is still out there and it still works to get past Microsoft and other email scanners. Avanan researchers have uncovered a new ZeroFont attack that hit over 1,000 mailboxes in recent days.  The attack was primarily focused on the financial sector—71% of those hit worked in finance. Nearly 10% of those hit were in the education sector.

This was a spray-and-pray attack. It did not focus on specific job titles—everyone from the C-Suite to interns were hit. 

Though Avanan stopped this email, it was missed by both ATP and Mimecast. 

This is what the attack looks like. When the victim's mail client opens the email, the user will see this:

 



However, if you copy the contents of the email and paste it into a text editor, this is what you'll see:

 

More importantly, this is also what the Natural Language Processing AI will see when scanning this email. The NLP sees a seemingly random string of characters, none of which looks malicious. Luckily, Avanan uses a multi-layered approach to catching sophisticated email attacks like this. These attacks would have been caught by our static layer that checks for the use of CSS styles to hide text like "font-size 0px". “

Once Avanan detects that this email uses that CSS style, it is automatically set to a very high score of suspicion. When we add our traditional security layers on top of it, like "sender reputation," domain history," and "existence of links," Avanan can easily classify this as a phishing attack and block it accordingly. 

An attack style like Zero Font remains difficult for many other email scanners to stop. ZeroFont and its variants—SiteCloak, MetaMorph, TattleToken and GO HSIPH— have continually stumped ATP and other scanners for nearly three years.

Subscribe to Our Attack Briefs for More Research