Cybercriminals and email scammers are using simple technique in the wild to bypass security features of Micorsoft Office 365. This includes Safe Links that was designed to protect users from phishing and malware attacks. Security researcher have been warning about this techniques.
As a part of Advanced Threat Protection (ATP) solution Safe Links has been included by Microsoft in Office 365. This works by replacing all URLs in an incoming email with Microsoft-owned secure URLs. When users click on a link included in an email, Safe Links sends to Microsoft owned domain that checks for any suspicions. If anything is detected then it warns users else directs to that link.
However, researchers at the cloud security company Avanan have revealed how attackers have been bypassing both Office 365's URL reputation check and Safe Links URL protection features by using Zero-Width SPaces (ZWSPs). Zero-Width are non-printing Unicode characters used to enable line wrapping in long words. All modern web browsers supports this and most applications take them as regular space. This is not visible to the eye.
- ​ (Zero-Width Space)
- ‌ (Zero-Width Non-joiner)
- ‍ (Zero-Width Joiner)
-  (Zero-Width No-Break Space)
- 0 (Zero-Width Digit Zero)
Attackers are using multiple zero-width spaces within malicious URL in phishing emails which Microsoft does not recognize. And when users clicked on the link Microsoft did not find it suspicious and directs to the link. This is when users were landed to credentials harvesting phishing website. Link to demonstration can be found here.
How the URL looks to Microsoft Security: http‌s://go‌ogle.co‌m/
How it looks to users: https://google.com
No comments:
Post a Comment