Evolution in ZeroFont Phishing Technique Observed
Evolution in ZeroFont Phishing Technique Observed

Image: Philipp Katzenberger (unsplash)

Cybercriminals have tapped into the ZeroFont technique to manipulate users’ trust in phishing emails, as highlighted by SANS ISC expert Jan Kopriva.

Understanding the ZeroFont Tactic

This technique, initially documented and coined by Avanan in 2018, involves embedding text in font size “0” throughout an email. Its prior use centered around evading Microsoft’s NLP-based anti-phishing measures by fragmenting text sequences that could potentially activate those protections.

The Recent Observation

Usually, email clients display messages in a bifurcated window system: the left side displays a list of received, sent, or drafted messages, and the right presents the email content itself. Crucially, the left pane also showcases details like the sender’s name, the subject line, and the initial portion of the email’s text.

Kopriva encountered a phishing email that cleverly employed the ZeroFont technique to give an impression that the email had undergone scrutiny by anti-spam filters. However, the assertion (Scanned and secured by Isc®Advanced Threat Protection (APT): 9/22/2023T6:42 AM) only emerged in the listing section. This was because the exact phrase, positioned at the email’s outset in a zero font size, remained unseen by the email’s receiver.

What’s interesting is that platforms like Outlook, and possibly other Mail User Agents, show any text placed at a message’s beginning in the listing view, regardless of its font size. Kopriva pointed out this feature’s potential exploitation by ill-intended actors. He commented, “The obscured text in the email sent to our handler’s address deviated from its conventional role. Instead of obstructing automated tools from flagging the message as dubious, its objective was to enhance the email’s credibility in the eyes of the recipient.”

Given these evolving tactics, some malicious actors are clearly refining their strategies to develop more potent phishing attempts. Kopriva suggested that incorporating this nuance into phishing-awareness training sessions might be advantageous.