article featured image


A new Business Email Compromise (BEC) operation aimed at Microsoft 365 consumers employs a variety of highly developed obfuscation techniques in phishing emails that can trick natural language processing filters and go unnoticed by users.

The operation, called One Font because of the way it conceals text in a one-point font size within mails, was initially spotted in September by cybersecurity researchers at email security firm Avanan.

According to a report issued by the researchers, threat actors are also hiding links within the Cascading Style Sheets (CSS) in their phishing emails.

This is yet another strategy used to baffle natural language filters such as Microsoft’s Natural Language Processing (NLP).

Cybersecurity specialist Jeremy Fuchs stated that the One Font operation also includes messages with links coded within the font> tag, and when combined with the other obfuscation tactics, reduces the potency of email filters that rely on natural language for evaluation.

This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Natural language filters see random text; human readers see what the attackers want them to see.


A Similar Campaign Was Discovered in 2018

In 2018, researchers identified a similar operation dubbed ZeroFont, which employed similar approaches to evade Microsoft NLP in its Office 365 security solutions.

According to them, just like ZeroFont, One Font attacks Office 365 enterprises, an action that can result in BEC attacks, and eventually damage the company’s network if the emails aren’t detected and users are deceived into handing over their passwords.

The Campaign Explained

Once it reaches mailboxes and makes users believe that is an authentic message, the One Font campaign employs standard phishing social-engineering techniques to capture their attention.

Then, the threat actors present what appears to be a password-expiration notification, using urgent messaging to entice the target to click on a malicious link.

The fraudulent link, according to Avanan analysts, directs victims to a phishing website where they appear to be typing their credentials in order to update their passwords. Instead, cybercriminals steal their credentials to use them for malicious purposes.

What Should Organizations Do?

According to Jeremy Fuchs, because end-users are unlikely to notice such obfuscation tactics, marking such emails as suspicious can be challenging.

He added that in order to avoid these attacks, businesses are advised to use a multi-tiered security solution that integrates highly developed artificial intelligence and machine learning, as well as static layers like domain and sender reputation.

Using a cybersecurity strategy that relies on multiple factors to restrict an email and needing corporate users to verify with an IT department before interacting with any email that requests a password update can also help minimize attacks.

How Can Heimdal™ Help You?

Heimdal Security has developed two email security software aimed against both simple and sophisticated email threats (Heimdal™ Email Security), which detects and blocks malware, spam emails, malicious URLs, and phishing attacks and Heimdal™ Email Fraud Preventiona revolutionary email protection system against employee impersonation, fraud attempts – and BEC, in general.

For example, you may want to consider Heimdal Security’s Heimdal™ Email Fraud Prevention, the ultimate email protection against financial email fraud, C-level executive impersonation, phishing, insider threat attacks, and complex email malware. How does it work? By using over 125 vectors of analysis and being fully supported by threat intelligence, it detects phraseology changes, performs IBAN/Account number scanning, identifies modified attachments, malicious links, and Man-in-the-Email attacks. Furthermore, it integrates with O365 and any mail filtering solutions and includes live monitoring and alerting 24/7 by our specialists.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *