Email Filters Duped by Tiny Font Size in BEC Phishing Attacks
The One Font BEC Operation Targets Microsoft 365 Users and Employs Advanced Obfuscation Strategies to Avoid Security Solutions.
A new Business Email Compromise (BEC) operation aimed at Microsoft 365 users employs a variety of highly developed obfuscation techniques in phishing emails that can trick natural language processing filters and go unnoticed by users.
The operation, called One Font because of the way it conceals text in a one-point font size within emails, was initially spotted in September by cybersecurity researchers at email security firm Avanan.
According to a report issued by the researchers, threat actors are also hiding links within the Cascading Style Sheets (CSS) in their phishing emails.
This is yet another strategy used to baffle natural language filters such as Microsoft’s Natural Language Processing (NLP).
Cybersecurity specialist Jeremy Fuchs stated that the One Font operation also includes messages with links coded within the <font> tag, which, when combined with the other obfuscation tactics, reduces the potency of email filters that rely on natural language for evaluation.
This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Natural language filters see random text; human readers see what the attackers want them to see.
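The following Python example is added here for illustration and is not code from Avanan's report: it splits an HTML email body into the text a reader sees and the text styled at a tiny font size, so a filter can score the visible message on its own. It assumes the size is set in inline style attributes; the 1pt/1px threshold, the function names and the sample message are constructed for this example.

```python
import re
from html.parser import HTMLParser

TINY_MAX = 1.0  # assumption: text at or below 1pt/1px is unreadable to a person
# Absolute sizes only (pt, px, or a bare 0); relative units such as em or % are ignored.
FONT_SIZE = re.compile(r"font-size\s*:\s*([0-9]*\.?[0-9]+)\s*(?:pt|px)?(?![a-z%0-9.])", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # elements with no end tag

class TinyFontSplitter(HTMLParser):
    """Separate the text a reader sees from text styled at a tiny font size."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        m = FONT_SIZE.search(dict(attrs).get("style") or "")
        inherited = self.stack[-1] if self.stack else False
        # An explicit size overrides the parent; otherwise the state is inherited.
        self.stack.append(float(m.group(1)) <= TINY_MAX if m else inherited)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()  # assumes well-nested markup

    def handle_data(self, data):
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(data)

def split_text(html):
    """Return (visible_text, hidden_text) with whitespace normalised."""
    p = TinyFontSplitter()
    p.feed(html)
    p.close()
    visible = " ".join("".join(p.visible).split())
    hidden = " ".join(" ".join(p.hidden).split())
    return visible, hidden

def hidden_ratio(html):
    """Share of body characters hidden from the reader; a scoring signal, not a verdict."""
    visible, hidden = split_text(html)
    total = len(visible) + len(hidden)
    return len(hidden) / total if total else 0.0

# Constructed sample body (not taken from the campaign).
SAMPLE = ('<div style="font-size:12pt">Your pass'
          '<span style="font-size:1pt">quarterly picnic menu</span>'
          'word expires today. '
          '<span style="font-size:1px">spring sale on garden chairs</span>'
          'Sign in to keep access.</div>')
```

On the sample, a filter that reads every text node sees the two filler phrases spliced into the sentence, while `split_text` returns the password-expiry message the reader actually sees, and `hidden_ratio` reports that roughly half of the body is invisible.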
A Similar Campaign Was Discovered in 2018
In 2018, researchers identified a similar operation dubbed ZeroFont, which employed similar approaches to evade Microsoft NLP in its Office 365 security solutions.
According to the researchers, One Font, just like ZeroFont, attacks Office 365 enterprises, which can result in BEC attacks and eventually damage the company’s network if the emails aren’t detected and users are deceived into handing over their passwords.
The Campaign Explained
Once it reaches mailboxes and makes users believe that it is an authentic message, the One Font campaign employs standard phishing social-engineering techniques to capture their attention.
Then, the threat actors present what appears to be a password-expiration notification, using urgent messaging to entice the target to click on a malicious link.
The fraudulent link, according to Avanan analysts, directs victims to a phishing website where they believe they are entering their credentials in order to update their passwords. Instead, cybercriminals steal their credentials to use them for malicious purposes.
What Should Organizations Do?
According to Jeremy Fuchs, because end-users are unlikely to notice such obfuscation tactics, marking such emails as suspicious can be challenging.
He added that in order to avoid these attacks, businesses are advised to use a multi-tiered security solution that integrates highly developed artificial intelligence and machine learning, as well as static layers like domain and sender reputation.
Using a cybersecurity strategy that relies on multiple factors to restrict an email, and requiring corporate users to verify with an IT department before interacting with any email that requests a password update, can also help minimize attacks.
How Can Heimdal™ Help You?
Heimdal Security has developed two email security products aimed at both simple and sophisticated email threats: Heimdal™ Email Security, which detects and blocks malware, spam emails, malicious URLs, and phishing attacks, and Heimdal™ Email Fraud Prevention, a revolutionary email protection system against employee impersonation, fraud attempts, and BEC in general.
For example, you may want to consider Heimdal Security’s Heimdal™ Email Fraud Prevention, the ultimate email protection against financial email fraud, C-level executive impersonation, phishing, insider threat attacks, and complex email malware. How does it work? By using over 125 vectors of analysis and being fully supported by threat intelligence, it detects phraseology changes, performs IBAN/Account number scanning, identifies modified attachments, malicious links, and Man-in-the-Email attacks. Furthermore, it integrates with O365 and any mail filtering solutions and includes live monitoring and alerting 24/7 by our specialists.