What’s old is new again.
Hackers have recently begun re-deploying a decade-old trick called ‘ZeroFont’ to get around Microsoft’s security filters and deliver phishing and spam emails to Office 365 email accounts. The gimmick? Zero-point fonts.
As anyone with even passing familiarity to Office 365 knows, if you’re drafting a document, you can change the font size to suit your tastes and preferences. What few people realize is that you can use html code to set your font to zero-point size.
Of course, such a move has no practical application in everyday usage, because no one could read a zero-point font. Hackers, however, can make cunning use of it, and Office 365 is unable to detect the presence of zero-point fonts. Since they’re not detected, they’re not marked as malicious and sail right through the security filters.
By itself, the zero-point trick is useful, but not inherently deadly. Unfortunately, it can be combined with other tricks like Punycode, Unicode, or Hexidecimal code to insert malicious commands into what appears to be a totally innocent email.
It gets better (or worse, depending on your point of view). Just last month, researchers at a company called Avanan discovered that it was possible to use the < base > HTML tag in an email or Office 365 document, point it at a malicious site, and the security filters would blithely ignore it.
Again, it should be noted that these tricks aren’t new. They’ve been around for years, fell out of favor in preference for newer techniques, and now are being recycled. Apparently, they’re so old that they skate right past modern security flags and filters.
Expect updates soon to catch these types of things, but in the short run, just be aware these types of attacks are not only possible, but trivial to execute.