Microsoft’s phishing filter easily mislead by hidden text in emails

Posted 20 June 2018 23:56 CEST by Jan Willem Aldershoff

Security company Avanan reports that attackers have found a way to bypass Microsoft’s phishing filter. Cybercriminals use hidden words with a font-size of zero in the phishing mails, this means they are invisible to the receiver, but help to mislead the Microsoft filter.

(Demonstration of fiddling with the font-size. Credits Avanan)

Microsoft utilizes natural language processing to determine whether email content is legit. When e.g the email footer contains “© 2018 Apple Corporation. All rights reserved”, but the email isn’t coming from the apple.com domain, the email is flagged as fraudulent. Through natural language processing the context and intent of the text is interpreted and correlated to the sender.

By manipulating the font-size, it’s possible to trick the filter into reading other words than the actual receiver of the mail. That’s possible because Microsoft’s filter only reads the plain text content of the email, while users usually read the HTML version.


Related content


Comment on this news item