Microsoft’s phishing filter easily mislead by hidden text in emails

Security company Avanan reports that attackers have found a way to bypass Microsoft’s phishing filter. Cybercriminals use hidden words with a font-size of zero in the phishing mails, this means they are invisible to the receiver, but help to mislead the Microsoft filter.

Microsoft's phishing filter easily mislead by hidden text in emails

(Demonstration of fiddling with the font-size. Credits Avanan)

Microsoft utilizes natural language processing to determine whether email content is legit. When e.g the email footer contains “© 2018 Apple Corporation. All rights reserved”, but the email isn’t coming from the domain, the email is flagged as fraudulent. Through natural language processing the context and intent of the text is interpreted and correlated to the sender.


By manipulating the font-size, it’s possible to trick the filter into reading other words than the actual receiver of the mail. That’s possible because Microsoft’s filter only reads the plain text content of the email, while users usually read the HTML version.