Have you recently received an email that includes tiny font? A phishing campaign involving tiny font is making its way around the web. The One Font campaign, as it’s known, targets O365 users. It relies on a variety of advanced obfuscation techniques designed to fool natural language processing (NLP) filters.
In September of this year, researchers with Avanan, a Check Point company, spotted the first signs of this phishing campaign. The name of the campaign, One Font, derives from the fact that the scheme hides text in one point font within malicious messages. This is an example of 8 point font- one point font is very very tiny.
One Font campaign details…
The One Font phishing campaign also includes emails using links coded within the <font> tag. When paired with other obfuscation techniques, this tactic can destroy the effectiveness of email filters that leverage NLP in their analyses, according to Jeremy Fuchs, a cyber security researcher with Avanan.
“This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing,” says Fuchs. “Natural language filters see random text; human readers see what the attackers want them to see.”
Phishers are also embedding links with the cascading style sheets (CSS) in their phishing messages; another tactic that confounds NLP filters.
Once malicious emails have made it past the NLP filters, the emails use typical phishing and engineering tactics. Attackers include a password expiration notice, which lures potential victims into clicking on malicious links. The links take users to fraudulent URLs, where a prompt advises individuals to type in their credentials. Then, bad actors pinch credentials and deploy them in nefarious activities.
The ZeroFont campaign: 2018
In 2018, researchers discovered the ZeroFont campaign, which uses similar methodologies to move past Microsoft’s NLP within the O365 suite. As the name suggests, the ZeroFont campaign inserted zero sized text into email messages. This fooled email scanners that depended on natural language processing in order to identify malicious content.
Hiding in the shadows
One Font is an evolved version of the ZeroFont campaign. How can we expect to see these types of campaigns evolve in the future? Avanan researchers have reported the inclusion of redirect tactics in these campaigns -such as meta refresh- which retain abilities to interrupt NLP and can bypass Microsoft SafeLinks.
Cyber security researchers have shown how specific phishing emails combined a cadre of tactics –specifically, hidden links in CSS and links inserted into the <font> tag and then reduced in size- to dupe natural language filters. Users tend not to notice these types of obfuscation techniques. As a result, they can inadvertently put an organization in danger.
Researchers recommend that organizations opt for a multi-tiered security solution. Such a solution should combine advanced artificial intelligence and machine learning, and include static layers, like domain and sender reputation screens. Implementing a security architecture that focuses on multiple factors in identifying and blocking malicious emails can help mitigate attacks. In addition, corporate users are encouraged to confirm content validity with an IT department ahead of clicking on questionable messages.