2024-07-29

While ZeroFont phishing attacks date back many years as a way for bad actors to get malicious emails through spam filters, ZeroFont phishing techniques and objectives continue to evolve.

Recently, for example, cybersecurity researchers have observed malicious hackers using updated twists on ZeroFont scams to target Microsoft 365 users.

How do ZeroFont attacks work?

Early ZeroFont attacks involved shrinking the font size in emails to zero to make telltale signs of spam invisible to email security scanners. This increased the likelihood the messages would successfully reach end users' inboxes.

In 2018, researchers from email security provider Avanan coined the term ZeroFont to describe a phishing campaign that targeted Microsoft's natural language processing (NLP) scanners. The attack worked by obscuring words that might indicate fraud, such as a signature that didn't match the sender's domain, with nonsense text that -- because it was set to zero pixels -- was invisible to the end user. So, for example, while the NLP scanner might see "llksdjflkjMicrosoftlkdjasf," the end user would see "Microsoft."

Three years later, Avanan found another ZeroFont attack that penetrated more than 1,000 email inboxes, most belonging to workers from the financial sector.

More recently, in late 2023, cybersecurity analyst Jan Kopřiva spotted a new ZeroFont attack in which the aim of the threat actors had evolved. Rather than tricking email scanners, the attackers used ZeroFont techniques to trick Microsoft Outlook users. Kopřiva outlined the attack in a SANS Internet Storm Center blog post, describing how an email message -- appearing to contain a possible job offer -- rendered differently in the inbox preview window than it did when the message was opened. Specifically, the message preview contained an official-appearing notation that it had been "scanned and secured," offering false assurance that the message was trustworthy and increasing the likelihood the user would engage with it. The phrase did not appear in the message body because it was set to a zero-pixel font size. The preview pane in Outlook, however, displayed all text at the beginning of the message, regardless of font size, color and transparency. According to Kopřiva, other email clients' preview functions work similarly.
The aim, as in all phishing emails, is to make the email compelling and credible enough that users engage with it, even if the sender is an unfamiliar or suspicious source. Then, the attacker can try to steal login credentials, access sensitive data or spread ransomware or other malware.
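As an added example (not code from the article or from the researchers it cites), a small Python check that a mail gateway or an analyst could run over an HTML email body: it separates text hidden by a zero font size from the text the recipient actually sees, and shows what a preview pane that ignores font size would display. The sample message, including the "[placeholder mail gateway]" string, is constructed to mirror the two tricks described above.

```python
import re
from html.parser import HTMLParser

# Inline style declaring a zero font size: "font-size:0", "font-size: 0px", "font-size:0.0pt; ...".
# Tiny but non-zero sizes are deliberately not matched; the article only covers zero.
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:!important)?\s*(?:;|$)",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr", "source"}


class ZeroFontScanner(HTMLParser):
    """Collect text chunks in document order, marking each as hidden (zero font) or visible."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []  # one bool per open element: is this subtree zero-font?
        self.chunks = []         # (text, is_hidden)

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return  # void elements open no subtree, so they must not push
        style = dict(attrs).get("style") or ""
        inherited = self._hidden_stack[-1] if self._hidden_stack else False
        self._hidden_stack.append(inherited or bool(ZERO_FONT_RE.search(style)))

    def handle_startendtag(self, tag, attrs):
        return  # "<br/>"-style tags: neither push nor pop

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        hidden = self._hidden_stack[-1] if self._hidden_stack else False
        self.chunks.append((data, hidden))


def analyze(html):
    """Return the text a content scanner reads, what the user sees, and what zero font hides."""
    parser = ZeroFontScanner()
    parser.feed(html)
    parser.close()
    return {
        "scanner_view": "".join(t for t, _ in parser.chunks),
        "visible": "".join(t for t, h in parser.chunks if not h),
        "hidden": "".join(t for t, h in parser.chunks if h),
    }


def preview_text(html, limit=80):
    """Mimic a preview pane that shows the first characters of all text regardless of font size."""
    return " ".join(analyze(html)["scanner_view"].split())[:limit]


def is_zero_font_abuse(html):
    """Flag a body that carries non-whitespace text the recipient cannot see."""
    return bool(analyze(html)["hidden"].strip())


# Constructed sample: a hidden "scanned" banner at the top plus nonsense padding around a brand name.
SAMPLE = (
    '<div style="font-size:0px">Scanned and secured by [placeholder mail gateway]. </div>'
    '<p><span style="font-size: 0">llksdjflkj</span>Microsoft'
    '<span style="font-size:0;">lkdjasf</span> recruiting team has a job offer for you.</p>'
)
```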