Microsoft 365 Flaw: Hackers Bypass Anti-phishing Protection

Microsoft 365 utilizes Exchange Online Protection (EOP) and Microsoft Defender to combat phishing attacks. One such measure is the First Contact Safety Tip in Outlook, which alerts users about receiving emails from unfamiliar addresses. 

It aims to raise awareness of potential phishing attempts, as security researchers have identified vulnerabilities that could allow malicious actors to bypass these anti-phishing measures. 

The First Contact Safety Tip, positioned at the beginning of an HTML email, can be manipulated visually through the application of CSS style tags. 

By embedding CSS directly within the email’s code, developers can modify the tip’s appearance, potentially affecting its prominence or clarity and potentially compromising its intended safety function. 

An experiment to conceal the First Contact Safety Tip within an HTML email has demonstrated that standard CSS techniques like `display: none` and `opacity: 0` are ineffective against Outlook’s rendering engine. 

By manipulating the background and font colors of the alert table to white, the safety tip becomes visually indistinguishable from the email’s background, effectively hiding it from the user and highlighting a potential vulnerability in Outlook’s email security measures. 

The HTML code effectively conceals an alert within an email by employing CSS to hide anchor elements, render table cell content invisible through zero font size and white text, and override table background and text colors to white, preventing the alert from being visually displayed in the email body. 

It demonstrates a phishing technique to mimic legitimate email encryption and signing indicators. By embedding custom HTML and base64 encoded images within an email, attackers can forge the appearance of Microsoft Outlook’s security badges, such as those indicating encryption and digital signatures. 

The use of the `mainTable` element with the `z-index` property, custom styling for the `signedBy` class, and positioning of `badge` elements are intended to create a visually convincing imitation of the genuine security indicators.

To avoid breaking text spoofing attempts in Outlook, the period character at the end of an email address should be replaced with a Unicode character that is not classified as a period because Outlook will automatically detect a regular period (U+002E) followed by an email address and convert it into a mailto link, altering the original text.  

Phishing attacks exploit user susceptibility by mimicking legitimate emails. While formatting discrepancies might alert some users, a single successful deception is sufficient for adversaries to compromise organizational security. Effective countermeasures necessitate robust email authentication and user education to mitigate these risks. 

According to Certitude, a proof-of-concept that demonstrates a potential vulnerability was sent to Microsoft through the Microsoft Security Response Center (MSRC). 

While the finding was validated as exploitable, primarily in phishing scenarios, Microsoft deemed it insufficiently critical for immediate patching, which has been logged for potential future remediation as part of broader product improvement efforts. 

Also Read:

• Hackers Can Steal Your Passwords Through HDMI Cables
• RHADAMANTHYS Weaponizes RAR Archives to Steal Your Logins