Cyber-criminals are currently using a trick that allows them to bypass Microsoft's security filters and deliver spam and phishing emails to Office 365 email accounts.

Called ZeroFont, the technique is not new, being known for decades, and relies on interposing zero-width font characters inside normal text.

While a human reader will not see the zero-width characters, the entire text, including the hidden characters, will be visible to email security software.

The goal is to trick the email security system into thinking this is a giant block of rambling text, but show human recipients the "lure" of the phishing emails.

ZeroFont technique GIF

< span style="FONT-SIZE: 0px" >This is how you hide text with the ZeroFont technique < /span >

The technique has been known and used for years, and most email security systems will usually mark emails as suspicious if they contain text with zero-width settings.

Office 365 cannot detect zero-width fonts

But according to Avanan, a company specialized in cloud security, Microsoft's Office 365 platform does not mark these emails as malicious.

Avanan says ZeroFont is efficient mainly because of Microsoft's reliance on natural language processing to scan emails and determine if a message's content contains text-based indicators often found in phishing or fraud emails, such as requests for payments, various keywords, and more.

By inserting large quantities of hidden zero-width text inside an email's body, crooks are hiding these indicators from the Office 365 natural language processing engine, effectively drowning their "lure" in a sea of random words, which are invisible to the human eye, but not to Microsoft's system.

Avanan says it detected the ZeroFont technique currently being used in the wild, alongside other tricks that involve Punycode, Unicode, or Hexadecimal Escape Characters.

Last month, Avanan researchers also discovered that Office 365 was also not detecting links to phishing sites that were split into two parts using the < base > HTML tag.

Related Articles:

Microsoft Will Soon Send Your Office 365 Users Tips and Training Emails

Zoho Suspended by Domain Registrar Over Phishy Emails

Microsoft's Background Blur for Microsoft Teams is now Generally Available

Gmail Bugs Allow Changing From: Field and Spoofing Recipient's Address

Russian Banks Under Phishing Attack