New Trick Lets Hackers Bypass Office 365 Email Security

By June 29, 2018 | June 3rd, 2022 | Cybersecurity

What’s old is new again.

Hackers have recently begun re-deploying a decade-old trick called ‘ZeroFont’ to get around Microsoft’s security filters and deliver phishing and spam emails to Office 365 email accounts.  The gimmick?  Zero-point fonts.

As anyone with even a passing familiarity with Office 365 knows, if you’re drafting a document, you can change the font size to suit your tastes and preferences.  What few people realize is that you can use HTML code to set your font to zero-point size.

Of course, such a move has no practical application in everyday usage, because no one could read a zero-point font.  Hackers, however, can make cunning use of it, and Office 365 is unable to detect the presence of zero-point fonts.  Since they’re not detected, they’re not marked as malicious and sail right through the security filters.
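One way a mail-filtering pipeline can surface zero-point text, shown as an added example that is not from the original article or from Microsoft's filters: parse the HTML body and separate text inside zero-size elements from the text a reader actually sees. The names `ZeroFontScanner` and `scan` and the sample body are constructed for illustration, and the sketch assumes well-formed HTML with inline `style` attributes only.

```python
import re
from html.parser import HTMLParser

# Matches font-size:0, 0px, 0pt, 0.0em ... but not 0.5em or 10px.
ZERO_FONT = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "wbr", "area", "col"}

class ZeroFontScanner(HTMLParser):
    """Splits an HTML body into text a reader sees and zero-size text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []    # one bool per open element: rendered at size zero?
        self.raw = []      # every text node (what plain tag-stripping yields)
        self.visible = []  # text outside zero-size elements
        self.hidden = []   # text inside zero-size elements

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:  # void elements never get an end tag
            return
        style = dict(attrs).get("style") or ""
        # Simplification: children of a zero-size element are treated as hidden.
        inherited = bool(self.stack and self.stack[-1])
        self.stack.append(inherited or bool(ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        in_zero = bool(self.stack and self.stack[-1])
        (self.hidden if in_zero else self.visible).append(data)

def scan(html_body):
    """Return the tag-stripped text, the reader-visible text, and hidden runs."""
    s = ZeroFontScanner()
    s.feed(html_body)
    s.close()
    return {"raw": "".join(s.raw), "visible": "".join(s.visible),
            "hidden": [h for h in s.hidden if h.strip()]}

# Constructed sample body, not taken from a real message.
SAMPLE = ('<p>Your <span style="font-size:0">qzx</span>pass'
          '<span style="FONT-SIZE: 0px">lorem</span>word expires today.</p>'
          '<p style="font-size:0.5em">Small print.</p>')

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A non-empty `hidden` list, or a `raw` string that differs from `visible`, is a signal worth scoring or quarantining on, and content rules should be evaluated against `visible` rather than `raw`.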

By itself, the zero-point trick is useful, but not inherently deadly.  Unfortunately, it can be combined with other tricks like Punycode, Unicode, or hexadecimal code to insert malicious commands into what appears to be a totally innocent email.

It gets better (or worse, depending on your point of view).  Just last month, researchers at a company called Avanan discovered that it was possible to use the HTML tag in an email or Office 365 document, point it at a malicious site, and the security filters would blithely ignore it.

Again, it should be noted that these tricks aren’t new.  They’ve been around for years, fell out of favor as newer techniques emerged, and are now being recycled.  Apparently, they’re so old that they skate right past modern security flags and filters.

Expect updates soon to catch these types of things, but in the short run, just be aware these types of attacks are not only possible, but trivial to execute.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over 20 years. He believes that having a great work environment and a supportive team is the ultimate key to success. During his more than 25 years in the IT realm, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor’s degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMware VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.