Cybercriminals could bypass phishing attacks protections and deliver malicious emails to the inboxes of their victims now exploiting a newly discovered vulnerability in Office 365. According to Avanan cloud security company, this cybersecurity problem consists in the use of zero-width spaces (ZWSPs) in the middle of malicious URLs within the emails’ RAW HTML.
Microsoft’s systems cannot recognize the URLs and Safe Links cannot protect users as those the URLs are already broken by this hacker technique.
But that's not all - zero-width spaces don’t render, and it makes the attack even more dangerous as the victim cannot notice the random special characters in the URL.
This vulnerability is not at all harmless as all Office 365 users are vulnerable to phishing attacks, even those who use Microsoft’s Office 365 Advanced Threat Protection. The new hacker attack manages to bypass both the URL reputation check and Safe Links protections.
“The vulnerability was discovered when we noticed a large number of hackers using zero-width spaces (ZWSPs) to obfuscate links in phishing emails to Office 365, hiding the phishing URL from Office 365 Security and Office 365 ATP,” Avanan’s cybersecurity experts say.
They also explain that ZWSPs are characters that render to spaces of zero-width, and can be considered as "empty space" characters. There are 5 ZWSPs: (Zero-Width Space), (Zero-Width Non-Joiner), (Zero-Width Joiner), (Zero-Width No-Break Space), and ０ (Full-Width Digit Zero).
Following current phishing attack champagne, “the Zero-Width Non-Joiner () is added to the middle of a malicious URL within the RAW HTML of an email,” Avanan adds. Therefore the email processing system cannot recognize the URL as legitimate and cannot apply protections.
The main goal of the current hacker campaign is to make the victims click on the malicious link in the e-mail, forwarding them to a credential stealing phishing site imitating a bank site. Avanan's cybersecurity experts have dubbed the new attack Z-WASP. In fact, it has evolved from previous attempts to bypass the Office 365 security - those were the baseStriker attack and ZeroFont attack.
Now, in their raw HTML form these zero-width spaces look like “a mishmash of numbers and special characters randomly inserted between the letters a word or a URL,” and they are invisible when rendered in the browser, thus making the URL to appear to be quite normal.
These ZWSPs are part of everyday Internet formatting, being used for formatting foreign languages, breaking long words at the end of a line and continuing them on the next line, fingerprinting articles and documents and etc.
This hacker attack's first wave with emails exploiting the flaw was detected on November 10. Last week, Microsoft released patches to fix the problem. However, as we all know, for users to be safe, they have to run the security updates right away and this is something not everyone does in time.