
Researchers Discover Microsoft 365 Anti-Phishing Feature Bypass

Security researchers are warning that attackers can bypass Microsoft 365's phishing alert feature through the use of specially crafted emails.

Security consulting firm Certitude said that the issue is with Microsoft's "First Contact Safety Tip" feature. How it's supposed to work is that when a message arrives from a sender the recipient has never received mail from before, or from a sender who rarely emails them, Outlook shows a notice at the top of the message warning that it may be suspicious.

What Certitude discovered is that, because the safety tip is rendered as an HTML table inside the message body, a simple addition to an unwanted email's HTML can hide the warning from the recipient. "Although applying some more common CSS rules such as [display: none, height: 0px, and opacity: 0] to the table itself doesn't seem to work (either due to the inline CSS in the elements, or due to lack of support by the rendering engine Outlook uses), it is possible to change the background and font colors to white so that the alert is effectively invisible when rendered to the end user viewing the email," said Certitude.

Certitude provided a proof of concept by inserting the following HTML code in an email (reproduced as published; the comments describing what each rule does to the safety tip table are added here):

<head>
</head>
<head>
<style>
/* Hide every link in the message, including any link inside the tip */
a
{ display: none;
}
/* Make text inside table cells white and zero-sized */
td div {
color: white;
font-size: 0px;
}
/* White text on a white cell; !important overrides the inline styles on the tip's elements */
table tbody tr td {
background-color: white !important;
color: white !important; }
</style>
</head>
...[SNIP]...

With that inserted, the anti-phishing message at the top of a suspicious email is not visible to the receiver.
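Because the tip lives inside the message HTML, a defender can look for the attacker-side pattern rather than trying to reproduce Microsoft's tip markup. The following script is an added example, not code from Certitude, Microsoft, or this article: it pulls the rules out of every <style> block in an inbound message and flags the three patterns the proof of concept relies on (a blanket rule hiding all links, zero font size inside table cells, and white text on a white table cell). The function names, the WHITE colour set, and the two sample messages are constructed for illustration; the malicious sample uses the CSS quoted above.

```python
"""Heuristic check for CSS that tries to hide Outlook's First Contact Safety Tip.

Added example (not Certitude's or Microsoft's code). The tip is rendered as an
HTML table inside the message body, so a sender-controlled <style> block can
restyle it. Instead of guessing Microsoft's exact tip markup, inspect the
sender's CSS for the patterns the published proof of concept uses.
Function names, WHITE, and the sample messages are constructed.
"""
import re
from html.parser import HTMLParser

# Colour spellings treated as white (assumed set; extend for your environment).
WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}
TABLE_TAGS = {"table", "tbody", "tr", "td", "th"}


class _StyleCollector(HTMLParser):
    """Gather the raw text of every <style> element in the document."""

    def __init__(self):
        super().__init__()
        self._in_style = False
        self.blocks = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
            self.blocks.append("")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.blocks[-1] += data


def extract_rules(html):
    """Return [(selector, {property: value}), ...] from all <style> blocks.

    A deliberately small CSS parser: plain rule sets only, no nested at-rules.
    """
    collector = _StyleCollector()
    collector.feed(html)
    rules = []
    for css in collector.blocks:
        css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # drop CSS comments
        for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
            decls = {}
            for decl in body.split(";"):
                if ":" in decl:
                    prop, value = decl.split(":", 1)
                    decls[prop.strip().lower()] = " ".join(value.split()).lower()
            rules.append((" ".join(selector.split()).lower(), decls))
    return rules


def _colour(value):
    """Normalise a colour value, discarding !important and whitespace."""
    return value.replace("!important", "").replace(" ", "")


def safety_tip_hiding_findings(html):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for selector, decls in extract_rules(html):
        tokens = selector.replace(">", " ").replace(",", " ").split()
        targets_table = any(t in TABLE_TAGS for t in tokens)
        # Pattern 1: every link in the message hidden outright.
        if selector == "a" and decls.get("display", "").startswith("none"):
            findings.append(f"'{selector}' hides every link in the message")
        # Pattern 2: text inside table cells shrunk to nothing (0, 0px, 0em ...).
        size = decls.get("font-size", "").replace("!important", "").strip()
        if targets_table and re.fullmatch(r"0(\.0+)?(px|pt|em|rem|%)?", size):
            findings.append(f"'{selector}' sets font-size to 0 inside table cells")
        # Pattern 3: white-on-white table cell, which is what blanks the tip.
        if (targets_table and _colour(decls.get("color", "")) in WHITE
                and _colour(decls.get("background-color", "")) in WHITE):
            findings.append(f"'{selector}' forces white text on a white table cell")
    return findings


# Constructed sample: the proof-of-concept CSS wrapped in a minimal body.
MALICIOUS_HTML = """<html><head><style>
a
{ display: none;
}
td div {
color: white;
font-size: 0px;
}
table tbody tr td {
background-color: white !important;
color: white !important; }
</style></head><body><p>Your mailbox is full, click the link below.</p></body></html>"""

# Constructed sample: an ordinary newsletter that styles links and tables legitimately.
BENIGN_HTML = """<html><head><style>
/* brand colours */
a { color: #0066cc; text-decoration: underline; }
table td { padding: 8px; font-size: 0.9em; color: #333333; background-color: #ffffff; }
</style></head><body><table><tr><td>Monthly update</td></tr></table></body></html>"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_HTML), ("malicious", MALICIOUS_HTML)):
        hits = safety_tip_hiding_findings(sample)
        print(f"{name}: {'SUSPICIOUS' if hits else 'clean'}")
        for hit in hits:
            print("  -", hit)
```

This is a heuristic, not a parser of Outlook's rendering: it only sees <style> blocks, so the same effect achieved through inline style attributes or through a differently spelt colour would need extra rules. It is best used as one scoring signal in mail-flow filtering, with the white-on-white table rule weighted highest, since that is the one the proof of concept depends on.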

Certitude said that this technique, coupled with additional HTML manipulation, could lead to an increase in successful phishing attacks. It went on to demonstrate how the body of an email can be further manipulated to present the message as encrypted or signed, which may lull a user into a false sense of security.

After discovering this bypass, Certitude reported the issue to Microsoft. The company responded that, while it accepts the finding as valid, it currently has no plans to address it:

"We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks. However, we have still marked your finding for future review as an opportunity to improve our products."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
