Researchers Discover Microsoft 365 Anti-Phishing Feature Bypass -- Redmondmag.com

Researchers Discover Microsoft 365 Anti-Phishing Feature Bypass

By Chris Paoli
08/07/2024

Security researchers are warning that attackers can bypass Microsoft 365's phishing alert feature through the use of specially crafted emails.

Security consulting firm Certitude said that the issue is with Microsoft's "first contact safety tip" security feature. How it's supposed to work is that when a possible phishing email is identified, either by being the first time a message is received from a new recipient or by receiving a message from a recipient that doesn't often send messages, Windows will alert the user that the message may be malicious.

What Certitude discovered is that with a simple change to an unwanted email's HTML, the first contact safety tip warning can be hidden from the recipient." Although applying some more common CSS rules such as [display: none, height: 0px, and opacity: 0] to the table itself doesn't seem to work (either due to the inline CSS in the elements, or due to lack of support by the rendering engine Outlook uses), it is possible to change the background and font colors to white so that the alert is effectively invisible when rendered to the end user viewing the email," said Certitude.

Certitiude provided a proof of concept by inserting the following HTML code in an email:

<head>

  </head>

<head> 

<style>

a 

{ display: none; 

}

td div { 

color: white; 

font-size: 0px; 

} 

table tbody tr td { 

background-color: white !important; 

color: white !important; } 

</style>

</head> 

...[SNIP]...

With that inserted, the anti-phishing message at the top of a suspicious email is not visible to the receiver.

Certitiude said that this technique, coupled with additional HTML manipulation, could lead to an increase in successful phishing attacks. It went on to demonstrate how the body of an email can further be manipulated to designate an email as encrypted or signed, which may lull a user into a false sense of security.

After discovering this bypass, Certitude reached out to disclose the hole to Microsoft. The company responded that, while it doesn't refute the issue, it currently has no plans to address it:

"We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks. However, we have still marked your finding for future review as an opportunity to improve our products."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Dell Trims Sales Staff in AI-Focused Reorg

Enterprise IT giant Dell is poised to lay off thousands of workers, mostly in its sales units, in an AI-focused reorganization.
Researchers Discover Microsoft 365 Anti-Phishing Feature Bypass

Security researchers are warning that attackers can bypass Microsoft 365's phishing alert feature through the use of specially crafted emails.
'Google Is a Monopolist,' Court Rules in Landmark Search Antitrust Trial

In a major victory for U.S. antitrust regulators, a federal court on Monday ruled that Google used anti-competitive practices to secure and maintain a monopoly in the Internet search and advertising markets.
Breaking Down Continuous Threat Exposure Management

Being proactive is key to keeping your enterprise safe and your data secure. Learn more about Continuous Threat Exposure Management, and what it can do for your network.
Intel Prepares To Lay Off 15 Percent of Workforce

After a disappointing earnings report, Intel, long considered a bellwether of the enterprise tech industry, is taking drastic cost-cutting measures.