
Beware! Phishing Email Campaign Uses Tiny Fonts to Bypass Protection


Security researchers with Avanan, a part of the CheckPoint Security family, discovered a recent phishing email campaign targeting business emails. The phishing emails were using a novel technique to get around automated protection filters.

Avanan registered the campaign's activity back in September 2021. This particular effort attempted to compromise Microsoft 365 user accounts and used multiple methods to obfuscate the malicious components of the messages.

The security team named the campaign OnePoint because it hides text strings in the body of the emails using a font that renders as a single pixel per letter on screen, making the text virtually invisible.

Another obfuscation tactic in the phishing emails was nesting malicious links inside the CSS component of the emails. This nesting and obfuscation managed to confuse natural language filters, such as Microsoft's own NLP ("natural language processing") technology.

Malicious links are also embedded inside HTML font tags in the campaign's emails. This further masks the malicious content and confuses the automated filters.

The company that detected this September 2021 campaign also spotted a similar one three years ago, when bad actors were using zero-size fonts that never show up on the user's screen, not even as a single row of pixels.
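A defender-side check for the tricks described above (one-point or zero-size text, links inside CSS, links on font tags), as an added example that is not from Avanan or the original article. It assumes font sizes are set through inline `style` attributes and that links appear as literal http(s) strings; the sample body, the `.invalid` host and the 1px/1pt threshold are constructed for illustration.

```python
import re
from html.parser import HTMLParser

FONT_SIZE = re.compile(r"font-size\s*:\s*(\d*\.?\d+)\s*([a-z%]*)", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def is_tiny(style):
    """True if font-size is 0 or <= 1px/1pt (assumed threshold); None if unset."""
    if not (m := FONT_SIZE.search(style)):
        return None
    value, unit = float(m.group(1)), m.group(2).lower()
    return value == 0 or (unit in ("px", "pt") and value <= 1)

class TinyFontScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []  # (tag, hidden) for each open element
        self.hidden, self.visible, self.urls = [], [], []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        # Flag URLs in inline CSS, or in any attribute of a <font> tag.
        scope = " ".join(v or "" for _, v in attrs) if tag == "font" else style
        self.urls += URL.findall(scope)
        tiny = is_tiny(style)
        inherited = bool(self.stack) and self.stack[-1][1]
        self.stack.append((tag, inherited if tiny is None else tiny))

    def handle_endtag(self, tag):
        # Pop through unclosed children such as <br>; ignore stray end tags.
        while tag in dict(self.stack) and self.stack.pop()[0] != tag:
            pass

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "style":
            self.urls += URL.findall(data)  # URL inside a <style> block
        elif data.strip():
            hidden = self.stack and self.stack[-1][1]
            (self.hidden if hidden else self.visible).append(data.strip())

def scan(html):
    s = TinyFontScanner()
    s.feed(html)
    s.close()
    return {"hidden": s.hidden, "visible": " ".join(s.visible), "urls": s.urls}

SAMPLE = (  # constructed body; the .invalid host and markup layout are made up
    '<style>.b{background:url(https://login.example.invalid/a)}</style>'
    '<p style="font-size:12px">Password expires soon.<span style="font-size:1px">filler one</span></p>'
    '<font face="https://login.example.invalid/b">Update now</font><p style="font-size:0">filler two</p>'
)
```

Running `scan(SAMPLE)` separates the text a reader would see from the text only a filter would see, and lists links found outside the usual `href` position.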

The hook used in the OnePoint phishing campaign is a fake "your password is about to expire" message. The victim is then lured into entering their credentials into fake login forms, which simply funnel the entered login data to the bad actors' servers.

As a defense against similar attacks that use novel obfuscation techniques, security researchers recommend adding a secondary, machine-learning AI layer of security on top of any natural language filters.
