Security researchers found a method to bypass the anti-phishing features of Microsoft 365, formerly Office 365, increasing the chances of users opening malicious emails.
The method alters the ‘First Contact Safety Tip’, an anti-phishing measure that alerts Outlook recipients when they receive an email from an unfamiliar address. The feature normally displays a message that states, “You don’t often get email from abc@example.com.”
Research conducted by William Moody and Wolfgang Ettlinger of Certitude concluded that the displayed message could be altered via CSS (Cascading Style Sheets) style tags as the message is added to the body of an HTML email and provided proof-of-concept. Through CSS embedded in the email, the message can be completely hidden while the email preview still includes the safety tip.
The HTML code provided by Certitude, which is not reproduced here, consists of three CSS rules placed in the email's style sheet; together they make the message invisible to the person viewing the email:
The function of each rule is as follows:
- a { display: none; }: Hides any anchor (<a>) tags, so the tip is not shown when it includes a link.
- td div { color: white; font-size: 0px; }: Sets the text colour to white and the font size to 0px, which makes the text effectively invisible.
- table tbody tr td { background-color: white !important; color: white !important; }: Forces both the background and the text of table cells to white, so the tip's background and text are hidden.
When an email is sent to a new recipient after the above CSS is used, the alert does not appear on the body of the email. After the company created a proof-of-concept and prepared an advisory for Microsoft, it conveyed the findings via the Microsoft Researcher Portal.
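The same three rules can be turned into a mail-gateway check. The following script is an added example, not code from Certitude or the article: it extracts the CSS rules from an HTML email's style blocks and flags the patterns described above (anchors set to display:none, zero font sizes, and white text or white-on-white in table cells). The two sample messages are constructed for this example; the function names and the scoring are assumptions, not part of any Microsoft or Certitude tooling.

```python
import re

# Constructed sample: an HTML email whose <style> block carries the three rules
# described in the article (built here for illustration only).
SUSPICIOUS_EMAIL = """
<html><head><style>
  a { display: none; }
  td div { color: white; font-size: 0px; }
  table tbody tr td { background-color: white !important; color: white !important; }
</style></head>
<body><table><tbody><tr><td><div>Hello</div></td></tr></tbody></table></body></html>
"""

# Constructed sample: an ordinary newsletter-style message with harmless styling.
BENIGN_EMAIL = """
<html><head><style>
  body { font-family: Arial; color: #222; }
  a { color: #0066cc; }
</style></head><body><p>Quarterly report attached.</p></body></html>
"""

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
# Colour spellings treated as "white" for the white-on-white check.
WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)", "rgb(255, 255, 255)"}
# Selector contains a bare "a" element (e.g. "a", "a.link", "td a").
ANCHOR_SEL_RE = re.compile(r"(^|[\s>+~,])a(\b|$)")


def parse_rules(html):
    """Return a list of (selector, {property: value}) pairs from every <style> block.

    Values are lower-cased and stripped of '!important' so they compare cleanly.
    """
    rules = []
    for sheet in STYLE_RE.findall(html):
        for selector, body in RULE_RE.findall(sheet):
            decls = {}
            for decl in body.split(";"):
                if ":" not in decl:
                    continue
                prop, value = decl.split(":", 1)
                value = value.strip().lower().replace("!important", "").strip()
                decls[prop.strip().lower()] = value
            rules.append((" ".join(selector.split()).lower(), decls))
    return rules


def _is_zero(value):
    """True for '0', '0px', '0.0em' and similar zero-length font sizes."""
    return re.fullmatch(r"0(\.0+)?(px|pt|em|rem|%)?", value or "") is not None


def find_hiding_rules(html):
    """Return human-readable findings for CSS rules that hide or blank out text."""
    findings = []
    for selector, d in parse_rules(html):
        if ANCHOR_SEL_RE.search(selector) and d.get("display") == "none":
            findings.append(f"'{selector}' hides anchor tags (display:none)")
        if _is_zero(d.get("font-size")):
            findings.append(f"'{selector}' collapses text (font-size:0)")
        in_table = "td" in selector.split() or "table" in selector.split()
        if d.get("color") in WHITE and in_table:
            background = d.get("background-color") or d.get("background")
            if background in WHITE:
                findings.append(f"'{selector}' renders white-on-white in table cells")
            else:
                findings.append(f"'{selector}' sets white text in table cells")
    return findings


def classify(html, threshold=2):
    """Assumed policy: two or more hiding rules in one message mark it for review."""
    return "review" if len(find_hiding_rules(html)) >= threshold else "clean"


if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, classify(mail))
        for line in find_hiding_rules(mail):
            print("  -", line)
```

The check is deliberately coarse: a single white-text rule is common in legitimate templates, so the score only trips when several of the hiding patterns appear together, and the findings are meant to feed a mail filter or a SOC triage queue rather than to block outright.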
Microsoft responded to the analysts that the finding was valid but did not meet its bar for immediate servicing and patching, as the flaw mainly applies to phishing threats. It added that the finding had been marked for future review.
The analysts further found that Outlook icons added to encrypted and/or signed emails can also be changed using the same method. The First Contact Safety Tip is one of the many anti-phishing features available in Exchange Online Protection and Microsoft Defender for organisations working with Microsoft 365.