A phishing tactic that hides text from the person reading an email while leaving it in place for the mail client's preview pane has been spotted in the wild, and it works precisely because most recipients do not know it exists.
The technique, known as ZeroFont, is not new in itself: students have long used zero-size text to pad the word count of essays, and phishing emails that use it to slip past content filters have been documented since 2018. What is new in this case is that the hidden text is aimed at the recipient rather than at the filter.
SANS Internet Storm Center (ISC) handler Jan Kopriva described the variant in a recent analysis. He notes that its impact is minor, but that it is one more way to make a phishing message look trustworthy, particularly to recipients who are unaware of the trick.
ZeroFont, as its name suggests, hides words or whole passages in an HTML email by setting their font size to zero. The text is still part of the message body, so anything that parses the HTML, including content filters and Natural Language Processing (NLP) classifiers, reads it; a human looking at the rendered message does not see it at all.
The classic use targets the way email security products analyze content: mixing invisible, benign-looking words into a visible malicious message gives a classifier that reads the text as a whole a misleading picture, so the message can score as legitimate.
One malicious email noted by Kopriva used ZeroFont differently, to manipulate the message preview shown in the inbox listing of several mail clients, including Microsoft Outlook. The preview displayed a supposed notice asserting that the email had been "scanned and secured" by a well-known security tool.
When the message is opened, however, the reader sees only its visible opening line, "Job Offer | Employment Opportunity." The fake scan notice sits at the very start of the body in a zero-size font, so it is hidden in the rendered message but is picked up by the listing pane, which builds its preview from the message text without regard to font size, and it remains readable to any NLP or AI-based filter that parses the body.
Such tactics lend a false sense of legitimacy and security, baiting recipients into engaging with harmful emails. Kopriva observed the behaviour in Outlook, but any mail client that generates its preview text from the raw message body without honoring font size would be affected in the same way.
"Although it is a technique with only minor impact, it might still confuse some recipients into believing that a phishing message is trustworthy – especially if the text displayed in the 'listing window' was well chosen," wrote Kopriva in his ISC diary entry.
"It is, in any case, one more small addition to the threat actor toolbox which may be used to create more effective phishing campaigns, and it is therefore certainly good for us – as defenders – to be aware of it…"
With phishing campaigns continually evolving, it remains critical for individuals and organizations to stay informed of the latest tactics and to maintain a vigilant approach to email security. On the technical side, mail security products can flag messages that carry non-empty text at font-size zero, and mail clients can close the gap by generating previews from the rendered text rather than from the raw message body.