The Cloud Consultancy Europe Ltd.

A new Business Email Compromise (BEC) operation aimed at Microsoft 365 consumers employs a variety of highly developed obfuscation techniques in phishing emails that can trick natural language processing filters and go unnoticed by users.

The operation, called One Font because of the way it conceals text in a one-point font size within mails, was initially spotted in September by cybersecurity researchers at email security firm Avanan.

According to a report issued by the researchers, threat actors are also hiding links within the Cascading Style Sheets (CSS) in their phishing emails.

This is yet another strategy used to baffle natural language filters such as Microsoft’s Natural Language Processing (NLP).

Cybersecurity specialist Jeremy Fuchs stated that the One Font operation also includes messages with links coded within the <font> tag, which, when combined with the other obfuscation tactics, reduces the effectiveness of email filters that rely on natural language for evaluation.
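As an added illustration (not code from Avanan or from the original article), the Python below parses an HTML email body the way a defender's filter could: it separates text set at a one-point (or smaller) font size from the text a reader actually sees, and lists links that are wrapped in <font> tags. The 2pt threshold, the constructed sample message and the example.invalid URL are assumptions.

```python
import re
from html.parser import HTMLParser

TINY_FONT_PT = 2.0  # assumption: text at 2pt or smaller is invisible to the reader
_FONT_SIZE_RE = re.compile(r'font-size\s*:\s*([\d.]+)\s*(pt|px)', re.I)

def _font_size_pt(style):
    """Return the font-size in points declared in an inline style, or None."""
    m = _FONT_SIZE_RE.search(style or '')
    if not m:
        return None
    value, unit = float(m.group(1)), m.group(2).lower()
    return value * 0.75 if unit == 'px' else value  # 1px == 0.75pt at 96 dpi

class OneFontScanner(HTMLParser):
    """Separates tiny-font text from readable text and records links inside <font> tags."""
    def __init__(self):
        super().__init__()
        self.stack = []  # (tag, effective font size in pt or None) per open element
        self.hidden, self.visible, self.font_links = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        size = _font_size_pt(a.get('style'))
        if size is None and self.stack:
            size = self.stack[-1][1]  # inherit the enclosing element's size
        if tag == 'a' and a.get('href') and any(t == 'font' for t, _ in self.stack):
            self.font_links.append(a['href'])
        self.stack.append((tag, size))

    def handle_endtag(self, tag):
        while self.stack and self.stack.pop()[0] != tag:
            pass  # unwind past unclosed void elements such as <br>

    def handle_data(self, data):
        text = data.strip()
        size = self.stack[-1][1] if self.stack else None
        if text:
            (self.hidden if size is not None and size <= TINY_FONT_PT else self.visible).append(text)

def scan_email_html(html):
    """Return hidden text, visible text and <font>-wrapped links for one HTML email body."""
    p = OneFontScanner()
    p.feed(html)
    p.close()
    return {'hidden': p.hidden, 'visible': p.visible, 'font_links': p.font_links}
# Constructed sample in the campaign's style: 1pt junk text in the lure, link wrapped in <font>.
SAMPLE = ('<html><body><p>Your <span style="font-size:1pt">lorem ipsum</span>password '
          '<font><span style="font-size:1px">dolor sit</span></font>expires today.</p>'
          '<font color="red"><a href="https://example.invalid/reset">Keep my password</a></font></body></html>')
```

Comparing the joined 'visible' text with what an NLP filter reads (visible plus hidden) shows why the junk words dilute the filter's view of the message while the reader sees only the lure.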

A Similar Campaign Was Discovered in 2018

In 2018, researchers identified a similar operation dubbed ZeroFont, which employed similar approaches to evade Microsoft NLP in its Office 365 security solutions.

According to them, just like ZeroFont, One Font targets Office 365 enterprise customers, which can result in BEC attacks and eventually damage the company’s network if the emails aren’t detected and users are deceived into handing over their passwords.

The Campaign Explained

Once it reaches mailboxes and persuades users that it is an authentic message, the One Font campaign employs standard phishing social-engineering techniques to capture their attention.

Then, the threat actors present what appears to be a password-expiration notification, using urgent messaging to entice the target to click on a malicious link.

The fraudulent link, according to Avanan analysts, directs victims to a phishing website where they appear to be typing their credentials in order to update their passwords. Instead, cybercriminals steal their credentials to use them for malicious purposes.

What Should Organizations Do?

According to Jeremy Fuchs, because end-users are unlikely to notice such obfuscation tactics, marking such emails as suspicious can be challenging.

He added that in order to avoid these attacks, businesses are advised to use a multi-tiered security solution that integrates highly developed artificial intelligence and machine learning, as well as static layers like domain and sender reputation.

Using a cybersecurity strategy that relies on multiple factors to block an email, and requiring corporate users to check with the IT department before interacting with any email that requests a password update, can also help minimize attacks.

Source: Heimdal Security