
Microsoft 365 anti-phishing alert “erased” with one simple trick

Attackers looking for a way into organizations using Microsoft 365 can make an alert identifying unsolicited (and thus potential phishing) emails “disappear”.

“When an Outlook user receives an e-mail from an address they don’t typically communicate with, Outlook shows an alert which reads ‘You don’t often get email from [email protected]. Learn why this is important’. This is what Microsoft calls the First Contact Safety Tip, and it is one of the various anti-phishing measures available in Exchange Online Protection and Microsoft Defender to organizations using [Microsoft] 365,” Certitude researchers William Moody and Wolfgang Ettlinger explained.

But the alert can be made invisible by changing its background and text colors to white, through CSS style tags.

The trick

Cascading Style Sheets (CSS) is a language that is used to describe how a document written in a markup language (e.g., HTML or XML) will be presented.

Since the aforementioned alert is attached to the body of an HTML email, its presentation can be altered via CSS style tags.

The usual tricks for hiding an element – marking it so that it is not displayed at all (display: none), fully transparent (opacity: 0), or of zero height (height: 0px) – don’t work here, they found.

But setting the background and text color to white does. While the email preview will still show the Safety Tip, the body of the email won’t:

[Image: Microsoft 365 alert erased – the alert can’t be seen in the email body (Source: Certitude)]

Similarly, to improve the chances of the email being considered legitimate and benign, phishers can also add more HTML code to fake Outlook’s “Signed by [email protected]” declaration.

They must alter one character of the email address, though, so that Outlook doesn’t recognize it as an address and turn it into a mailto link, which would change the styling of the statement and make it incongruent with the rest of the text in the email body. An easy way to do that is to replace the period in the address with a Unicode character that looks the same.
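The two tricks described above leave traces a mail-filtering or SOC check can look for: a style rule that paints text and background the same colour, and an address-like string that contains a non-ASCII look-alike character. The script below is an added example written for this article, not code from Certitude or Microsoft. Its sample HTML is constructed: the table with id="safety-tip-placeholder" is a stand-in for the tip Outlook injects (Outlook’s real markup and selectors are not reproduced), and U+2024 ONE DOT LEADER is one look-alike for the period chosen for illustration, not necessarily the character the researchers used.

```python
import re
import unicodedata

# Constructed sample HTML email body (not from the article or from Certitude).
# The <style> block paints the placeholder safety tip white-on-white, and the
# faked "Signed by" line uses U+2024 (ONE DOT LEADER) instead of an ASCII period
# so that a strict ASCII address matcher, like a mailto linkifier, will not match it.
SAMPLE_HTML = """<html><head><style>
  #safety-tip-placeholder td { background-color: #FFFFFF !important; color: white !important; }
  .signed { font-size: 12px; color: #666; }
</style></head><body>
<table id="safety-tip-placeholder"><tr><td>You don't often get email from sender@example.com.</td></tr></table>
<div class="signed">Signed by finance@example\u2024com</div>
<p>Please review the attached invoice.</p>
</body></html>"""

_NAMED = {"white": "#ffffff", "black": "#000000"}


def _norm_colour(value):
    """Normalise a CSS colour literal to lowercase #rrggbb; None if not recognised."""
    v = value.strip().lower().replace("!important", "").strip()
    if v in _NAMED:
        return _NAMED[v]
    m = re.fullmatch(r"#([0-9a-f]{3})", v)
    if m:
        return "#" + "".join(ch * 2 for ch in m.group(1))
    if re.fullmatch(r"#[0-9a-f]{6}", v):
        return v
    m = re.fullmatch(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", v)
    if m:
        return "#" + "".join(f"{int(c):02x}" for c in m.groups())
    return None


def same_colour_rules(html):
    """Return selectors of <style> rules that set text and background to the same colour."""
    found = []
    for style in re.findall(r"<style[^>]*>(.*?)</style>", html, re.S | re.I):
        for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", style):
            decls = {}
            for decl in body.split(";"):
                if ":" in decl:
                    prop, _, val = decl.partition(":")
                    decls[prop.strip().lower()] = val
            fg = decls.get("color")
            bg = decls.get("background-color", decls.get("background"))
            if fg is not None and bg is not None:
                nf, nb = _norm_colour(fg), _norm_colour(bg)
                if nf is not None and nf == nb:
                    found.append(selector.strip())
    return found


# Loose address pattern: anything@anything, so look-alike characters are captured too.
_ADDRESS = re.compile(r"""[^\s<>"'@]+@[^\s<>"'@]+""")


def lookalike_addresses(html):
    """Find address-like tokens containing non-ASCII characters; name each offending code point."""
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip, adequate for this check
    hits = []
    for token in _ADDRESS.findall(text):
        odd = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in token if ord(ch) > 0x7F]
        if odd:
            hits.append((token, odd))
    return hits


if __name__ == "__main__":
    print("same-colour rules:", same_colour_rules(SAMPLE_HTML))
    for token, odd in lookalike_addresses(SAMPLE_HTML):
        print("look-alike address:", token, odd)
```

Both checks are heuristics: the colour check only catches rules that set both properties in one block and will miss a tip hidden by two separate rules or inline styles, and the address check flags any non-ASCII character, including legitimate internationalised addresses, so treat hits as a signal for review rather than a verdict.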

Not foolproof, but…

Though these tricks are unlikely to fool many users, “it only takes one person to fall for the phishing attack for an adversary to gain a foothold in the organization,” the researchers pointed out. (And email attacks have skyrocketed.)

Unfortunately for Microsoft 365 and Outlook users, these tricks work, and will keep working until Microsoft decides to address them.

After getting notified, the company said that the issue does not meet their bar for immediate servicing. “However, we have still marked your finding for future review as an opportunity to improve our products,” Microsoft said.