Microsoft 365 Phishing Alert Can Be Hidden with CSS
Recent research by cybersecurity experts has uncovered a vulnerability in Microsoft 365’s anti-phishing mechanisms, which can be exploited using CSS. This flaw allows attackers to bypass safety alerts, raising concerns about the robustness of Microsoft’s phishing defenses.
Microsoft 365, formerly known as Office 365, incorporates various anti-phishing measures to protect its users. One such measure is the First Contact Safety Tip, which alerts users when they receive emails from unfamiliar addresses. This alert is typically prepended to the body of an HTML email, signaling potential risks.
However, William Moody and Wolfgang Ettlinger from Certitude demonstrated that this alert could be effectively hidden using CSS modifications. By altering the background and font colors to white, attackers can render the alert invisible to the recipient, thereby nullifying its intended protective function.
To illustrate the vulnerability, Certitude crafted a proof-of-concept email that concealed the safety tip through specific CSS rules. Although common CSS tactics like setting the display to none or adjusting the height and opacity did not work due to Outlook’s rendering engine constraints, changing the color properties proved successful. This approach ensures that the alert is present but invisible, misleading users and increasing the likelihood of successful phishing attempts.
Moreover, the researchers extended their findings to demonstrate how attackers could spoof encrypted and signed email icons in Microsoft Outlook. By using Unicode characters and specific CSS rules, they showed how it is possible to mimic these icons convincingly. While vigilant users might notice minor formatting discrepancies, less observant individuals could easily be deceived, potentially compromising organizational security.
Following the discovery, Certitude responsibly disclosed the issue to Microsoft through the Microsoft Researcher Portal. Despite acknowledging the validity of the findings, Microsoft decided not to address the issue immediately, citing that it primarily refers to phishing attacks. They have, however, marked the findings for future review to improve their products.
Read more on phishing: Phishing Attacks Targeting US and European Organizations Double