News: 1723036987

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Small CSS tweaks can help nasty emails slip through Outlook's anti-phishing net

(2024/08/07)


Researchers say cybercriminals can have fun bypassing one of Microsoft's anti-phishing measures in Outlook with some simple CSS tweaks.

William Moody, IT security consultant at Certitude, blogged today about how First Contact Safety Tip – a banner displayed in Outlook when a user receives a message from an address that typically doesn't contact them – can be hidden (mostly) using CSS style tags.

Because the First Contact Safety Tip is added to the HTML code of an email before the message content, all a phisher would have to do is craft an email solely in HTML, changing the banner's background and font both to white, and voila, the banner still exists but is no longer visible.

[1]

Moody said: "Although applying some more common CSS rules such as display: none , height: 0px , and opacity: 0 to the table itself doesn't seem to work, either due to the inline CSS in the elements or due to lack of support by the rendering engine Outlook uses, it is possible to change the background and font colors to white so that the alert is effectively invisible when rendered to the end user viewing the email."

[2]

[3]

The only drawback to this one is that the email preview displayed in the left-side pane in Outlook will still display the First Contact Safety Tip message in small, grey text under the [4]email body preview.

That said, the preview is small and will likely be truncated on most display setups, making it easy to miss to those unaware of the message and working too quickly to pay attention.

[5]

As an added layer of perceived legitimacy to a potential phishing email, the same method can be applied to add a seemingly legitimate note to show the message was encrypted or signed.

Again, there are a few caveats to this. It's not a like-for-like spoof – the formatting will look different to more attentive or experienced [6]Outlook users and it takes a little tweaking to achieve a halfway convincing end result.

[7]Users call on Microsoft to update Outlook's friendly name feature

[8]New Outlook set for GA despite missing some key features

[9]Police take just 2 days to recover $40M stolen in business email scam

[10]Microsoft punches back at Delta Air Lines and its legal threats

For example, let's say we wanted to add a note to an email that said: "Signed by c.jones@elreg.com" – you would have to replace the period in the email address with the Unicode character U+2024 to prevent a mailto link from being generated, which would diverge from what's normally displayed.

However, as Moody [11]noted : "It only takes one person to fall for the [12]phishing attack for an adversary to gain a foothold in the organization."

The researchers, Moody and Wolfgang Ettlinger, informed Microsoft about this in February but their findings aren't going to be addressed in the short term.

[13]

"We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks," Microsoft told the pair.

"However, we have still marked your finding for future review as an opportunity to improve our products." ®

Get our [14]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZrOaK-FDMakn8JOTZBNHzQAAAAk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrOaK-FDMakn8JOTZBNHzQAAAAk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrOaK-FDMakn8JOTZBNHzQAAAAk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://www.theregister.com/2023/08/23/email_like_a_pro/

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrOaK-FDMakn8JOTZBNHzQAAAAk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2024/08/06/users_call_for_microsoft_to/

[7] https://www.theregister.com/2024/08/06/users_call_for_microsoft_to/

[8] https://www.theregister.com/2024/07/12/new_outlook_set_for_ga/

[9] https://www.theregister.com/2024/08/07/police_take_just_two_days/

[10] https://www.theregister.com/2024/08/07/microsoft_delta_fight/

[11] https://certitude.consulting/blog/en/o365-anti-phishing-measures/

[12] https://www.theregister.com/2024/05/23/google_phishing_tests/

[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrOaK-FDMakn8JOTZBNHzQAAAAk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[14] https://whitepapers.theregister.com/



Email is for text

speleothem

Can anybody tell me, is there ANY legitimate use case for anything other than plain text in the subject line or body of an email message?

Allowing anything that isn't human-readable, anything that's unannounced executable code, is an open invitation to abuse.

Attachments are an obvious exception, but we ought to be quarantining and sandboxing those by default anyway. Unfortunately, mainstream email clients open attachments by default without asking the user first.

I hear China is launching a new satellite constellation. If they're going to be the next global military superpower, they ought to use that power for good by nuking HTML email from space ;-) While they're at it, they should nuke emojis from space as well!

Re: Email is for text

sitta_europea

I *only* read emails in plain text. Even the ones sent in HTML (if I can be bothered - usually I can't).

So, anti-phishing measures are a simple HTML thing

Pascal Monett

I realize that this is way easier than coding an analysis into the Outlook client that measures what already exists and pops up a non-hackable alert when a new email address is discovered.

Now tell me why Redmond decided not to do that.

I mean, I'm an average developer and I'm pretty sure I could do that, so ?

Re: So, anti-phishing measures are a simple HTML thing

wolfetone

To be fair a lot of these "anti-" whatever are always in response to something, never in anticipation of it. Often, really, if we go and say "We need to do X for the possibility of Y", we're asked if "Y" is an actual threat or used in the wild. We will go "no, but it could be", the answer will generally be "We'll do Y when it happens". Because then, when it gets exploited, the gaffer can always release a press statement saying "We were the victim of a sophisticated attack..."

Re: So, anti-phishing measures are a simple HTML thing

Anna Nymous

> the gaffer can always release a press statement saying "We were the victim of a sophisticated attack..."

With an additional rider of "... which no-one could have foreseen"

Re: So, anti-phishing measures are a simple HTML thing

Anonymous Coward

to be fair outlook is just a browser container, it stopped being a proper app quite a while ago.

The menu and everything are html junk, thats why different parts of it goes blank until you close and restart it sometimes.

The html render engine is just really bad

Priorities, yes...

b0llchit

...does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks...

Between the letters was embedded another message reading: You must present us with a ClownStrike scale event with proof of loss of business tabulated and sent in triplicate (*) to get to the top of the list.

Do they ever learn (**) ?

(*) it helps if it has been sent in, sent back, queried, lost, found, sent to public enquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters (***)

(**) obviously a rhetorical question

(***) lets just feed all MS software to the Ravenous Bugblatter Beast of Traal and call it a day

sitta_europea

At least half of the HTML email spam I see uses tricks similar to this to try to defeat my anti-spam measures.

It all fails.

Why do I see the spam, you ask? So that I can confirm that it's reported correctly.

Being ugly isn't illegal. Yet.