Inky has reported a new phishing attack designed to confuse Secure Email Gateways (SEG). The attack is using hidden text to stop the SEG rejecting the email as fraudulent. It is also taking advantage of the Unicode Soft Hyphen feature to hide the displayed text from the SEG engine. The result is that the email is delivered to the user, looks like a legitimate email and is likely to be successful at harvesting user credentials.
The email in question is a pretty standard one in phishing terms. It claims to be from Microsoft and tells the user that their Office 365 password is expiring. They are presented with a link in a box which will allow them to keep their current password. Clicking on the link, however, takes the user to a lookalike site which is where their credentials are harvested.
How does this work?
Inky explains the process in the blog. In short, the attacker uses hidden text to stop the SEG checking the sending domain. Searching the raw text of the email, for example, does not find Microsoft or Office 365. As the SEG cannot find those words, it does not check to see if the email came from a valid Microsoft domain.
However, this use of hidden text is well known, and an increasing number of security programmes search for it. To get around that, the attackers have used the Unicode Soft Hyphen. To the user, it is all invisible. In a text editor, the soft hyphen appears as you’d expect: as a hyphen. The text editor also shows that every letter in Password expiry and Office 365 is separated by a soft hyphen.
What is important here is that the SEG also sees the soft hyphen. Because a soft hyphen sits between every letter, the two phrases, Password expiry and Office 365, never match as plain text in the raw email and are not flagged at all. This is what defeats the SEG, which then fails to mark the email as malicious.
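A defender's view of the same mismatch, as an added example that is not from Inky's write-up or from any SEG product: the Python sketch below scans text before and after removing invisible Unicode format characters and reports phrases that only appear after normalization. The watch list, function names and sample body are assumptions constructed for illustration.

```python
import unicodedata

SOFT_HYPHEN = "\u00ad"
# Lure phrases to look for; these two are the ones named in the article.
WATCH_PHRASES = ("password expiry", "office 365")

def strip_invisible(text):
    """Drop soft hyphens and every other Unicode format (Cf) character.

    Cf also covers zero-width joiners and similar marks, which is acceptable
    for keyword scanning but would be too aggressive for re-rendering text.
    """
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def find_phrases(text):
    """Return the watch phrases present in text (case-insensitive)."""
    lowered = text.lower()
    return [p for p in WATCH_PHRASES if p in lowered]

def inspect(text):
    """Compare a scan of the raw text with a scan of the normalized text."""
    raw_hits = find_phrases(text)
    clean_hits = find_phrases(strip_invisible(text))
    return {
        "raw_hits": raw_hits,
        "normalized_hits": clean_hits,
        "soft_hyphens": text.count(SOFT_HYPHEN),
        # A phrase that only matches once invisible characters are removed
        # was deliberately obscured, which is a signal in its own right.
        "obfuscated": [p for p in clean_hits if p not in raw_hits],
    }

def interleave(phrase):
    """Build constructed test input: a soft hyphen between every character."""
    return SOFT_HYPHEN.join(phrase)

# Constructed sample body, not the text of the real phishing email.
SAMPLE = (f"{interleave('Password expiry')} notice for your "
          f"{interleave('Office 365')} account")

if __name__ == "__main__":
    for key, value in inspect(SAMPLE).items():
        print(f"{key}: {value}")
```

A high soft-hyphen count in short text, or any entry in `obfuscated`, is worth scoring separately from the keyword match itself, since legitimate mail rarely places a soft hyphen between every letter of a brand name.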
While this trick is pretty clever, Inky also reports that the phisher has tripped themselves up. For example, when the email renders, Password Expiry is not shown to the user. This is because of the way the phisher has hidden all CSS span elements. Unfortunately, Password Expiry is also inside a span. Oops!